Public Track Your Order page shows customers personal details

A customers personal details are displayed on the ‘Track Your Order’ page which can be obtained using remote scripts to guess the Unique ID.

This contains the Customers Full Name, Shipping Address (usually their home address) and Phone Number.

The unique order_id is generated using the following which in itself provides an unique page to provide the customer with details of their order.

$order_id = substr(sha1(uniqid('')), rand(1, 24), 12);

Viewing the above code, it is possible to work out how may iterations you would need to obtain customer information by simply writing a script and constantly hitting the webserver (and yes 36520347436056580 is a very large number but obscurity should not be considered security as it can be likened to playing the lottery to gain personal information).

Would it be possible to include an option to switch the Shipping Details off (either with a filter, hook or in the admin screens)?

I currently have ‘Shipping Settings General Options’ set to ‘No Shipping’ and a customer is still asked for Shipping Details which is OK for gateway usage and ‘Manage Orders’ in the admin screen – but I would like to disable it from public view.

I have found the relevant place in template-functions.php (line 787 version 2.03) but really do not want to modify core files as they will be overwritten on an update.


EDIT: The above iteration calculation is wrong – for the curious, it should read a lower 281474976710656 iterations.