TMZ reported yesterday about a grill featured on Sears’ website under “Human Cooking > Grills to Cook Babies and More > Body Part Roaster”, and they produced the following image as proof:
According to reddit user gfixler, who claims responsibility for the prank, he’s been able to make these sorts of modifications to the breadcrumb trail on sears.com “all year.”
Here’s another example:
As explained by reddit user immerc, this was done by simply changing the parameters in the URL of the page being viewed and then resubmitting it. Sears was extracting the breadcrumb text directly from the URL without any validation. Furthermore, the site cached the page associated with the item, so the user-generated breadcrumb remained visible to other users for some nontrivial period of time.
Sears has since fixed the flaw, and hopefully learned its lesson about sanitizing anything that might come from a user.
Thanks to Alex B. for the tip.