topic Re: QVC Website - Serious Security Vulnerability in Community Chat

QVC Website - Serious Security Vulnerability

Ketra — Mon, 18 Jun 2018 14:56:39 GMT

The password issue has been going on a long time on your website. It was fixed briefly and now its once again a problem. It is a major security vulnerability for all QVC customers and nothing is being done about it. It’s not that hard to fix and it makes customers worry that QVC is not taking online security seriously. Bad actors can easily access passwords when they are shown in the clear. Why in heaven’s name would QVC have an option to show someones password! The only reason why someone would have that option on a website is that they want customers passwords to be compromised. It makes no sense at all. It makes me mad as hell when I’m logging onto the QVC website and my password is showing in the clear. I’ve been patient about this, but QVC better friggin fix this ASAP or it’s going to be a FOX News story. No other online shopping sites Amazon, Macys...... have ever done anything like this. Also when customers are calling in to complain about the problem they are told it’s a problem with their computer. I called in again today and was told the same thing. It’s really bad when QVC’s Customer Service personnel are not even aware of a known security vulnerability on the QVC website. I don’t think QVC departments even know how to communicate with one another anymore. I won’t be doing business with a company that does not exercise cyber security on it’s website. This is a major security violation on your website. Fix it QVC!

Re: QVC Website - Serious Security Vulnerability

goldensrbest — Mon, 18 Jun 2018 15:00:15 GMT

How are you seeing this ,where more details please,i do not see this.

Re: QVC Website - Serious Security Vulnerability

Krimpette — Mon, 18 Jun 2018 15:02:30 GMT

I see it on my MacBook Pro. You seem to have to decide on "show" or "hide". I'd rather it be hidden all the time as before. Why would I want to "show" it???

Re: QVC Website - Serious Security Vulnerability

QVCkitty1 — Mon, 18 Jun 2018 15:07:11 GMT

I know. I thought it was fixed, what is the problem ?????

Re: QVC Website - Serious Security Vulnerability

Ketra — Mon, 18 Jun 2018 15:08:43 GMT

When logging on to the website it automatically shows the password I’m typing in.

Next to the password it says “show” or “hide”. There should never be an option to show a password. It comes up automatcally in the “show” option so when typing your password it shows up in the clear. Each time when logging in you must select the “hide” option or it will show your password. This is a known problem to QVC and the fixed it once, however it has resumed. It’s been reported numerous times on the “Customer Care Forum.

Re: QVC Website - Serious Security Vulnerability

CelticCrafter — Mon, 18 Jun 2018 15:10:06 GMT

@Krimpette wrote:
I see it on my MacBook Pro. You seem to have to decide on "show" or "hide". I'd rather it be hidden all the time as before. Why would I want to "show" it???

I've tried it and next time you go to sign it's back to the show option.

For me, it only happens if I'm incognito on my browser.

Re: QVC Website - Serious Security Vulnerability

goldensrbest — Mon, 18 Jun 2018 15:10:47 GMT

If it is the show or hide ,i see that but isn't that just because we choose that?

Re: QVC Website - Serious Security Vulnerability

Ketra — Mon, 18 Jun 2018 15:12:31 GMT

The problem is QVC is not taking our online security seriously. They are not protecting our information properly and they better start taking cyber security seriously or I and thousands others won’t be shopping here anymore.

Re: QVC Website - Serious Security Vulnerability

sidsmom — Mon, 18 Jun 2018 15:14:59 GMT

I would think for many of QVC members who are visually impaired

or have dexterity issues, the visual password function would be

welcomed. IMO.

Re: QVC Website - Serious Security Vulnerability

Ketra — Mon, 18 Jun 2018 15:17:33 GMT

@goldensrbest wrote:
If it is the show or hide ,i see that but isn't that just because we choose that?

@goldensrbest No, it comes up each time defaulting to showing your password. There should never even be an option asking if you want to show your password. Only cyber thieves would plant such an option on a website. You would never want your passwords spelled out in the clear. Easy for cyber thieves to snapshot your password.

Re: QVC Website - Serious Security Vulnerability

151949 — Mon, 18 Jun 2018 15:22:11 GMT

Yep, my password shows up right under where I am supposed to type it in.

Re: QVC Website - Serious Security Vulnerability

Ketra — Mon, 18 Jun 2018 15:29:49 GMT

@sidsmom wrote:
I would think for many of QVC members who are visually impaired
or have dexterity issues, the visual password function would be
welcomed. IMO.

@sidsmom The passwords are defaulting to showing each time you come to the website. That is the biggest security vulnerabilty there is. Bad actors who obtain those will have all of your data. There is something QVC software folks can include in “customer preferences” that they could select on or off for those who have dexterity issues. They will still be vulnerable to hacking of all of their data if passwords are shown in the clear, but that is a risk they themselves must choose. QVC acknowledges this as a major security vulnerabilty as they fixed this once before.

Re: QVC Website - Serious Security Vulnerability

Mominohio — Mon, 18 Jun 2018 15:33:42 GMT

I thought it was fixed too.

The option to show or hide isn't really a problem for me, it is the fact that every time you go to log in, it comes up showing the entire password. The show function only came up if you chose it, then it only showed what letters you were typing in, one at a time, the blanked out, so you could see each key stroke you made, but never left the entire work/number sequence up. It should always be hidden, and was until recently.

