Thread: Hunt Thread
#6
05-19-2011, 04:04 PM
ajw
member
Join Date: Jan 2010
Posts: 23

OK, given that the auction is over, that I've had multiple requests for the information, and that Hunt is apparently fixing the problem, I'm going to pull back the curtain and show people what happened. Another reason I'm doing this now is because Hunt appears to have fixed the problem: I can no longer replicate what I was able to do on Wednesday night. If anyone disagrees, let me know.

A couple of weeks ago, I bookmarked the following URL because I could not figure out how to easily see the items I had bid on and their current status:

http://www.huntauctions.com/phone/re...bidder_id=####

The "####" at the end was my bidder ID. After bookmarking this, I could view the page from other computers and did not need to log in to see my bid status. On Wednesday night, it finally dawned on me that it was very strange that I could see my information without logging in.

I looked at the URL and simply changed the #### to another number. Bam. There was another bidder's name, address, email, phone and list of bids. The bids included not just their current bid, but also their max bid.

It didn't take too long to determine the highest bidder ID number and then work backwards. I'm not a computer guy, but I suspect your local high school has dozens of kids that could design a simple program to plug in all possible #### combinations and save the bid information. That would probably give you a full list of every bid made to that point. Obviously, that would not be a good thing.

Now that you see how easy it is, I am confident you will agree that it is unlikely that I am the first person to discover this flaw. I hope that no one used this to disadvantage other bidders. I further hope that Hunt will use this publicity as an opportunity to upgrade their website design. In fact, it was the lousy design that caused me to bookmark the page in the first place, thus leading me to my discovery.

Does this all make sense?

ajw
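A defender-side example added here (not code from the post or from Hunt Auctions): it parses constructed access-log lines for the kind of bid-status page ajw describes, flags any client that pulls more than a handful of distinct bidder_id values (a real bidder only needs their own), and shows the server-side ownership check whose absence caused the exposure. The path /phone/bids, the IP addresses and the bidder IDs are assumed placeholders.

```python
import re
from collections import defaultdict

# Constructed Apache-style access-log lines (placeholder path, IPs and IDs).
# One client walks consecutive bidder_id values; another only views its own.
SAMPLE_LOG = """\
198.51.100.7 - - [18/May/2011:20:58:40 -0400] "GET /phone/bids?bidder_id=2211 HTTP/1.1" 200 4102
198.51.100.7 - - [18/May/2011:21:30:02 -0400] "GET /phone/bids?bidder_id=2211 HTTP/1.1" 200 4110
203.0.113.5 - - [18/May/2011:21:02:11 -0400] "GET /phone/bids?bidder_id=1040 HTTP/1.1" 200 5120
203.0.113.5 - - [18/May/2011:21:02:13 -0400] "GET /phone/bids?bidder_id=1041 HTTP/1.1" 200 4980
203.0.113.5 - - [18/May/2011:21:02:14 -0400] "GET /phone/bids?bidder_id=1042 HTTP/1.1" 200 5003
203.0.113.5 - - [18/May/2011:21:02:16 -0400] "GET /phone/bids?bidder_id=1043 HTTP/1.1" 200 4877
203.0.113.5 - - [18/May/2011:21:02:17 -0400] "GET /phone/bids?bidder_id=1044 HTTP/1.1" 200 5001
203.0.113.5 - - [18/May/2011:21:02:19 -0400] "GET /phone/bids?bidder_id=1045 HTTP/1.1" 200 4990
203.0.113.5 - - [18/May/2011:21:03:00 -0400] "GET /phone/index HTTP/1.1" 200 1200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
ID_RE = re.compile(r"[?&]bidder_id=(\d+)")


def bidder_ids_per_client(log_text):
    """Map each client IP to the set of distinct bidder_id values it requested."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not GET requests in the expected format
        idm = ID_RE.search(m.group("path"))
        if idm:
            seen[m.group("ip")].add(int(idm.group(1)))
    return seen


def flag_enumeration(log_text, threshold=3):
    """Return {ip: sorted ids} for clients exceeding `threshold` distinct bidder IDs.
    Consecutive IDs in the result are a strong sign the ID space is being walked."""
    return {ip: sorted(ids) for ip, ids in bidder_ids_per_client(log_text).items()
            if len(ids) > threshold}


def authorized_bidder_id(session_bidder_id, requested_bidder_id):
    """The missing server-side check: serve a bid record only when the logged-in
    session owns it. An anonymous request gets nothing, whatever the query says."""
    if session_bidder_id is None:
        return False
    return session_bidder_id == requested_bidder_id
```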