Yahoo crawls private links

[13-Oct-2017 05:03:34 Pacific/Auckland] Fatal error: Could not find order in database (ID: 2) in ~/includes/controllers/ctrl_order.inc.php (Line 97)
~/includes/controllers/ctrl_order.inc.php (Line 9) in load()
~/pages/printable_order_copy.inc.php (Line 12) in __construct()
~/index.php (Line 35) in include()
Request: GET /printable_order_copy?order_id=2&checksum=3d80c9835163ff74ff9b2ebecb28eab8&media=print HTTP/1.1
Client: 72.30.14.126 (b163.crawl.yahoo.net)
User Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)

tim

I have no idea why yahoo crawls private links flagged for noindex and only passed out over email.

This is none of their business and I would consider this a privacy intrusion.

The error message is fine.

I love how you change my posts and titles to suit.
However, sweeping under the carpet doesn't give a clean room.
The message says could not find order 2 - that's because it has been deleted.

So - Yahoo is doing its job, searching and indexing the site.

the point is...
HOW can Yahoo EVER have access to a printable order copy with a checksum by a simple GET request? How can they ever know the checksum? How can they crawl the entire database to get this information?

This information should be locked away and only accessible by the customer, and site manager.
A simple noindex is not enough protection for customers' addresses and contact details, nor a shop's sales records.

Yes the error message is fine.

tim

Yahoo accessed the printable link sent in a private email to the customer email address. It contains all info in the URL to direct access the link. Whoever possesses the link can view it.

When it was accessed, the order had been deleted, so LiteCart logged an attempt to retrieve a deleted order.

If you feel you want to require a login for viewing guests' orders, you are in trouble. If all your guests have an account you can require login by sticking the command customer::require_login() inside pages/printable_order_copy.inc.php. That should not be necessary as it is checksum protected and a hacker would need some sort of brute force operation for each and every order. A big waste of time.
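To make the checksum argument concrete, here is an added example of how such a signed "capability" link works; it is not LiteCart's code, and LiteCart's actual checksum algorithm is not shown in this thread. The scheme, key, base URL, order table and function names below are all assumed for illustration: the server keeps a secret key, signs the order id with an HMAC, and the handler only serves the order when the checksum on the incoming request matches. Whoever holds the full URL (the customer, or anyone who sees the email) passes the check; someone who changes the order_id without the key does not, and a valid link to a deleted order yields a not-found result rather than the order.

```python
import hmac
import hashlib
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed demo key (assumption): a real shop would load a long random
# secret from its configuration and never commit it to source control.
SECRET_KEY = b"constructed-demo-key-32-bytes-long!!"

# Hypothetical base URL; the path mirrors the one in the logged request above.
BASE_URL = "https://shop.example/printable_order_copy"

# Constructed order table standing in for the shop's database.
ORDERS = {
    1: {"customer": "A. Example", "total": "19.95"},
    # order 2 was deleted, so it is absent, as in the log above
    3: {"customer": "B. Example", "total": "42.00"},
}


def order_checksum(order_id: int, secret: bytes = SECRET_KEY) -> str:
    """HMAC-SHA256 over the order id, hex encoded. Only the server knows the
    key, so a checksum for an order cannot be computed without it."""
    return hmac.new(secret, f"order:{order_id}".encode(), hashlib.sha256).hexdigest()


def make_order_link(order_id: int) -> str:
    """The kind of link that goes into the order confirmation email."""
    params = {"order_id": order_id, "checksum": order_checksum(order_id), "media": "print"}
    return f"{BASE_URL}?{urlencode(params)}"


def serve_printable_order(url: str) -> tuple:
    """Simulated page handler: returns (HTTP status, body)."""
    q = parse_qs(urlparse(url).query)
    try:
        order_id = int(q["order_id"][0])
        checksum = q["checksum"][0]
    except (KeyError, IndexError, ValueError):
        return 400, "missing or malformed parameters"
    # Constant-time compare so a guesser gets no timing side channel.
    if not hmac.compare_digest(order_checksum(order_id), checksum):
        return 403, "bad checksum"
    order = ORDERS.get(order_id)
    if order is None:
        # Valid link, but the order has since been deleted.
        return 404, "order no longer exists"
    return 200, order


def expected_guesses(hex_len: int) -> int:
    """Average number of blind guesses needed to hit a random hex checksum of
    this length, i.e. the brute-force cost per order without the key."""
    return 2 ** (4 * hex_len - 1)


if __name__ == "__main__":
    link = make_order_link(1)
    print(link)
    print(serve_printable_order(link))
    print(serve_printable_order(make_order_link(2)))
    print(serve_printable_order(link.replace("order_id=1", "order_id=3")))
    print(expected_guesses(32))
```

The check stops forgery and crawling of the id space, but it is still a bearer token: the link itself is the credential, which is exactly why a crawler that obtains the URL from a mailbox or a public post can fetch the page. If that is unacceptable, the usual mitigations are to put an expiry timestamp inside the signed data or to require a login as described above.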

I love how litecart error reporting works

Not interested in login for customers viewing orders.

Was it sent to a Yahoo address?

tim

I dunno. But the only way to grab this link was for Yahoo to get it from some user's inbox. Unless the user posted it in some forum or something.

This topic has been closed due to prolonged inactivity. Posting to it is not possible.