I too, would like to know what gives, that Q can't seem to fix this.

Re: QVC Website - Serious Security Vulnerability

sunshine45 — Mon, 18 Jun 2018 15:41:53 GMT

when i use the firefox browser to access qvc via my laptop it does not show unless i click on SHOW password.

Re: QVC Website - Serious Security Vulnerability

tansy — Mon, 18 Jun 2018 15:45:20 GMT

I don’t ‘get’ this. As I was signing in, I decided to choose show my password. As I typed a letter it would show for a second before turning to a dot. When I chose the hide option, my password showed😏

Ipad using Safari.

Re: QVC Website - Serious Security Vulnerability

Allegheny — Mon, 18 Jun 2018 15:45:04 GMT

I am not techy so my question is besides being visable to the person signing in on their PC who else has sight of it?

Re: QVC Website - Serious Security Vulnerability

Montana — Mon, 18 Jun 2018 15:48:13 GMT

Sometimes the “Show” or “Hide” functions are reversed. If it says “Hide” the entire password is visible. If switched to “Show” you can’t see it.

Re: QVC Website - Serious Security Vulnerability

dooBdoo — Mon, 18 Jun 2018 17:18:55 GMT

@Ketra, Websites normally use "masking" to hide a password as it's being entered, so we see asterisks or dots instead of the characters.

However, sometimes web hosting software does provide the option to "show."

On occasion, as @sidsmom said, someone might want to see the password -- for various reasons, one being that if we get the alert that the password was wrong and we know we only get a few attempts before being locked out, we might need to slowly type it and see it as we type, to be sure we're not entering it incorrectly or perhaps our keyboard is fouling up. We can't see that when the password is masked.

However -- and this is important -- the default should ALWAYS be to mask the password. If an option is offered, the user should have to actively select it before the password is displayed.

Lithium Hosting provides the web services for QVC. They provide the sites for many other companies -- an good example to use for comparison is eBay, because eBay's login screen (if you go there and login, you'll see a "show" option) and also their community forums are similar to QVC's. However, QVC clearly is using the most basic (can we say "cheap"?) version of the software and also the cheapest, least responsive technical support.

The biggest security risk in showing the password is shoulder-surfing, eyeballs seeing it or a video of the process. In some cases, a hacker could use visuals to try and capture logins, but usually they have a more sophisticated method of doing this. Even so, this default to displaying our passwords is just another indication of sloppy, careless programming.

Re: QVC Website - Serious Security Vulnerability

hopi — Mon, 18 Jun 2018 15:52:09 GMT

It does not matter if you choose show or hide because it always ends up showing and hiding. Makes no sense.

Re: QVC Website - Serious Security Vulnerability

151949 — Mon, 18 Jun 2018 15:52:09 GMT

I tried flipping that show/hide to hide my password, then turned computer off and when I came back to sign on - it was there again.

topic Re: ****QVC Website - Serious Security Vulnerability**** in Community Chat

****QVC Website - Serious Security Vulnerability****

Re: ****QVC Website - Serious Security Vulnerability****

Re: ****QVC Website - Serious Security Vulnerability****

Re: ****QVC Website - Serious Security Vulnerability****

Re: ****QVC Website - Serious Security Vulnerability****

Re: ****QVC Website - Serious Security Vulnerability****

Re: ****QVC Website - Serious Security Vulnerability****

Re: ****QVC Website - Serious Security Vulnerability****

Re: ****QVC Website - Serious Security Vulnerability****

Re: ****QVC Website - Serious Security Vulnerability****

Re: ****QVC Website - Serious Security Vulnerability****

Re: ****QVC Website - Serious Security Vulnerability****

Re: ****QVC Website - Serious Security Vulnerability****

Re: ****QVC Website - Serious Security Vulnerability****

Re: ****QVC Website - Serious Security Vulnerability****

Re: ****QVC Website - Serious Security Vulnerability****

Re: ****QVC Website - Serious Security Vulnerability****

Re: ****QVC Website - Serious Security Vulnerability****

Re: ****QVC Website - Serious Security Vulnerability****

Re: ****QVC Website - Serious Security Vulnerability****

topic Re: QVC Website - Serious Security Vulnerability in Community Chat

QVC Website - Serious Security Vulnerability

Re: QVC Website - Serious Security Vulnerability

Re: QVC Website - Serious Security Vulnerability

Re: QVC Website - Serious Security Vulnerability

Re: QVC Website - Serious Security Vulnerability

Re: QVC Website - Serious Security Vulnerability

Re: QVC Website - Serious Security Vulnerability

Re: QVC Website - Serious Security Vulnerability

Re: QVC Website - Serious Security Vulnerability

Re: QVC Website - Serious Security Vulnerability

Re: QVC Website - Serious Security Vulnerability

Re: QVC Website - Serious Security Vulnerability

Re: QVC Website - Serious Security Vulnerability

Re: QVC Website - Serious Security Vulnerability

Re: QVC Website - Serious Security Vulnerability

Re: QVC Website - Serious Security Vulnerability

Re: QVC Website - Serious Security Vulnerability

Re: QVC Website - Serious Security Vulnerability

Re: QVC Website - Serious Security Vulnerability

Re: QVC Website - Serious Security Vulnerability