ATTENTION: Belle and Clive / Bluefly Shoppers - BEWARE

Mar 9, 2011
Hi Belle and Clive and BlueFly shoppers,

Beware of shopping on this site. When you try to log in to their website, your password is not encrypted and you are being directed to a secure connection. I already raised this with their customer service yesterday but I haven't had any reply. Please help disseminate this information, as this is a security breach and all information including your credit card might be stolen.

If you don't believe me, do the following steps:

1. Open a Firefox browser
2. Go to their website: www.belleandclive.com or bluefly.net
3. Right click your mouse and click 'Inspect Element'.
4. Click on the Network tab.
5. Log in with your username and password, but for testing purposes DO NOT USE your password.
6. Find the URL with the POST method in it and click it.
7. You will see tabs on the right side... Click the 'Params' tab.
8. Voila... you can see the actual password you typed.

To the admin: If you are reading this, kindly take some action and remove Bluefly or Belle and Clive from your suggested sites. They are selling bags that cost 15000 USD, and yet their site is not secure.
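The manual check in the steps above (watch the POST in the Network tab) comes down to two questions: does the login form submit to an https URL, and was the page that served the form itself loaded over https (when it was not, Firefox shows the "does not supply identity information" message mentioned later in this thread). The script below is an added example and not code from any post or from the sites being discussed; it parses a login page's HTML with the standard library and reports a verdict per password form. The shop.example URLs and the HTML snippets are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginFormFinder(HTMLParser):
    """Collect every <form> that contains an <input type="password">."""

    def __init__(self):
        super().__init__()
        self._current = None   # attributes of the <form> being parsed
        self.login_forms = []  # dicts with action, method, has_password

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {
                "action": attrs.get("action") or "",
                "method": (attrs.get("method") or "get").lower(),
                "has_password": False,
            }
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._current["has_password"]:
                self.login_forms.append(self._current)
            self._current = None


def audit_login_page(page_url, html):
    """Return [(submit_url, method, verdict)] for each form with a password field.

    Verdicts:
      'secure'          page and submission are both https
      'insecure-submit' the password would be sent over plain http
      'insecure-page'   submission is https, but the form arrived over http,
                        so the form itself could have been altered in transit
    """
    finder = _LoginFormFinder()
    finder.feed(html)
    page_scheme = urlsplit(page_url).scheme
    results = []
    for form in finder.login_forms:
        # An empty action submits back to the page URL; relative actions resolve against it.
        submit_url = urljoin(page_url, form["action"])
        if urlsplit(submit_url).scheme != "https":
            verdict = "insecure-submit"
        elif page_scheme != "https":
            verdict = "insecure-page"
        else:
            verdict = "secure"
        results.append((submit_url, form["method"], verdict))
    return results


# Constructed sample pages (not real markup from any site).
SAMPLE_HTTP_SUBMIT = """
<form action="/search"><input name="q"></form>
<form method="POST" action="/account/login">
  <input name="email"><input type="password" name="password">
</form>"""

SAMPLE_HTTPS_ACTION_ON_HTTP_PAGE = """
<form method="post" action="https://shop.example/account/login">
  <input name="email"><input type="password" name="password">
</form>"""

SAMPLE_HTTPS_PAGE = """
<form method="post">
  <input name="email"><input type="password" name="password">
</form>"""


if __name__ == "__main__":
    for url, html in [("http://shop.example/login", SAMPLE_HTTP_SUBMIT),
                      ("http://shop.example/login", SAMPLE_HTTPS_ACTION_ON_HTTP_PAGE),
                      ("https://shop.example/login", SAMPLE_HTTPS_PAGE)]:
        for submit_url, method, verdict in audit_login_page(url, html):
            print(f"{url} -> {method.upper()} {submit_url}: {verdict}")
```

The search form without a password field is ignored, and the distinction between the two insecure verdicts matters: an https form action on an http page protects the password on the wire but not against a tampered form, which is why the whole login page, not just the POST target, should be served over https.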

They are famous for selling fakes as well and it has been documented here multiple times. I am not surprised at all they cut corners with their customer security. Any company that knowingly sells fakes repeatedly does not care for their consumers in the least, much less their information. Shame to hear they are dropping the ball yet again but in a whole new way, wish I could say I was surprised:tdown:
 
Unfortunately, I already bought 2 Prada shoes from them. They are authentic if you ask me (or at least based on gut feeling and research). But security is a different issue; I wish someone would take action on this. By the way, they haven't replied to my email yet. So if you have an account with them, do not log in until this issue is resolved.

They will likely not respond to you I'm sorry to say. They didn't bother to respond to most of the customers who received counterfeit merchandise either until charge-backs and such were pushed. They pay a company or have an IT department to handle their site so they are likely well aware already and/or use it as a way to cut corners hoping any IT competent user will not bother to check. Not all of their items are fake, just some but we are talking major high dollar items and at a high frequency. I'm glad to hear your shoes were both authentic, you are one of the lucky ones. If you do a search you will find tons of threads on their bad business practices.
 
The problem is, if there's a malicious user on your network, he might steal your unencrypted password and purchase on your behalf. This security measure is basic... Oh well, you'll never know until it happens to you. But I won't be buying from them again.
 
I am by no means an expert in Internet security and I'm using a different browser, but this sounds to me like a browser feature. When you type the password in the box, you normally can't see what you typed because your browser hides it from you. However, your browser must store this information somewhere (locally) before you hit the submit button. When you do that, the password will be encrypted (or hashed) and transmitted.

I've never shopped on Bluefly, but I tried to make a request for login just now and sniffed the traffic while I did so (gosh, I have better things to do :smile:) and no password was transmitted.
Also, if you try to make a checkout, they employ https, which is a known security protocol for transmitting sensitive data like bank details.

Just my two cents. I could be terribly wrong... And I have no idea about the authenticity of their stuff.
 
I think most people here don't know what I am talking about :| Try the steps I did in my first post. We tried it with Google Chrome as well. If you try logging in to netaporter.com, they are not encrypting the password either, BUT you go through the https connection, which handles the encryption. That is not the case with BelleandClive; therefore, if you log in on a public network and someone tries to check the network traffic, they will see your password.

I understand completely. I used to work with ensuring the security of websites. Given that they aren't encrypting their passwords, it's something to keep in mind if you're using the site at say, a public coffee shop and signing into free wifi, etc. I'm happy you posted this OP!!
 
I think most people here don't know what I am talking about :| Try the steps I did in my first post.

I just did, and I still don't understand :smile: how can you tell whether the data you see in the HTTP POST request is afterwards pushed through SSL/TLS or not? Granted, they could have encrypted or hashed the password field, but unless they used some salt-based technique, this would not preclude a man in the middle from replaying your encrypted password. This is why SSL is used in the first place.

When I try to login to Bluefly I see Client/Server key exchange in Wireshark. And browser indicates that the connection is done via SSL. Same as in case of NAP.

I'm not trying to be a pest :smile:, I just don't see how this site is any different from other ones in terms of the security protocols it uses.
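The replay point made in the post above is worth seeing concretely: hashing the password in the browser before sending it just turns the hash into a fixed password equivalent, while a server-issued one-time nonce ("salt-based technique" in the post's words) makes a recorded login message worthless on a second use. The simulation below is an added example and not code from any post or from the sites being discussed; it models both the client and the server side in-process with only the standard library. The password "hunter2" and both scheme names are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets


class StaticHashServer:
    """Scheme the post argues against: the client sends sha256(password) and
    the server compares it with a stored copy. The hash never changes, so a
    recorded copy of it logs in just as well as the original."""

    def __init__(self, password):
        self.stored = hashlib.sha256(password.encode()).hexdigest()

    def login(self, client_hash):
        return hmac.compare_digest(client_hash, self.stored)


def static_hash_client(password):
    return hashlib.sha256(password.encode()).hexdigest()


class NonceServer:
    """Challenge-response: every login starts with a fresh one-time nonce and
    the client answers with HMAC(verifier, nonce). A nonce is accepted once,
    so a recorded (nonce, proof) pair is rejected when resent."""

    def __init__(self, password):
        self.verifier = hashlib.sha256(password.encode()).digest()
        self.outstanding = set()  # nonces issued but not yet used (would expire in practice)

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def login(self, nonce, proof):
        if nonce not in self.outstanding:
            return False  # never issued, or already consumed: a replay
        self.outstanding.discard(nonce)
        expected = hmac.new(self.verifier, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(proof, expected)


def nonce_client(password, nonce):
    verifier = hashlib.sha256(password.encode()).digest()
    return hmac.new(verifier, nonce.encode(), hashlib.sha256).hexdigest()


def simulate(scheme, password):
    """Perform one legitimate login, then resend the exact recorded message.

    Returns (first_login_accepted, resent_message_accepted); the second value
    is what a passive observer of the unencrypted request could achieve.
    """
    if scheme == "static":
        server = StaticHashServer(password)
        recorded = static_hash_client(password)
        return server.login(recorded), server.login(recorded)
    if scheme == "nonce":
        server = NonceServer(password)
        nonce = server.challenge()
        recorded = (nonce, nonce_client(password, nonce))
        return server.login(*recorded), server.login(*recorded)
    raise ValueError(f"unknown scheme {scheme!r}")


if __name__ == "__main__":
    for scheme in ("static", "nonce"):
        first, resent = simulate(scheme, "hunter2")
        print(f"{scheme}: login {'ok' if first else 'failed'}, "
              f"resent message {'accepted' if resent else 'rejected'}")
```

Expected behaviour: "static" returns (True, True) and "nonce" returns (True, False). Note the limits of the nonce scheme, which is why the thread keeps coming back to SSL/TLS: the verifier stored on the server is itself a password equivalent, and a recorded proof can still be guessed against offline, so the challenge-response only removes straightforward replay. Sending the whole exchange over https addresses both, and also protects everything else in the session.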
 
Hi Bubach,

On other sites, after you log in, you can see in the URL that you are being directed to an https secure connection. So whatever encryption software the e-commerce site is using is the one responsible for encrypting the data (not just the password). On BelleAndClive or Bluefly you can see in the URL that 'This website does not supply identity information'.

I can see it on NAP and Shopbop.
 
Hi Jeune,

Are you getting a triangle sign perhaps?
https://support.mozilla.org/en-US/k...onnection-is-secure?as=u&utm_source=inproduct

Because all I see when I access my account is a green padlock (which is Firefox's sign for a secure connection). It could be that some of their scripts are buggy and encrypting data only partially. And you're right, depending on which data is being transmitted that way, it could potentially be quite dangerous.