X

Business

Home Business Tech & Work

I tried to buy a sweater on H&M's site, Firefox told me to stop

You think all your favorite retail sites are secure? It appears they might not be.

Written by Chris Matyszczyk, Contributing Writer Sept. 23, 2018 at 5:00 a.m. PT

Featured

I tested Lenovo's dual-screen laptop and it improved my productivity in profound ways
Samsung Galaxy Book 4 Ultra review: Should Windows users consider anything else?
Nothing's new $99 earbuds are the most stylish ones I've tested (and almost perfect)
The most charming projector I've tested has now replaced my TV for movie nights

I used to have a shopping fetish.

It's a little better now, thank you.

Occasionally, though, late at night -- especially if it's been a torrid day -- I might be tempted to buy, you know, a pair of sneakers I don't need. Or a sweatshirt I definitely don't need.

And this time, H&M was begging me.

Also: Your love for Amazon won't be ruined by more sales taxes CNET

The retailer had send me a quaint little postcard that read: "Long time, no see!" It offered a 20 percent discount if I'd just please, please do a little shopping with the store online.

In the early days of H&M, when it was Swedish and strange, the store was a must. These days, it's ubiquitous and conventional, so I don't often visit.

This time I succumbed. I found a nice black sweater that I'd probably wear twice and proceeded to check out.

The site asked me to log in. I began the process and suddenly I heard a scream. Well, technically I saw one.

It was a message from Firefox: "The connection is insecure. Logins entered here could be compromised."

But I've logged in to the H&M site countless times and never seen this before. And, surely, the naive shopper might think these major retail sites wouldn't be so careless.

Also: The retail renaissance: Leading brands use data and AI to win

So, I didn't buy the sweater and asked Firefox's parent Mozilla what was going on.

Mozilla's fine engineers offered me this delightfully detailed reply:

If you go to the main site of this retailer https://hm.com/ without any cookies you'll get redirected to their country chooser at https://www.hm.com/entrance.ahtml?orguri=%2F. Most of the country-specific site links have a padlock icon next to them, and the US URL does have an https:// link. It looks like they know what they ought to be doing, but that https:// link. then redirects to insecure http: so the implementation is lacking. There is a tiny "sign in" link at the top that would be insecure.

This seemed like the height of carelessness. How could a major retail site have such a poor redirect?

How could its engineers not have spotted what seems like a blatant disregard for basic security?

Despite several attempts to contact H&M, I was unable to secure a response.

Most shoppers surely wouldn't have paid attention to whether there's a little padlock in their browser to show a site is secure. Perhaps not all browsers would have sent the sort of warning that I received from Firefox.

Also: Walmart's automated pickup stations highlight future of digital transformation in retail TechRepublic

Yet Mozilla's engineers dug further to see how this insecurity might have been avoided. They told me:

If you ignore that sign in and just add an item to the cart, when you go to checkout the site switches to the https:// version of the site for login. So they sort of get it, and our browser warning will protect people from using the insecure sign-in too early in the process.

Please, I'm shopping. I'm just trying to make H&M feel better about me not visiting it for a while. And now I have to go through these hoops, just so that my personal details aren't pilfered?

Mozilla's engineers offered me one final kink, one that made me not want to buy an H&M sweater again:

Of course if you sign in securely and then go back to shopping they're then sending the auth cookies unprotected so that's still insecure, but at least the eavesdropper could only reuse the cookies to get into your account for that session and wouldn't know the actual password.

Of course.

I wonder when H&M will send me its next hurt postcard.

15 companies you might not know are owned by Amazon (and one that got dumped for a huge loss)

Previous and related coverage:

Microsoft to apply its AI technologies to retail checkout

https://www.zdnet.com/article/microsoft-to-apply-its-ai-technologies-to-retail-checkout-report/Microsoft may be looking to get more involved in the checkout-free retail space, a market where Amazon has been making its mark as of late.

What is unattended retail and how does it work?

https://www.zdnet.com/video/what-is-unattended-retail-and-how-does-it-work/Maeve McKenna Duska, senior VP of marketing and strategic development at USA Technologies, discusses using AR and VR for self-service shopping.

Restaurants and retail snapping up automated kiosks

https://www.zdnet.com/video/automated-kiosks-are-the-future/A billion dollar industry is emerging to make checkout faster by removing human cashiers.

As mobile commerce grows, so do retailer challenges

https://www.zdnet.com/article/as-mobile-commerce-grows-so-do-retailer-challenges/While the smartphone shopping experience keeps improving, it trails the desktop experience on many metrics, according to Adobe data.

Is Apple Pay really accepted at 1-out-of-2 retailers? Not in the real world

https://www.zdnet.com/article/is-apple-pay-really-accepted-at-1-out-of-2-retailers-not-in-the-real-world/Apple claims that half of all retailers in the United States accept Apple Pay. While we couldn't visit all retailers, we did visit a random selection locally, which is a good reflection of what you might find. The results were not promising.

Editorial standards

Show Comments

Related

Is Temu legit? Everything to know before you place your first order

masked-image

I just watched a robot that protects your privacy and I'm mesmerized

The best secure browsers to protect your privacy online in 2024