kananga
Posted May 16, 2018

Something that came up while using the kitelife checkout form just now: I wasn't logged in to the root URL of the cart checkout, kitelife.com/forum, so the checkout process was directed to the account signup form. My actual signup info was returned, populated in this form, including address, username, and password. This is concerning, being identifying info, and because ideally stored passwords shouldn't be retrievable.

The password is displayed in HTML with type="password", which displays password characters as dots or asterisks. The characters are easily read by editing the HTML (right click the pw textbox, inspect, delete the [type="password"] argument).

I deleted browser cookies, history, form fill data - the works, tried again, and got the same results, which rules out browser form fill and accidental session persistence. It's not related to Google or Facebook login recognition, I tested both of these in incognito.
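The check below is an added example, not part of the original posts and not the site's own code: it scans a server response for password inputs that arrive with a non-empty value attribute, the condition described in the post above. The sample HTML, field names and function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample of a server-rendered signup form (not taken from any real site).
SAMPLE_RESPONSE = """
<form action="/register" method="post">
  <input type="text" name="username" value="exampleuser">
  <input type="text" name="address" value="1 Example St">
  <input type="PASSWORD" name="password" value="hunter2-constructed">
  <input type="password" name="password_confirm" value="">
  <input type="password" name="pin" />
</form>
"""


class PrefilledSecretFinder(HTMLParser):
    """Collects password inputs whose value attribute is sent non-empty."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        first = {}
        for key, val in attrs:
            # Browsers honour the first occurrence of a duplicated attribute.
            first.setdefault(key, val or "")
        if first.get("type", "").strip().lower() != "password":
            return
        if first.get("value", ""):
            line, _col = self.getpos()
            # Record the length only, so the report does not copy the secret.
            self.findings.append(
                {"name": first.get("name", ""), "line": line,
                 "length": len(first["value"])}
            )


def find_prefilled_passwords(html_text):
    """Return one finding per password field that the server pre-populated."""
    finder = PrefilledSecretFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for f in find_prefilled_passwords(SAMPLE_RESPONSE):
        print(f"line {f['line']}: field {f['name']!r} prefilled ({f['length']} chars)")
```

Run against saved responses fetched with a fresh, cookie-less client, a finding means the value came from the server rather than from browser autofill.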
John Barresi
Posted May 17, 2018

Very peculiar, first I’ve heard of any such issue - with no screenshot (sent to me privately) or way to replicate the issue, there’s no way for me to diagnose it.

Sent from my iPhone using KiteLife mobile app