Why VistaPrint Is Creepy

UPDATE: It looks like this might be done with Flash cookies - a technique of bypassing a browser user's "clear cookies" preferences. More about Flash cookies here:
"Bypassing user intent like this is scummy, plain & simple."

I agree with that statement.

I followed up this post with a page about Flash cookies.

(For a complete list of updates and comments, please scroll down.)

I went to buy some business cards on Vistaprint.com and noticed very weird behavior from the site.

Even though I had logged out and cleared cookies since my last visit to Vistaprint, my name would appear on the home page of the site whenever I visited it.

Here is a screenshot of the home page, with a key to the numbers:

  1. My name appearing on the home page of vistaprint.com without my logging in.
  2. My saved password filled into the box by Firefox
  3. My saved business card designs displayed on the home page of Vistaprint without my having logged in. Cookies had been cleared several times since last logging in.

[Screenshot: vistaprint-homepage.png]

I think that Vistaprint.com might be using AJAX to grab my password out of the autofilled form and logging me in without my permission. I'm trying to think of another way that they could recognize my visits, but I can't think of one.

I don't like that a site is displaying my confidential information on their homepage without my permission (i.e., pressing the "Sign in" button). I'm not sure if it's a security risk, but it's creepy. It's a violation of the user's password data.

I tried loading the home page in a browser that didn't have my password saved, and Vistaprint didn't display my confidential data on its home page.

I contacted them through their contact form but never heard back, so now I'm posting my question online. Why is VistaPrint displaying my confidential information on their homepage without my logging in?


UPDATE: It doesn't look like AJAX, and I'm not sure how they are doing it. (16 March 2008)

The point is not whether it is AJAX or not. It's that the site is showing personal data that should only be visible behind a login page.

UPDATE: From the comments below it looks like they may be spying on your computer with Flash cookies. Regular cookies are easily removed, but using Flash cookies gives visitors no easy way to clear their saved data.

Some of the comments below appear to be from VistaPrint, but they have not openly responded.
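
As an added example (not code from the original post): Flash cookies are Local Shared Objects, `.sol` files that Flash Player keeps in its own per-user directory outside any browser profile, which is why clearing browser cookies leaves them in place. This Python script lists them per site and can delete them; the directory paths are Flash Player's usual defaults, and the function names are illustrative.

```python
import os
import sys
from collections import defaultdict
from pathlib import Path


def default_roots(home=None):
    """Default per-user Flash Player storage roots on Linux, macOS and Windows."""
    home = Path(home) if home else Path.home()
    roots = [
        home / ".macromedia" / "Flash_Player" / "#SharedObjects",
        home / "Library" / "Preferences" / "Macromedia" / "Flash Player" / "#SharedObjects",
    ]
    if os.environ.get("APPDATA"):
        roots.append(Path(os.environ["APPDATA"]) / "Macromedia" / "Flash Player" / "#SharedObjects")
    return roots


def find_lsos(roots, domain=None):
    """Map each site to its .sol files; optionally keep only `domain` and its subdomains."""
    found = defaultdict(list)
    for root in map(Path, roots):
        if not root.is_dir():
            continue
        for sol in sorted(root.rglob("*.sol")):
            parts = sol.relative_to(root).parts
            if len(parts) < 3:  # layout: <random id>/<site>/[path/]<name>.sol
                continue
            site = parts[1].lstrip("#").lower()
            if domain and site != domain.lower() and not site.endswith("." + domain.lower()):
                continue
            found[site].append(sol)
    return dict(found)


def purge(found):
    """Delete the listed files and return how many were removed."""
    removed = 0
    for paths in found.values():
        for sol in paths:
            sol.unlink()
            removed += 1
    return removed


if __name__ == "__main__":
    # Usage: script.py [domain] [--delete]
    args = [a for a in sys.argv[1:] if a != "--delete"]
    hits = find_lsos(default_roots(), args[0] if args else None)
    for site, paths in sorted(hits.items()):
        print(f"{site}: {len(paths)} shared object(s)")
    if "--delete" in sys.argv:
        print(f"removed {purge(hits)} file(s)")
```

Run it once without `--delete` to see which sites have stored objects before removing anything.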


Comments

Did you try clearing the autofill data?

That would tell you if it's an AJAX request.

I saw this the other day too but I couldn't figure it out, but I couldn't see any AJAX going on.

Webmaster Tips's picture

VistaPrint AJAX

I don't want to clear the passwords out of my browser's history. But I've used another browser on the same computer at the same time and wasn't shown my personal data on the home page.

I'm not sure how they are doing it, but when you visit the site you can see they are doing sophisticated user targeting in the URL parameters.

VistaPrint seems to have been reading this page today so maybe they will reply with an answer.

Try running Firebug

I just ran Firebug and it didn't see any AJAX calls. I cleared my passwords and it still knew who I was. Weird.

* Isn't #2 a feature of Firefox that it remembers your passwords?
* What version of Firefox are you using?
** Don't newer versions of Firefox allow you to delete the password for a single site?

Webmaster Tips's picture

AJAX and VistaPrint.com

I cleared that password from Firefox and also tried using a different Firefox Profile. VistaPrint still showed my information on its home page.

When I used Konqueror it told me that my browser was incompatible with VistaPrint.com.

When I fired up Galeon, it recognized me.

However, when I used Internet Explorer 6 it didn't recognize me.

It shows a lack of respect for the visitor's privacy. What if I were letting someone borrow my laptop and didn't want them to see my business cards? It breaks my trust that sites will keep my personal data securely behind a login form.

It appears that they are reading this page, but I haven't heard back from them. (Unless the comments above are from someone from VistaPrint who drove over to Cambridge.)

Flash cookies.

Webmaster Tips's picture

Flash Cookies

Thanks for the heads up. I'm not a Flash user and didn't know they weren't cleared when you clear your browser settings.

That is terrible. I am going to follow this up with a few more articles once I've researched it a bit more.
