Old 01-02-2024, 08:02 PM   #1
Camaro_Fuzion
 
 
Drives: 2022 Chevy Camaro 2SS Redline
Join Date: Dec 2016
Location: Houston, TX
Posts: 310
Is this website legit or a scam?

Is this website legit or a scam? The website appears to be a GM parts portal to dealerships. The site looks like a directory of nationwide GM dealerships to search from without ordering anything directly from their website.

http://oemcats.com/
__________________
For the win!
Camaro_Fuzion is offline   Reply With Quote
Old 01-02-2024, 08:31 PM   #2
tenargo57
 
Drives: Car
Join Date: May 2023
Location: _
Posts: 74
No SSL cert = avoid even visiting, let alone buying from
tenargo57 is offline   Reply With Quote
Old 01-02-2024, 10:46 PM   #3
2SS Capt
2020 Shadow Gray 2SS
 
 
Drives: 2020 2SS - A10, NPP, MRC, CAI
Join Date: Dec 2019
Location: SoCal
Posts: 3,084
Quote:
Originally Posted by tenargo57 View Post
No SSL cert = avoid even visiting, let alone buying from
THIS X 1,000,000,000!!!

AVOID! AVOID! AVOID!!!
__________________
2020 SGM 2SS - A10, NPP, MRC, Red Calipers, Black Fender Badge, Footwell Lighting
After delivery: - GMP CAI, GMP Black Strut Tower Brace, MRR017 1LE Wheels, SS Armrest, Black Fuel Door, Stainless Pedals, SS Wheel Caps, Black Lugs/Locks, GM Splash Guards, DD Smoked LED Markers, Smoked Rear Reflectors, Mishimoto Catch Can, Xpel PPF - Full Front, SunTek 35% Tint, CeramicPro coating, RST Stainless Brake Lines, Castrol SRF, MSD Super Conductor Wires

Left: My "fun" ride. Right: My "work" ride: a Gulfstream G600. One's top speed is 180 Mph, the other, 620 Mph... BOTH are a lot of fun to operate...
2SS Capt is offline   Reply With Quote
Old 01-02-2024, 11:02 PM   #4
arpad_m


 
 
Drives: 2018 Camaro 2SS A8
Join Date: Jul 2017
Location: East Tennessee
Posts: 11,696
You guys are jumping the paranoia gun a bit. They do have a cert, it's just for a different domain, so maybe their sysadmin isn't top shelf, but their parts data looks legit.

So, while I wouldn't purchase directly from this site due to no traffic encryption, IMO it's perfectly usable for "routing", price comparison, price histories etc.
__________________
2018 Camaro 2SS — G7E MX0 NPP F55 IO6
735 rwhp | 665 rwtq

Magnuson TVS 2300 80mm pulley | Kooks 1 7/8" LT headers | JRE smooth idle terminator cam | LT4 FS & injectors | TSP forged pistons & rods
JMS PowerMAX | DSX flex fuel kit | Roto-Fab CAI | Soler 95mm LT5 TB | 1LE wheels | 1LE brakes | BMR rear cradle lockout | JRE custom tune

1100 - 1/30/18 | 2000 - 1/31/18
3000 - 2/06/18 TPW 2/26/18
3400 - 2/19/18 | 3800 - 2/26/18
4300 - 2/27/18 | 4B00 - 3/01/18
4200 - 3/05/18 | 4800 - 3/14/18
5000 - 3/16/18 | 6000 - 3/19/18
arpad_m is offline   Reply With Quote
Old 01-03-2024, 09:25 AM   #5
Camaro_Fuzion
 
 
Drives: 2022 Chevy Camaro 2SS Redline
Join Date: Dec 2016
Location: Houston, TX
Posts: 310
Quote:
Originally Posted by arpad_m View Post
You guys are jumping the paranoia gun a bit. They do have a cert, it's just for a different domain, so maybe their sysadmin isn't top shelf, but their parts data looks legit.

So, while I wouldn't purchase directly from this site due to no traffic encryption, IMO it's perfectly usable for "routing", price comparison, price histories etc.
That's the perfect answer, as there is no payment gateway directly on that site.
Camaro_Fuzion is offline   Reply With Quote
Old 01-03-2024, 10:39 AM   #6
GXP08jrf
 
Drives: 2016 1LT 'Vert
Join Date: Feb 2022
Location: Midwest
Posts: 172
Alternative:

I've been directed to that site and it was helpful to understand local dealerships that had public-facing parts portals. I then purchased directly from the local dealership parts website with ship-to-store (if offered) to avoid the shipping costs. The dealer sites kill you on the ship-to-home cost even if the part price is unbeatable.

Now I just use parts.gmparts.com which is the gm corporate parts portal (do an internet search for "GM Genuine Parts"). Within the portal you order directly from a local dealership (whichever one you select) and have it shipped to their facility for free pick-up at their parts counter after it arrives from the warehouse. You'll also be able to compare pricing among local dealerships based in zip code for the best price: Some offer the parts at retail, others discount them near cost. You don't need to go into a whole bunch of dealer parts sites and figure out the best price+shipping anymore or what dealership they are. I've purchased through the portal from various dealer franchises without issue (at least no more so than any other online transaction). You can order any gm brand part through any gm brand dealership: no need to be concerned that the logos on the part and the dealership match. Just yesterday I picked up Buick parts I ordered on the site from a Chevy dealer because they had the best price (and were close), no issues, I put in a 2nd order this morning.

Communication from the system is good: Typical "order is placed," "order is shipped" and "order is ready for pick-up" emails. Surprisingly user friendly for a gm website...
GXP08jrf is offline   Reply With Quote
Old 01-03-2024, 02:53 PM   #7
Camaro_Fuzion
 
 
Drives: 2022 Chevy Camaro 2SS Redline
Join Date: Dec 2016
Location: Houston, TX
Posts: 310
Quote:
Originally Posted by GXP08jrf View Post
I've been directed to that site and it was helpful to understand local dealerships that had public-facing parts portals. I then purchased directly from the local dealership parts website with ship-to-store (if offered) to avoid the shipping costs. The dealer sites kill you on the ship-to-home cost even if the part price is unbeatable.

Now I just use parts.gmparts.com which is the gm corporate parts portal (do an internet search for "GM Genuine Parts"). Within the portal you order directly from a local dealership (whichever one you select) and have it shipped to their facility for free pick-up at their parts counter after it arrives from the warehouse. You'll also be able to compare pricing among local dealerships based in zip code for the best price: Some offer the parts at retail, others discount them near cost. You don't need to go into a whole bunch of dealer parts sites and figure out the best price+shipping anymore or what dealership they are. I've purchased through the portal from various dealer franchises without issue (at least no more so than any other online transaction). You can order any gm brand part through any gm brand dealership: no need to be concerned that the logos on the part and the dealership match. Just yesterday I picked up Buick parts I ordered on the site from a Chevy dealer because they had the best price (and were close), no issues, I put in a 2nd order this morning.

Communication from the system is good: Typical "order is placed," "order is shipped" and "order is ready for pick-up" emails. Surprisingly user friendly for a gm website...
Damn good info here guys!
Camaro_Fuzion is offline   Reply With Quote
Old 01-03-2024, 02:58 PM   #8
Camaro_Fuzion
 
 
Drives: 2022 Chevy Camaro 2SS Redline
Join Date: Dec 2016
Location: Houston, TX
Posts: 310
Also, check out this website for anything GM parts related.

https://parts-catalog.acdelco.com/acesCat.php
Camaro_Fuzion is offline   Reply With Quote
Old 01-04-2024, 09:39 PM   #9
tenargo57
 
Drives: Car
Join Date: May 2023
Location: _
Posts: 74
Quote:
Originally Posted by arpad_m View Post
You guys are jumping the paranoia gun a bit. They do have a cert, it's just for a different domain, so maybe their sysadmin isn't top shelf, but their parts data looks legit.
.

No, we're not, and as a software engineer I'll just say this is a dangerous thing to downplay, and without knowing your background, naive sounding. It's already been 24 hours since this post was created and the cert is still invalid. At best it indicates they don't value security. SSL certificate issuing is basically automated at this point, and if you're self signing, Let's Encrypt makes it dead simple and completely free. And in the worst case they could either be blatant scammers trying to spoof a certificate, or complete amateurs who don't even realize mistakes being made like storing passwords in plaintext or logging requests that contain sensitive data like credit card info.


This is like the equivalent of seeing a credit card scanner at a gas pump that jiggles and has a broken security seal and using it anyway.
tenargo57 is offline   Reply With Quote
Old 01-04-2024, 10:16 PM   #10
arpad_m


 
 
Drives: 2018 Camaro 2SS A8
Join Date: Jul 2017
Location: East Tennessee
Posts: 11,696
Quote:
Originally Posted by tenargo57 View Post
No, we're not, and as a software engineer I'll just say this is a dangerous thing to downplay, and without knowing your background, naive sounding. It's already been 24 hours since this post was created and the cert is still invalid. At best it indicates they don't value security. SSL certificate issuing is basically automated at this point, and if you're self signing, Let's Encrypt makes it dead simple and completely free. And in the worst case they could either be blatant scammers trying to spoof a certificate, or complete amateurs who don't even realize mistakes being made like storing passwords in plaintext or logging requests that contain sensitive data like credit card info.


This is like the equivalent of seeing a credit card scanner at a gas pump that jiggles and has a broken security seal and using it anyway.
Well, since you called me out, no, this isn't naivete. I visited that site (safely) and indeed their SSL certificate is for a different domain, but the level of exposure also depends on user inputs and activity.

There is always the possibility of an exploit targeting a zero day browser security vulnerability, of course, but this applies to every site, and to me a bad/expired SSL certificate is typically more indicative of sloppiness than malicious intent---as you said, it's so easy to fix that if I were running a scam op via that site, I certainly wouldn't be as stupid as to raise such a simple red flag.

The credit card reader analogy is not adequate either, because the station is guaranteed to obtain my credit card data and I have no way of verifying what its backend does with it. In this case, however, the recommendation was to enter absolutely zero information, personal or financial, into the site, but use it as a data source for parts catalogs, pricing history and dealership routing.

Even if this site tried to scam people, if we don't enter sensitive info into it, the only data it can gather is my IP address (that is not actually mine but whatever my VPN supplies) and cookies/local storage, but even that if and only if my browser is already compromised or has an exploitable vulnerability.

(I will say that I do not work in the field of cybersecurity, if you want to attack that, have at it )
arpad_m is offline   Reply With Quote
Old 01-04-2024, 10:37 PM   #11
david_acm
 
 
Drives: LT1
Join Date: Mar 2022
Location: Florida
Posts: 146
It is precisely because Let's Encrypt makes it so simple to get an SSL certificate that you shouldn't trust a site's legitimacy based on the fact that they have a valid cert (or not).

Brian Krebs reported on this back in 2018!

Half of all Phishing Sites Now Have the Padlock
https://krebsonsecurity.com/2018/11/...e-the-padlock/
david_acm is offline   Reply With Quote
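
Added example, not part of any post in this thread: a small Python check that separates the cases argued over above (no certificate, a certificate issued for a different domain, an expired certificate) and shows why a clean result is not a sign of legitimacy. It works on the dict format returned by `ssl.SSLSocket.getpeercert()`; the sample certificate, hostnames and dates are constructed placeholders, and trust-chain validation is assumed to be done elsewhere.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict format returned by ssl.SSLSocket.getpeercert().
# Hostnames and dates are placeholders, not values taken from the site discussed.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.net"),),),
    "subjectAltName": (("DNS", "shop.example.net"), ("DNS", "*.example.net")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 23:59:59 2024 GMT",
}


def name_matches(pattern, host):
    """RFC 6125-style match: a wildcard stands for exactly one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def diagnose(cert, host, now):
    """List the reasons a client would reject `cert` when connecting to `host`."""
    if not cert:
        return ["no certificate presented"]
    problems = []
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(n, host) for n in names):
        problems.append("hostname mismatch: cert covers " + ", ".join(names))
    ts = now.timestamp()
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    # An empty list only means the connection is encrypted to the named host;
    # it says nothing about whether the operator of that host is trustworthy.
    return problems


if __name__ == "__main__":
    now = datetime(2024, 2, 1, tzinfo=timezone.utc)
    for host in ("shop.example.net", "parts.example.org"):
        print(host, diagnose(SAMPLE_CERT, host, now) or "certificate OK")
```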
Old 01-04-2024, 10:41 PM   #12
tenargo57
 
Drives: Car
Join Date: May 2023
Location: _
Posts: 74
Quote:
Originally Posted by arpad_m View Post
Well, since you called me out, no, this isn't naivete. I visited that site (safely) and indeed their SSL certificate is for a different domain, but the level of exposure also depends on user inputs and activity.


(I will say that I do not work in the field of cybersecurity, if you want to attack that, have at it )

Come on, don't act like any worthwhile cyber security professional would condone an invalid SSL cert while selling products online.
tenargo57 is offline   Reply With Quote
Old 01-04-2024, 10:43 PM   #13
arpad_m


 
 
Drives: 2018 Camaro 2SS A8
Join Date: Jul 2017
Location: East Tennessee
Posts: 11,696
Quote:
Originally Posted by tenargo57 View Post
Come on, don't act like any worthwhile cyber security professional would condone an invalid SSL cert while selling products online.
Sure, the owners of the site suck and there is no real excuse for this in 2023, no question about that. My point was that we can still extract very useful information out of their pages at a very reasonable risk level.
arpad_m is offline   Reply With Quote
Old 01-04-2024, 10:48 PM   #14
tenargo57
 
Drives: Car
Join Date: May 2023
Location: _
Posts: 74
Quote:
Originally Posted by arpad_m View Post
Sure, the owners of the site suck and there is no real excuse for this in 2023, no question about that. My point was that we can still extract very useful information out of their pages at a very reasonable risk level.



Gotcha, that makes sense
tenargo57 is offline   Reply With Quote
 