It has been a long time coming, but the independent yet officially recognised store for all things Sonic merchandise, SonicMerchandise.com, has, after a couple of false starts, officially opened its doors to the public. The site, available in several languages and stocking everything from toys and keychains through to other licensed items from Tomy and Insert Coin, looks very good, and it's nice to say that there IS a place you can go for such things. They are also implementing some form of reward scheme.
Before you start jumping for joy, however, a note of caution, as this is where we at SW last night (as we alluded to on Twitter) had to stop being pleased and instead raise our palms in the direction of our faces. Because SonicMerchandise.com have made what is, ironically, a very traditional SEGA mistake whilst setting up their site.
At the time of writing, the backend file tree is accessible, viewable and navigable.
Now, this is frankly so basic – especially for a website that handles money – that it somewhat beggars belief. Regardless, there are presently no access restrictions on the directory listing, and you can have a nose around in the backend and in the admin set-up folders… heck, there's even an (albeit empty) install folder still sitting in the home directory. I'm not saying that all their financial transactions are available to view; I'm just saying that if someone wanted to hack it to bits, they can get a damn good idea of how to go about it.
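For anyone running a shop of their own, here is what closing this hole looks like. This is an added illustration, not configuration from the original post or from SonicMerchandise.com (whose web server is not known), and it assumes an Apache httpd deployment with placeholder paths: the directive that produces the browsable listing, followed by the hardened form, which also refuses requests to a leftover install folder and puts the admin set-up folder behind authentication.

```apache
# Added example; assumes Apache httpd. All paths are placeholders.

# WEAK: "+Indexes" makes the server generate a browsable file list for
# any directory that has no index file, which is exactly how a backend
# file tree ends up viewable and navigable from a browser.
<Directory "/var/www/shop">
    Options +Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# HARDENED: "-Indexes" switches the auto-generated listing off. A request
# for a directory with no index file now returns 403 instead of a file list.
<Directory "/var/www/shop">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# A leftover install folder should simply be deleted once setup is done;
# until it is, deny every request to it.
<Directory "/var/www/shop/install">
    Require all denied
</Directory>

# Admin set-up folders should never be open to the world. Basic auth over
# HTTPS is shown as one assumed mechanism; the htpasswd path is a placeholder.
<Directory "/var/www/shop/admin">
    AuthType Basic
    AuthName "Staff only"
    AuthUserFile "/etc/httpd/shop.htpasswd"
    Require valid-user
</Directory>
```

After reloading the server, a request for a directory such as `/admin/` should answer 401 or 403 rather than 200 with an "Index of" page; that is the quick check that the listing is really gone.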
Things like that don't exactly breed confidence, and I certainly won't be handing over any card or personal details until such fundamentals are addressed and covered.
And we recommend you don’t yet either.