Just last week we found out someone is bringing big guns to a fight, as Stuff told us Neil Graham was starting an online marketplace business to compete with the one and only Trade Me.
The new web site, called Wheedle, wasn't ready for prime time yet when it was first mentioned online, and after a few hours of hiccups it was taken offline until its official launch date, 1st October 2012.
In the brief moments the site was up (and down) Geekzone members started reporting some of the bugs around the site (and here as well). The discussion ranged from simple things, such as listings showing completely unrelated images, to a more disturbing problem: pages showing someone else's user name and information.
It is great to see that the mixed-up identities problem has since been fixed, but other things have popped up.
Right now I can imagine some Trade Me folks talking around a whiteboard:
- Tech Guy: We have a problem with Wheedle.
- Non-Tech Manager: Sure, it's a worthy competitor, backed by someone with deep pockets to go for the long run.
- Tech Guy: Not that, but... They store passwords in plain text, instead of encrypting them before storing them in the database.
- Non-Tech Manager: How do you know this?
- Tech Guy: I registered there and just clicked "Forgot my password". The email came with my password instead of a link to reset it. It tells me the password is stored in plain text.
- Non-Tech Manager: So? That's their problem. If someone finds a vulnerability and manages to download the database contents from their server, it's their breach of privacy, not ours.
- Tech Guy: Sure. But reports tell us a good number of people reuse the same username and password on more than one site.
- Non-Tech Manager: Are you saying if someone used their same Trade Me email or username and password to register on Wheedle then a bad guy in [insert country with lots of bad guys here] could try those on Trade Me and in some cases actually gain access to accounts?
- Tech Guy: Hmmmm, yes.
- Non-Tech Manager: Holy shit, Batman!
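The dialogue hinges on one observable: a "Forgot my password" mail that contains the password proves the site can read it back, which a properly designed store cannot do. The following is an added example (not Wheedle's or Trade Me's code; the user store, token store, PBKDF2 parameters and 15-minute expiry are assumptions) of the two pieces that fix this: storing only a salted hash, and handling a reset with a single-use, expiring token instead of the password.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores for the example; a real site would use a database.
USERS = {}          # email -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # token -> (email, expiry timestamp)

PBKDF2_ROUNDS = 200_000   # assumed work factor; tune to the server's budget


def register(email, password):
    """Store a per-user random salt and the PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[email] = {"salt": salt, "hash": digest}


def verify_login(email, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    rec = USERS.get(email)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, rec["hash"])


def request_reset(email, now=None):
    """Return the token the reset link should carry, or None for an unknown address.
    Nothing here needs the old password: the site genuinely cannot mail it back."""
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    issued = now if now is not None else time.time()
    RESET_TOKENS[token] = (email, issued + 900)   # valid for 15 minutes (assumed)
    return token


def complete_reset(token, new_password, now=None):
    """Consume the token (single use), reject it if expired, then re-hash with a fresh salt."""
    entry = RESET_TOKENS.pop(token, None)
    if entry is None:
        return False
    email, expiry = entry
    current = now if now is not None else time.time()
    if current > expiry:
        return False
    register(email, new_password)
    return True
```

Whether the unknown-address path mails anything is a separate decision; the point of returning None is that the response to the user should not differ, so the reset form cannot be used to confirm which addresses are registered.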
Consider another scenario: an item is for sale on Trade Me, and a scammer armed with a third-party list of valid email addresses for the buyer could send an email pretending to be the seller, saying something like "the item didn't sell, I can offer it to you very cheap", and get the unsuspecting buyer to deposit the payment into someone else's account for laundering.
You might say no one would fall for that. Think again. People fall for simple scams all the time.
I don't know what security they have implemented server-side, but sanitizing input data on the client side only is no way to go through life:
If this is done on the client side only, then anyone interested could easily craft a local page to bypass this weak strategy and send something malicious to the server, potentially gaining access to information stored there through SQL injection.
The question that popped into my mind was "how long before Trade Me forces people logging into its site to change their passwords?". Simply put, any third-party vulnerability can affect Trade Me as an unintended consequence.
What can you do?
- If you are planning to register on any other site make sure you use a different email address, user name and password.
- If you already registered on any other site then go there now and change your email address and password.
Just do one of those two things and you will be a lot safer.
And to those on Twitter who said we shouldn't be criticising newcomers: I'm happy to support a new online marketplace in New Zealand, but security should be part of the design from day 0. I hope this is something for them to consider, and good luck in the days ahead.