Here at nameless we are all impressed with the nice usability, simplicity and original concept of thread.com, although not all of us are keen on the clothing!
The site lets you register with some personal details about your fashion likes. Next, a personal stylist sends you clothing suggestions which you can choose to “try on”.
The lovely part of it is the registration process. You are never hassled with remembering your password. You get emails, and when you follow a link you are logged in, no hassle at all. It's just like the site knows exactly who you are when it sees you.
As usability experts, this is extremely attractive! The alternative is passwords, password reminders and email validations. These are all horrible barriers that users must jump over to maintain their account security.
Enlightened by this wonderful approach, we decided to look into how they did it, and we made a bit of a horrible discovery.
I got Neil to email me a link to his outfits (as sent to him by thread.com). And yes, it logged me in as him straight away.
I went to his account details and changed the delivery address to the office. I added a shirt to the shopping cart (this stressed Neil considerably as he was not keen on the shirt). With his stored credit card details, from previous purchases, I went right up to the point of purchase.
Neil was rightfully freaked out that a simple link can give anyone access to buy clothing on his credit card and have it sent to any address.
With this in mind he attempted to remove his stored credit card details. There is no obvious way to do this: they can only be updated, not removed. Unfortunately you can only update them to a new valid credit card. (Even using valid test credit card numbers fails, as the site attempts a credit check on the card to see if it will be declined or not.)
So when you get those thread.com links, don’t send them to your friends, and definitely do not publish them.
We have informed thread.com, and, with a sigh, we realise there is still no nice way to avoid some form of validation security.
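One way to keep the no-password link while limiting what a forwarded link can do, as an added example (not thread.com's code and not part of the original post): the link token is signed, expires, works once, and only opens a browse-only session, while changing the address or buying needs a second check. The key, lifetime, action names and function names are all assumptions.

```python
import hashlib, hmac, secrets, time

SECRET = secrets.token_bytes(32)      # server-side signing key (constructed here)
LINK_TTL = 15 * 60                    # assumed lifetime of an emailed link, in seconds
SENSITIVE = {"change_address", "update_card", "purchase"}   # hypothetical action names
_used_nonces = set()                  # in production: a shared store with expiry


def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_link_token(user_id, now=None):
    """Build the token that goes into an emailed link (user_id must not contain '.')."""
    now = int(time.time() if now is None else now)
    payload = f"{user_id}.{now + LINK_TTL}.{secrets.token_urlsafe(16)}"
    return f"{payload}.{_sign(payload)}"


def redeem_link_token(token, now=None):
    """Return a browse-only session, or None if the link is forged, stale or reused."""
    now = int(time.time() if now is None else now)
    try:
        user_id, expires, nonce, sig = token.split(".")
        expires = int(expires)
    except ValueError:
        return None
    expected = _sign(f"{user_id}.{expires}.{nonce}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    if now > expires or nonce in _used_nonces:
        return None
    _used_nonces.add(nonce)
    # The link proves "someone had this email", not "this is the account owner".
    return {"user_id": user_id, "verified": False}


def authorize(session, action):
    """Browsing is allowed from a link session; sensitive actions need step-up."""
    return session["verified"] if action in SENSITIVE else True


def step_up(session, proof_ok):
    """Mark the session verified after a second check (password, one-time code, CVV)."""
    if proof_ok:
        session["verified"] = True
    return session["verified"]
```

With this split, a link passed to a friend still shows the outfits, but the address change and purchase described above stop at `authorize` until `step_up` succeeds.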