2012-03-31 📌 Warning: eBay Basket can leave you with duplicate orders and payments

I've decided to get back into model painting. It's something I did as a kid, thanks in large part to the existence of HeroQuest, although my mom ended up doing most of the pieces that were actually any good since patience and my knowledge of techniques such as washes and drybrushing were (more) lacking when I was at primary school. Looking in Games Workshop recently, it's obvious that they're not only charging more per pot than other companies for paint (£2.30) but that you're getting about 30% less (12ml) for that.

So, it was over to eBay and lots of people selling the Vallejo range of 17ml modelling acrylics (plus mediums, glazes and liquid putty) at under £2 delivered, and the first order of 18 pots from a specific seller went fine. It's good stuff — the pots have a dropper to control how much goes onto the palette, and the coverage on a properly primed surface is very smooth. After a therapeutic night touching up details on some models and applying base coats to others, I went back to fill in some gaps in the colour range I'd got and to buy various other odds and sods that will hopefully be useful; a detail brush that might not separate the way the one I bought from Games Workshop has, polystyrene cement, superglue, transfers, PVA, sand, etc.

eBay Basket is supposedly a time-saving mechanism designed to encourage buyers to treat the glorified auction site as a store. Except when I went to pay for my items, it first told me that I couldn't pay for everything in one go, then after the PayPal screens it told me there were still some unpaid and presented a link back to the basket. Clicking through the prompts led to, I discovered when the payment confirmation emails came through, the entire order being duplicated. In fact, although eBay call it a single order, it's ten separate orders with ten different sellers.

It's a basic principle of online shopping cart systems that items that have been paid for are removed from the cart or basket after payment. They weren't. eBay wants to be treated as a store rather than a middle-man for hundreds of thousands of sellers. It isn't. Not only have they failed with the basic concept of clearing a basket after payment, there's no way to cancel an order except sending messages to each and every seller.

Amazon does know how to do things properly, and on their site individual items can easily be cancelled during the grace period between an order being placed and goods being processed for mailing out. Given that I was ordering in the early hours of the morning, processing wasn't likely to have started... but eBay pays no attention to the other side of the e-commerce process. eBay, truth be told, is probably hoping that buyers won't actually cancel, meaning that it gets more fees... and it knows that if there's any comeback that most buyers will blame eBay's real customers: the luckless sods selling on their site.

I'm not alone. Comments from the sellers I've heard back from so far include "you're about the third person this week with the same problem" and "we have noticed that if buyers use iPads or iPhones, this does happen quite a lot". At least one familiar-sounding case I've seen involved more inconvenience;

I was using a desktop system with a current browser. I wouldn't be surprised if eBay hadn't tested with Chrome, or with tablets, or with anything other than Internet Explorer, because they're a company that finds it acceptable to roll out site "enhancements" to randomly selected users, something that causes no end of problems for people whose IT support is family or friends at the other end of a phone.

However, to go back to what I was saying earlier, it's not, or it shouldn't be, a browser problem. In any sane shopping cart system, the basket contents are held in a session on the server and cleared once payment is made. eBay is failing to do this, telling people that payment for items hasn't been made, and sending them back to a basket that if paid will result in a duplicate order and duplicate payment.

For the people who've had accounts put into the red by this, legal action may be warranted. For the probable thousands of individuals like me with relatively small orders, who are having to deal with dozens of order cancellations or returns individually, and the sellers at the sharp end, it wouldn't be unreasonable to make the point of billing eBay for the time wasted. They'll weasel out of it, of course, but it never hurts if, when making a complaint, you can waste someone else's admin resources for little investment yourself.

Also, many of the people you deal with on eBay have websites of their own where they aren't losing an increasing proportion of each sale price for the convenience of advertising on a virtual monopoly. If you have a good experience with someone, deal direct next time. Target the deceptive, incompetent bastards who want to be "your shopping universe" where it counts, and wherever possible use them for product research rather than actually buying.

Update, 2012-04-07:

They are. They're keeping basket contents client-side in a cookie. So not only do you get increased potential for a terrible shopping experience like above, you can't build a basket on one machine (eg, at work, or on a mobile device) and continue later on another. Although it can store contents for more than one eBay account, if that person clears browser cookies you've both lost your basket contents. And even when you're signed out of eBay anyone with access to your machine can read and modify the contents of your basket, and any vulnerability in a browser that permits reading of cookies will similarly give access to this information.

For reference, the cookie identifier is dp1, and you can easily follow how this works by logging into an incognito browser session in Chrome and copying the contents of dp1 for a regular session over into the private one using the Edit This Cookie extension. It also appears to store your first name (and who knows what else eBay are inclined to store client-side?) for use with site personalisation features.

This is monumentally stupid, at odds with how industry-leading sites operate... and is it really a good idea to trust information to people with such little grasp of security?
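The design this post argues for (basket held on the server, browser cookie carrying only a session id, basket cleared once payment is made) can be sketched as follows. This is an added example, not eBay's code or anything from the original post; the class, method names and sample items are hypothetical, and an in-memory dict stands in for a real session store.

```python
import secrets

class BasketStore:
    """Server-side baskets; the browser cookie carries only an opaque session id."""
    def __init__(self):
        self._baskets = {}  # session id -> {item_id: (seller, price_pence)}
        self._tokens = {}   # session id -> checkout token for the current basket
        self._paid = {}     # checkout token -> receipt already issued

    def new_session(self):
        sid = secrets.token_urlsafe(32)  # unguessable, carries no basket data
        self._baskets[sid] = {}
        return sid
    def add(self, sid, item_id, seller, price_pence):
        self._baskets[sid][item_id] = (seller, price_pence)
        self._tokens.pop(sid, None)  # basket changed, so any old token is void
    def items(self, sid):
        return dict(self._baskets[sid])
    def begin_checkout(self, sid):
        # Reloading the checkout page returns the same token for the same basket.
        return self._tokens.setdefault(sid, secrets.token_urlsafe(16))

    def pay(self, sid, token, charge):
        if token in self._paid:
            return self._paid[token]  # retry or back-button: no second charge
        basket = self._baskets[sid]
        if self._tokens.get(sid) != token or not basket:
            raise ValueError("stale checkout token or empty basket")
        orders = {}  # one order per seller, as on a marketplace
        for item_id, (seller, _) in basket.items():
            orders.setdefault(seller, []).append(item_id)
        total = sum(price for _, price in basket.values())
        charge(total)  # if this raises, the basket is kept and nothing is recorded
        receipt = {"total_pence": total, "orders": orders}
        self._paid[token] = receipt
        self._baskets[sid] = {}  # paid items leave the basket
        del self._tokens[sid]
        return receipt

def demo():
    """Constructed sample: two items from two sellers, paid once, then retried."""
    charges, store = [], BasketStore()
    sid = store.new_session()
    store.add(sid, "paint-1", "seller_a", 185)
    store.add(sid, "brush-1", "seller_b", 320)
    token = store.begin_checkout(sid)
    first = store.pay(sid, token, charges.append)
    retry = store.pay(sid, token, charges.append)
    return first, retry, charges, store.items(sid)
```

Because the server owns the basket and the checkout token, a "some items are still unpaid" page that sends the buyer round again replays the same token and gets the original receipt back instead of a second charge.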

Update, 2014-08-25:

It really isn't. Earlier in 2014, as the BBC put it, eBay was "facing questions over its handling of a hack attack that exposed millions of passwords and other data". Stupid, stupid fuckers.