Case Study - Lack of concern for the privacy of customers: Snapdeal.com

About Snapdeal.com - 

Snapdeal.com is India's 3rd most popular e-retailer. As per alexa.com, it is the 166th most visited site in the world this month and the 13th most visited in India.

Introduction - 

For such a big draw, the portal shows a surprising lack of concern for its customers' privacy. Having recently been a victim of this, I have come to the following conclusions, which are discussed in detail in this post:

a) Snapdeal doesn't understand privacy.

b) Its guest shopping method is detrimental in more than one way to customers and to innocent bystanders.

c) It has no mechanism to fix this flaw when it is brought to its attention. Its customer care rather pooh-poohs the mistake.

d) What more could be wrong with its identity management process.

Let's look at them in detail.

Snapdeal doesn't understand privacy -

An important aspect of identity management should be privacy management. Proper user authentication protocols should exist when you are trying to become a major player in the market. Your development team should have at least one group focused on privacy. The protocols for user login and the like should be designed with privacy as a major concern. Your marketing or user engagement teams shouldn't dictate terms; your security team should. Otherwise, if you grow big enough, you are an Ashley Madison waiting to happen.

The title of this section is not a diatribe against Snapdeal. It is just a small observation and an experience which I wouldn't want others to suffer.

Recently I received an email on my Gmail account saying: Hello <not my name>, thank you for purchasing a pair of ladies' slippers for Rs 200 from snapdeal.com with <not my mobile number> at address <not my address>. I didn't have any account on Snapdeal, and even if I did, I hadn't ordered ladies' slippers.

So, taking the next logical step, I opened snapdeal.com and logged in using the email ID the email had been sent to. You might wonder how I did that. Well, they have nice Google+ buttons to log in with.

I was in the account and I could see the slippers had indeed been ordered. The next logical thing was to cancel the order, which I did, and I received the Rs 200 in my account. I wished the guy had ordered something costlier for his wife.

Being the gentleman I am, I immediately wrote to Snapdeal customer care informing them that this had happened and that, out of decency, I hadn't used the Rs 200 snap cash they had given me. By the way, I had also received a CCAvenue email regarding the purchase with some details about his purchase. Very, very interesting!!

The response I got left me flabbergasted. This is their email:

Hi Sanjay,

Greetings from Snapdeal!

Please accept our apology for the inconvenience you have experienced.

We understand your concern regarding your email ID being used for placing an order with us. We would like to inform you that someone might have used the same mistakenly while placing the order. As a facility for customers, anybody can place the order without creating account on our website.

However, if you want we can unsubscribe your email address from Snapdeal newsletters.

We regret the inconvenience experienced by you.
 

In case of any further assistance or clarification on this issue, please reply to this email.
Assuring you of our best services always.
Yours Sincerely,
Team Snapdeal

This is the height of stupidity, and they call it a "facility". The next section gives you two scenarios showing how this is SOOOOOO against user privacy.

More than one way to cause harm - the Snapdeal user login process:

The first way you have already seen: since Snapdeal lets its users make 'mistakes', they can end up giving their personal information to unknown strangers just like me. I know the man's phone number, address, his wife's foot size and, yes, some bank details (thanks, CCAvenue). On top of that, I also have the ability to cancel his order and buy something with HIS cash. I didn't do it, but I could have, and someone will; not many saints around nowadays, you know.
On my repeated emailing I received the same standard response mentioned above from Snapdeal. I even tried explaining to them how detrimental it is to user privacy. Still the same response.
On each of my emails they were un-cancelling the order, though. Eventually they disabled the cancel ability from my user account. WTF!! Yes, that was their response: to cancel the cancelling ability for your account. They can remove the ability to cancel the product you ordered from your account.

This is crazy, to say the least. But, dumb as they were, they didn't cancel my return-product facility. Thanks for that; now the gentleman will have a visit from the courier guy to collect the slippers. I know I can contact that guy using my email, but I want to keep playing this game as long as Snapdeal is ready to be stupid.

The second way is how I could exploit this flaw:

Let's say I have a colleague, Mr. X, whom I don't like, and I know his wife, Mrs. X, is the suspicious kind. One fine evening I log in to snapdeal.com and order a pair of nice lingerie, delivered to a hotel address, with Mr. X's name and email ID. I do it while Mr. X is on his way home. Let's say Mrs. X gets hold of his Gmail account somehow (I said she is not the trusting kind); she sees this email from Snapdeal with a purchase of lingerie most certainly not for her giant size but for a petite lass. All hell will break loose in their house. Not to mention the constant ads Mr. X will get through Google ads because he 'purchased' lingerie, hahaha (Google mines your email for ad keywords, hehe).

This is cruel, and Snapdeal enables it. This is from my side: _|_ .

They don't have any mechanism to fix this flaw as of now -

On my repeated cancelling of the order and emailing them, each of which got me the standard reply quoted above, they removed my ability to cancel orders. This is seriously dumb. Snapdeal developers, if you can't think of a privacy-proof process, there is no harm in learning from your peers like Amazon and Flipkart. They don't let you buy things under an account without verifying that account.
That your customer care used the standard reply every time shows that a) this happens a lot and b) your customer care believes that is the correct response to it.
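To make the flaw concrete, here is a small model of the two flows described above: the guest checkout that attaches an order to whatever email address the buyer typed, with a social login (the Google+ button) that hands every such order to whoever controls that mailbox, beside a flow that verifies the address first, the way the "verify the account before you can buy" approach of the peers mentioned above works. This is an added example written for this post, not Snapdeal's code; the store classes, their methods and the sample order data are all hypothetical and constructed.

```python
"""Guest checkout keyed on an unverified e-mail, beside a hardened flow.
Added example for this post, not Snapdeal's code: the store classes, their
methods and the sample order data are hypothetical/constructed."""
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class Order:
    order_id: str
    email: str        # address typed at checkout, possibly someone else's
    phone: str
    address: str
    amount: int
    payment_ref: str  # reference to the instrument that actually paid

class VulnerableStore:
    """Guest orders are attached to whatever address the buyer typed."""
    def __init__(self):
        self.orders = {}

    def guest_checkout(self, email, phone, address, amount, payment_ref):
        oid = f"ord-{len(self.orders) + 1}"
        self.orders[oid] = Order(oid, email, phone, address, amount, payment_ref)
        return oid

    def social_login(self, idp_email):
        # The IdP proves control of the mailbox; the store treats that as
        # ownership of every order ever typed with that address.
        return [o for o in self.orders.values() if o.email == idp_email]

    def cancel(self, idp_email, order_id):
        order = self.orders[order_id]
        if order.email != idp_email:
            raise PermissionError("not your order")
        del self.orders[order_id]
        # Refund is credited to the logged-in account, i.e. the mailbox owner.
        return ("wallet", idp_email, order.amount)

class HardenedStore:
    """A guest order stays pending and invisible to any login until the mailbox
    owner confirms it (or rejects it); refunds go back to the paying instrument."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.orders, self.pending = {}, {}

    def _token(self, oid, email):
        # Unguessable per-order token; it is all the confirmation mail carries.
        return hmac.new(self.secret, f"{oid}:{email}".encode(), hashlib.sha256).hexdigest()

    def guest_checkout(self, email, phone, address, amount, payment_ref):
        oid = f"ord-{len(self.orders) + len(self.pending) + 1}"
        self.pending[oid] = Order(oid, email, phone, address, amount, payment_ref)
        return oid, self._token(oid, email)  # token is e-mailed to `email`

    def _claim(self, oid, email, token):
        order = self.pending.get(oid)
        if order is None or order.email != email:
            return None
        if not hmac.compare_digest(self._token(oid, email), token):
            return None
        return self.pending.pop(oid)

    def confirm(self, oid, email, token):
        order = self._claim(oid, email, token)
        if order is None:
            return False
        self.orders[oid] = order
        return True

    def reject(self, oid, email, token):
        """'This was not me': the order and its personal data are discarded."""
        return self._claim(oid, email, token) is not None

    def social_login(self, idp_email):
        return [o for o in self.orders.values() if o.email == idp_email]

    def cancel(self, idp_email, order_id):
        order = self.orders[order_id]
        if order.email != idp_email:
            raise PermissionError("not your order")
        del self.orders[order_id]
        return ("payment_ref", order.payment_ref, order.amount)

def demo():
    """A stranger mistypes the reader's address at checkout (constructed data)."""
    typed = "reader@example.com"
    v = VulnerableStore()
    oid = v.guest_checkout(typed, "000-000-0000", "12 Sample Street", 200, "card-1")
    leaked = v.social_login(typed)   # reader logs in via the IdP and sees it all
    refund = v.cancel(typed, oid)    # and can refund it to their own wallet
    h = HardenedStore(secret=b"server-side-secret")
    oid2, token = h.guest_checkout(typed, "000-000-0000", "12 Sample Street", 200, "card-1")
    visible = h.social_login(typed)  # nothing: the order is still pending
    rejected = h.reject(oid2, typed, token)
    return leaked, refund, visible, rejected, h
```

The point of the hardened version is not the token itself but what is linked when: until the person who controls the mailbox has clicked a link, the order is not attached to any login, the confirmation mail carries no phone, address or payment details, the mailbox owner can discard a stranger's order with one click, and a cancellation refunds the card that paid rather than crediting whoever happens to be logged in.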

What more can be wrong with its identity management process - 

I am now fearful of ordering anything on snapdeal.com. I am unsure how many such flaws exist in the system, unseen by the user. They can cancel my order-cancelling ability. They can probably see my credit card details, order on my behalf, and what not.


I hope someone from the Snapdeal engineering team reads this (they don't keep books on their site, so maybe reading isn't their forte). I may be wrong in some places, but I am absolutely sure I don't want my email to be someone else's identity.