
Scrap Wheedle 'abomination' and start again - Gracewood


Trade Me rival's very genesis is offensive to the web development community, says software man.

Tue, 02 Oct 2012

Wannabe Trade Me rival Wheedle went offline early this afternoon (for the second time today), following revelations about a catastrophic security hole that let people change the pricing on other members' auctions.

Auckland software developer Ben Gracewood - a principal architect at giant Datacom and Intergen before joining Marker Metro, and the director of the Codemania conference - told NBR he hopes Wheedle won't apply some quick security fixes and then bring the site back online. If it did, he says, more security holes would be guaranteed.

"My gut feeling (after many years in the industry) is that a ground-up rewrite would be cheaper than fixing the code as it stands," says Mr Gracewood.

'Abomination'
The TVNZ and RNZ commentator doesn't hold back.

"Wheedle is an abomination," he says.

"Its very genesis is offensive to the web development community.

"The original claims of 'forty servers' and 'millions of dollars' are quite literally equivalent to me winning Lotto, buying 50 trucks, then yelling from the rooftops 'hooray I'm taking on Mainfreight'. I have no knowledge of logistics, I don't know about road user charges, and I wouldn't have the foggiest clue how to manage local distribution.

Likewise, the coders behind Wheedle don't have any idea how to build a website, Mr Gracewood says.

"On day zero (during the weekend) the site was returning random user profiles each time you refreshed. Any decent web developer would recognise this as an issue with incorrect sessions being served across multiple (of their forty) servers. That should have sent alarm bells ringing.

"But no, they forged ahead with the launch. The next faux pas was to send password reset emails in the clear. I personally have had 20-odd emails with my own password in them (because someone has been spamming the password reset function). The fact that Wheedle can send me my own password is a huge problem. It means the passwords are stored with (at the very least) reversible encryption, and probably in the clear. The stories of websites being hacked to divulge passwords are many, and it's only a matter of time before Wheedle is hacked. They should be salting and hashing passwords such that they are unreadable in the database.

"Then this morning @ruatara discovered that you can visit www.wheedle.co.nz/Search/editprice after visiting any auction, and change the price of the auction you just visited. You could lower the reserve, or set a buy now so you can win the auction immediately. This is a serious flaw.

"At this stage, Wheedle have only one course of action: shut down the site, have it audited by people that understand web development and security, and not bring it back online again until it is secure."
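The password storage Mr Gracewood calls for, as an added illustration that is not Wheedle's code nor part of the NBR article: each password is salted and hashed (PBKDF2-HMAC-SHA256 from Python's standard library is assumed here), so the database holds nothing that can be mailed back to a user, and a reset email can only carry a single-use random token.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 200_000  # assumption: illustrative PBKDF2 work factor; tune for your hardware

# Constructed in-memory "database": only salted hashes are kept, never the password itself.
USERS: dict[str, str] = {}
RESET_TOKENS: dict[str, str] = {}  # sha256(token) -> username


def hash_password(password: str) -> str:
    """Salt with 16 random bytes and derive a PBKDF2-HMAC-SHA256 hash.
    Stored as 'pbkdf2_sha256$iterations$salt_hex$hash_hex'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)


def issue_reset_token(username: str) -> str:
    """What a reset email should carry: a random one-time token, not the password.
    Only the token's hash is stored, so a leaked table yields no usable tokens."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = username
    return token


def redeem_reset_token(token: str, new_password: str) -> bool:
    """Consume the token (single use) and replace the stored hash."""
    username = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if username is None:
        return False
    USERS[username] = hash_password(new_password)
    return True


if __name__ == "__main__":
    register("ben", "correct horse battery")
    print(USERS["ben"])  # salted hash; the original password cannot be recovered from it
    tok = issue_reset_token("ben")
    print(redeem_reset_token(tok, "new passphrase"), verify_password("new passphrase", USERS["ben"]))
```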
© All content copyright NBR. Do not reproduce in any form without permission, even if you have a paid subscription.