My window to the world

Trade Me’s security problem: Wheedle

By Mauricio Freitas, in , posted: 1-Oct-2012 13:13

Just last week we found out someone is bringing big guns to a fight, as Stuff told us Neil Graham was starting an online marketplace business to compete with the one and only Trade Me.

The new web site, called Wheedle wasn't ready for prime time yet when it was first mentioned online and after a few hours of hiccups it was taken offline until its official launch date, 1st October 2012.

In the brief moments the site was up (and down) Geekzone members started reporting some of the bugs around the site (and here as well). The discussion listed simple things such as listings showing completely unrelated images, to a bit more disturbing problem: pages showing someone else's user names and information.

It is great to see since then the mixed up identities problem seems to have been fixed, but other things popped up.

Right now I can imagine some Trade Me folks talking around a whiteboard:

  • Tech Guy: We have a problem with Wheedle.
  • Non-Tech Manager: Sure, it's a worthy competitor, backed by someone with deep pockets to go for the long run.
  • Tech Guy: Not that, but. . . They store their password in plain text, instead of encrypting it before storing in the database.
  • Non-Tech Manager: How do you know this?
  • Tech Guy: I registered there and just clicked the "Forgot my password". The email came with my password instead of link to reset it. It tells me the password is stored in plain-text.
  • Non-Tech Manager: So? That's their problem. If someone finds a vulnerability and manage to download database contents from their server it's their breach of privacy, not ours.
  • Tech Guy: Sure. But reports tells us a good number of people reuse the username and passwords in more than one site.
  • Non-Tech Manager: Are you saying if someone used their same Trade Me email or username and password to register on Wheedle then a bad guy in [insert country with lots of bad guys here] could try those on Trade Me and in some cases actually gain access to accounts?
  • Tech Guy: Hmmmm, yes.
  • Non-Tech Manager: Holy shit, Batman!

We can use another scenario: there is something for sale on Trade Me, and armed with a third party list of valid emails addresses for the buyer a scammer could send out an email pretending to be the seller on Trade Me, saying something like "the item didn't sell, I can offer to you very cheap" and then get the unsuspecting buyer to deposit the payment into someone else's account for laundering.

You might say no one would fall for that. Think again. People fall for simple scams all the time.

I don't know what security they have implemented server-side, but sanitizing input data on the client side is no way to go on life:

If this is done on the client side only, then anyone with interest could easily craft a local page to bypass this weak strategy and send something malicious to the server, potentially gaining access to information stored there through SQL Injections.

The question that popped in my mind was "how long before Trade Me" forces people logging into their site to change their passwords?". Simply put, any third party vulnerability can affect Trade Me as an unintended consequence.

What can you do?

  1. If you are planning to register on any other site make sure you use a different email address, user name and password.
  2. If you already registered on any other site then go there now and change your email address and password.

Just do one of those two things and you will be a lot safer.

And for those on Twitter who said we shouldn't be criticising newcomers. I'm happy to support a new online marketplace in New Zealand but security should be part of design since Day 0. I hope this is something for them to consider, and good luck the days ahead.

UPDATE: just found out that Whedle also use cookies to store plain text username and password for the duration of a session. While cookies are not a problem, storing this in plaintext on anyone's computer could allow spyware to download the credentials from a user's computer, without even have to break into Wheedle's servers. Screenshot by @CooperNZ:

Other related posts:
Google crawling Geekzone HTTPS
Geekzone gone full HTTPS
Google Chrome cache performance

comments powered by Disqus

freitasm's profile

Mauricio Freitas
New Zealand

I live in New Zealand and my interests include mobile devices, good books, movies and food of course! 

I'm the Geekzone admin. On Geekzone we publish news, reviews and articles on technology topics. The site also has some busy forums. Also worth visiting is TravelTalk NZ, a community for travelers!

Subscribe now to my blog RSS feed or the Geekzone RSS feed.

If you want to contact me, please use this page or email me Note this email is not for technical support. I don't give technical support. You can use our Geekzone Forums for community discussions on technical issues.

Here's is my full disclosure post.

A couple of blog posts you should read:

Find more about Business Transformation | Enterprise Content Management | Customer Relationship Management

Social networks presence

View Mauricio Freitas's profile on LinkedIn

My Blog by tags...

State of Browsers...
Viral Marketing...
Web Performance Optimization...
Windows Phone...

Other recent posts in my blog

Google crawling Geekzone HTTPS...
Geekzone gone full HTTPS...
Microsoft Ignite New Zealand, ...
If the headlines indicate the ...
Geekzone data analytics with P...
State of browsers Geekzone Mar...
2Cheap Cars discussion...
Now with more fibre...
Unlimited is not unlimited: Vo...
How bad is Vodafone cable at t...

New posts on Geekzone