This was posted 13 years 5 months 27 days ago, and might be an out-dated deal.

Related
  • expired

32GB Lexar Class 10 Micro SDHC with USB Adapter @ $69 Free Shipping

200
OZBLXMICRO32G

Please note that the website had some security loopholes. Please read the rep explanation here and proceed with caution.


This is the NEW batch of 32GB Lexar Micro SDHC Class 10 with USB adapter.
Product Code: LSDMI32GBCANZR

Product Information:
http://au.lexar.com/node/2486?category=1715

Pricing Information:
When comparing pricing, please note the Product Code.
The card listed is LSDMI32GBCANZR - NOT the discontinued model LSDMI32GBSBNAR
http://staticice.com.au/cgi-bin/search.cgi?q=lexar+micro+sd+…

Coupon:
OZBLXMICRO32G

Postage Information:
Registered Post

Conditions:
Limited to 100 units. Max 2 units per transacton.

MOD: Changed link directly to product.

Related Stores

IT Device
IT Device

closed Comments

  • Rules…

    http://www.ozbargain.com.au/wiki/help:rules_guidelines

    LINK directly to the deal.

  • Any benchmark info?

  • Awesome!

  • Nice. Just a quick note…when I clicked on the link I ended up in an active account for someone called Adam of Chester Hill. Any ideas?

  • I think there is a serious problem with their website… when I follow the product link, it automatically logs me in as a person from Sydney (I live in Bris).

  • It says "Max 2 units per transacton" but the coupon code currently only takes the discount off ONE ITEM ???

    Discount Coupon ($5.95 discount for Lexar 32GB Micro SDHC card) applied: -$5.95
    Sub-Total: —————————————————————————————- $143.95
    STANDARD POST (Carrier: eParcel/Registered Post/Courier (FREE SHIPPING)): $0.00
    Total: ———————————————————————————————- $143.95
    10% GST Included: —————————————————————————— $13.09

    Total Charged $143.95

  • +7

    "Your payment details are protected and encrypted by 256-bit SSL technology. Your privacy and security is guaranteed."

    I guess not. LOL!

  • Yeah I got logged in as being someone from Melbourne and then when I changed to a Sydney Postcode I also got Mr Chan's home address in Ryde and his work/study address in the city !!!
    I wonder if this is a dummy account or a real peron and a massive privacy breach???

  • I paid $90 for mine a few months ago… nice price.

  • it says SDHC is rated class 10 but what are the actual read/write speeds?

  • Damn, they have a Samsung 16g Ultra Backup USB Flash Drive for $25… damn

    Do you think i'd be safe checking out as a guest?

  • Also I'm pretty sure ITDevice is the same company as Shop-Xpress?

    http://www.shopxpress.com.au/live/

    EDIT: Yes they are, they're using the same ABN.

  • First, thank you for all who support us. Many of this item have been sold.

    Second, we are absolutely not leaking users information (see Point Third). All transaction data transferred is encrypted securely over Internet. Your password is encrypted even on our system and we ourself could not retrieve it. Your credit card, if you pay by CC, is not stored on our system at all (the transaction is done by the payment gateway provider).

    Third, there are two parts of the product link: absolute and relative.

    So when you click on this product, your unique URL will be:
    http://www.itdevice.com.au/live/product_info.php?products_id…

    This osCid is not supposed to be shared because when a person B enters the session of person A, he can 'see' what products person A purchases and can modify personal information of person A… Person A, of course, can see these changes made by person B too. In other words, when many people are on the same session, they are actually using the same account and every change made by one can be seen (and modify) by the others.

    Fourth, apparently when a Mod edited our post, he has pasted the whole URL on the browser which included his own unique osCid. So when some users clicked on this link to jump to our website, they were actually on the same session and because many started registering their accounts, other users could see the accounts created too.

    Fifth, this problem could be fixed by logging out of the system (if you were on others session) or simply use the absolute URL of this product:
    http://www.itdevice.com.au/live/product_info.php?products_id…

    Finally, we apologise for any inconvenience this might cause. Our technical team is looking into a solution to eliminate the osCid to prevent similar problems in the future. At the mean time, if you are keen on the product, please use the absolute URL to purchase it and be assured that your personal information is never leaked (yes, as long as you do not share your own osCid, which only exists for a while, with others).

    To MOD: Would you please change the direct link of this deal to the absolute URL of the product, and give us some explanation. Your attention is appreciated!

    Kind regards,
    IT Device

    • +2

      IT Device,

      Your credit card, if you pay by CC, is not stored on our system at all (the transaction is done by the payment gateway provider).

      Great that you do not store credit card details in plain text, but as long as I am able to access other user's information (name, address, phone number) without signing up or logging in, that is information leak.

      This osCid is not supposed to be shared

      If you don't mind me being honest, this is actually a bad design with major security flaws for any e-commerce websites. I say this because:

      • You can't expect your everyday users to be aware that osCsid aren't supposed to be shared. I consider myself quite informed in Internet security, but even I didn't take notice of the URL I was pasting contained session data (probably time of the day contributed to that too). Most users would just copy-n-paste the entire URL to share.
      • The session ID may be picked up by search engine crawlers, e.g. here. Consequence of this? Common users clicking on the search link may be sharing sessions when they sign up through that link.
      • Spammers/scammers would absolutely love knowing this security loophole to psfish for your user data. They just need to promote one of your items on some popular internet forum/website.

      Anyway, I have changed the link to the product URL minus the osCsid. But in your best interest, you would probably want to alert your web developers of this security flaw. Perhaps store the session ID as cookies instead?

      • Thank you for fixing the URL and especially your comments. It's much appreciated. I absolutely agree with you about the need of eliminating the osCid completely (it's the default configuration). I've asked the technical team to look into this and hopefully we can switch to new methods (cookies…) asap.

        • -3

          And until which time, you should shut-down your website immediately! You are now aware of the problem of your site easily leaking personal information and you must either shut the hole immediately or shut the site immediately. Anything else is against Australian Privacy Act.

        • +1

          @mouth
          The only way you'd get another osCid is from someone copying and pasting their URL with the osCid to another user. The link with the osCid has been removed, there's no need to shutdown an entire website.

  • +2

    Read the IT Device guy's post people.
    It only happened because someone posted their private session ID in the OzBargains link by accident and then everyone else started using it. It's like giving out your username and password, not strictly a problem with the site.
    Session IDs are quite common on a lot of site URLs so it's always a good idea to log out before cutting and pasting a link.

    • Session IDs are certainly common, but usually only when people have cookies disabled. You should never be able to take a session ID and access someone elses details without the site doing some sort of sanity check (usually against a hashed cookie value).

      I would never use a site with a security vulnerability this large.

  • +1

    agreed..
    A website setup this way should not be 'shutdown' because users have given out their usernames and passwords.

  • +2

    Assuming you're using a newer oscommerce build where sessions and cookies actually work correctly you can just turn on the 'force cookie usage' option in the backend. I don't remember if that'll remove the session id appends to the URLs from tep_href_link() but its a much better start security wise.

    Its a relatively easy job to rid the code of sessions in URLs completely, and bear in mind cookies are still open to exactly the same kind of problem (XSS/Cookie Theft) its just less visible and 1 user giving another a link with a valid session id can't happen at least.

    Good luck with it.

    • Thank you for your information. It's appreciated. I've relayed it to the technical team for them to look into it.

Login or Join to leave a comment