Wheedle offline after struggles
Tue, 02 Oct 2012 11:50a.m.
By Dan Satherley
A new auction website aiming to knock TradeMe off its perch has had a disastrous first couple of days.
Not only has Wheedle.co.nz spent the better part of its first two days in business offline, but internet experts have criticised the site's lack of security and bloggers have exposed a major loophole which allows users to edit other people's auctions.
Wheedle officially launched yesterday promising lower fees than TradeMe, but visitors to the site this morning were met with a simple message: "Wheedle is down for maintenance. We will be back soon."
The company's Facebook page has been inundated with user complaints.
"Take the site off, get the problems sorted, and then put it up," wrote Craig Brown. "It's a bit like a shop that advertises TV's, then when you go to the shop, you find they don't sell TV's [sic]."
"I'm sticking to Trademe while you guys sort the glitches out," wrote Dominic Durrant.
There have also been complaints that the site has serious privacy flaws. Twitter user @simantics said he tried to recover his Wheedle password, and it was emailed to him in plain text. A site can only do that if it keeps the password itself (or a reversibly encrypted copy of it) rather than a one-way hash, which is what it would need in order to send the original back.
Another Twitter user noted that users' passwords were stored unencrypted in a cookie (a small piece of data the site stores in the user's browser, which the browser sends back with every later request so the site recognises them), meaning the password sits on disk on the user's computer and is resent on each page load.
"Security 101 right out the door," wrote @ACooperNZ.
Netsafe chief technology officer Sean Lyons said his organisation would never recommend storing passwords without encryption.
"The problem with that is that if I have some smarts about me, and the website has some security weaknesses, then I can potentially write a little script that nuts into the website somewhere, and pulls out some of that data or gives me access to the database," says Mr Lyons.
"If suddenly my username and password, and probably my email address are freely available to people, that means my Wheedle account is open and vulnerable, so someone could log in as me and do all sorts of things, as we know they do with online trading sites – false auctions, try and get money out of people, buy stuff and then do return fraud, all those kinds of things."
Mr Lyons says people often use the same passwords on many websites, meaning if a hacker had your Wheedle password, there's a good chance they could also get into your email and Facebook account.
"Had my website had encrypted passwords, I'm pretty much in possession of a list of email addresses and names, and I'm no further forward in my pursuit of someone's identity and using it for fraudulent purposes."
So why would Wheedle store users' passwords in a recoverable form? No one from Wheedle could be reached for comment, but Mr Lyons says it saves time when you forget your password: the site can simply email it to you. A site that keeps only a one-way hash of each password cannot do that, because the hash cannot be turned back into the password. Instead your password has to be reset, a temporary one emailed to you, and you then have to change that temporary password to something else.
"Some people think that level of annoyance is enough to put people off, and that's the last thing you want to do," says Mr Lyons, but it's not worth the risk.
He isn't sure whether it was an oversight or a deliberate choice not to use encryption.
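The two safer choices implied by the passages above, hashing rather than storing the password and mailing a temporary credential rather than the password, together with a session cookie that holds a random identifier instead of the password, shown as an added example. This is not Wheedle's code; the in-memory dicts, function names and the 15-minute token lifetime are assumptions standing in for a real user table and web handlers, and it uses only the Python standard library.

```python
"""Password storage that cannot hand the password back, plus the reset flow that
replaces "we emailed you your password" and a cookie value that is not the password.

Added example for this article, not Wheedle's code: USERS and SESSIONS are in-memory
dicts standing in for a database, and the functions stand in for web handlers.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# PBKDF2-HMAC-SHA256 iteration count. OWASP's current guidance is 600,000; treat it as tunable.
PBKDF2_ITERATIONS = 600_000
RESET_TOKEN_TTL_SECONDS = 15 * 60  # assumption: reset links stop working after 15 minutes

USERS: Dict[str, dict] = {}     # username -> {"salt", "hash", "reset"}
SESSIONS: Dict[str, str] = {}   # opaque session id -> username


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str) -> None:
    """Keep a random per-user salt and the one-way hash; the password itself is never stored."""
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt), "reset": None}


def verify_login(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        _hash_password(password, b"\x00" * 16)  # same cost for unknown users; don't leak who exists
        return False
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))


def issue_session(username: str) -> str:
    """The cookie value: a random identifier that maps to the user server-side.

    It carries no password, so a stolen or logged cookie gives up nothing reusable
    on other sites, and it can be revoked simply by deleting the entry.
    """
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = username
    return session_id


def start_reset(username: str, now: Optional[float] = None) -> Optional[str]:
    """Create a short-lived, single-use reset token; the caller emails the token, never a password.

    Only a hash of the token is stored, so a dump of the user table does not yield live reset links.
    Returns None for unknown users; the web layer should reply "check your email" in both cases.
    """
    rec = USERS.get(username)
    if rec is None:
        return None
    token = secrets.token_urlsafe(32)
    expiry = (time.time() if now is None else now) + RESET_TOKEN_TTL_SECONDS
    rec["reset"] = (hashlib.sha256(token.encode("utf-8")).digest(), expiry)
    return token


def complete_reset(username: str, token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Set a new password if the token matches and has not expired; the token is consumed on success."""
    rec = USERS.get(username)
    if rec is None or rec["reset"] is None:
        return False
    token_hash, expiry = rec["reset"]
    if (time.time() if now is None else now) > expiry:
        rec["reset"] = None
        return False
    if not hmac.compare_digest(token_hash, hashlib.sha256(token.encode("utf-8")).digest()):
        return False  # wrong token; rate limiting of guesses belongs in the web layer
    rec["reset"] = None  # single use
    salt = secrets.token_bytes(16)
    rec["salt"], rec["hash"] = salt, _hash_password(new_password, salt)
    return True


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print("login ok:", verify_login("alice", "correct horse battery staple"))
    token = start_reset("alice")  # this token, not a password, is what goes in the email
    print("reset ok:", complete_reset("alice", token, "a new passphrase"))
    print("token reusable:", complete_reset("alice", token, "again"))  # False: already consumed
    print("cookie value:", issue_session("alice"))
```

The reset still costs the user one extra step, which is the annoyance Mr Lyons describes, but it is the only step that a leaked database or cookie cannot shortcut: the table holds salts, hashes and token hashes, none of which can be replayed as a login.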
Another major security problem is that anyone can see, and change, the reserve price of any auction: the site does not check that the person editing an auction is the seller who listed it.
Tech blogger Ben Gracewood posted the instructions on his Twitter page. The hack was confirmed to work by 3 News and the National Business Review.
Not only can you change the reserve of any auction, but also its buy-now price.
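A flaw of that shape is, in web-security terms, a missing object-level authorisation check: the server looks up whatever auction id the request names and updates it without confirming the logged-in user owns it. The following is an added example, not Wheedle's code; the auction records are constructed, and the functions stand in for web handlers, with `session_user` meaning whoever the session cookie identifies. It shows the broken pattern next to the fix, and the matching read-side rule that keeps the reserve visible to the seller only.

```python
"""Missing object-level authorisation on auction edits, and the fix.

Added example, not Wheedle's code. AUCTIONS is a constructed in-memory table;
the functions stand in for HTTP handlers that receive the auction id from the request.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Auction:
    auction_id: int
    seller: str
    title: str
    reserve: int            # cents; private to the seller
    buy_now: Optional[int]  # cents; public
    current_bid: int = 0


class Forbidden(Exception):
    """Raised when the caller may not edit the requested auction."""


AUCTIONS = {
    101: Auction(101, "seller_a", "Mountain bike", reserve=50_000, buy_now=80_000),
    102: Auction(102, "seller_b", "Laptop", reserve=120_000, buy_now=None),
}


def update_auction_insecure(session_user: str, auction_id: int,
                            reserve: Optional[int] = None, buy_now: Optional[int] = None) -> Auction:
    """The broken pattern: trust the id in the request and never ask who owns the record."""
    auction = AUCTIONS[auction_id]  # any logged-in user can name any id
    if reserve is not None:
        auction.reserve = reserve
    if buy_now is not None:
        auction.buy_now = buy_now
    return auction


def update_auction(session_user: str, auction_id: int,
                   reserve: Optional[int] = None, buy_now: Optional[int] = None) -> Auction:
    """The fix: ownership is read from the stored record, never from anything the client sent."""
    auction = AUCTIONS.get(auction_id)
    if auction is None or auction.seller != session_user:
        # One response for "not yours" and "does not exist", so ids cannot be enumerated via error text.
        raise Forbidden(f"auction {auction_id} is not editable by {session_user}")
    for value in (reserve, buy_now):
        if value is not None and (not isinstance(value, int) or value < 0):
            raise ValueError("prices must be non-negative integer cents")
    if reserve is not None:
        auction.reserve = reserve
    if buy_now is not None:
        auction.buy_now = buy_now
    return auction


def view_auction(session_user: Optional[str], auction_id: int) -> dict:
    """Public view of an auction; the reserve itself is returned only to the seller."""
    auction = AUCTIONS[auction_id]
    data = {
        "auction_id": auction.auction_id,
        "title": auction.title,
        "buy_now": auction.buy_now,
        "current_bid": auction.current_bid,
        "reserve_met": auction.current_bid >= auction.reserve,
    }
    if session_user == auction.seller:
        data["reserve"] = auction.reserve
    return data


if __name__ == "__main__":
    print(update_auction_insecure("attacker", 101, reserve=1).reserve)  # 1: anyone can edit
    AUCTIONS[101].reserve = 50_000
    try:
        update_auction("attacker", 101, reserve=1)
    except Forbidden as exc:
        print("blocked:", exc)
    print(view_auction("attacker", 101))   # no "reserve" key
    print(view_auction("seller_a", 101))   # includes "reserve"
```

The check has to live in the server-side handler; hiding the edit form for other people's auctions in the page does nothing, because a request can be sent without the page, which is exactly what the posted instructions relied on.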
Last week Wheedle managing director Carl Rees claimed the site had "huge" infrastructure, including 40 servers located in Auckland, and a "multimillion-dollar war chest".
"This is a frustration time for us all at Wheedle, as we have experienced a massive member uptake and the interest in our site is growing," general manager Carl Rees told the NBR.
"We are only human and we have made some mistakes."
He says the problems have not been caused by a lack of infrastructure, but a "back-end coding problem". The company has 10 staff in Christchurch and 12 in India, developing the software.
Mr Lyons said outsourcing to India probably wasn't behind the site's security issues.
Other problems reported with the site include not being able to hit enter to search and being unable to upload images when using the popular Firefox browser.
3 News has called Wheedle several times since last week, but has been unable to reach Mr Rees for comment.
Another site, listselltrade.co.nz, is set to enter the market on Thursday.
3/10/2012 12:36:59 p.m.
Here's hoping "to do a Wheedle" becomes a way to describe succeeding brilliantly after first failing abysmally.
3/10/2012 10:17:58 a.m.
george mear wrote:
Keep it up. They have had their own way far too long. I will wait.
2/10/2012 6:06:29 p.m.
Yeah they've made some mistakes but we should be encouraging startups like this. Trademe has the monopoly and ripoff prices.. Competition is healthy!
2/10/2012 3:40:09 p.m.
Actually, passwords can be stored using reversible encryption, which means the password can be decrypted by using the correct decryption key...
2/10/2012 1:03:56 p.m.
My site in development will be learning from these idiots' mistakes.
Copyright © 2013 MediaWorks TV. All Rights Reserved.