New auction site Wheedle puts passwords at risk
By Dan Satherley
A new auction website aiming to knock TradeMe off its perch has had a disastrous first couple of days.
Not only has Wheedle.co.nz spent the better part of its first two days in business offline, but internet experts have criticised the site's lack of security and bloggers have exposed a major loophole which allows users to edit other people's auctions.
Wheedle officially launched yesterday promising lower fees than TradeMe, but visitors to the site this morning were met with a simple message: "Wheedle is down for maintenance. We will be back soon."
The company's Facebook page has been inundated with user complaints.
"Take the site off, get the problems sorted, and then put it up," wrote Craig Brown. "It's a bit like a shop that advertises TV's, then when you go to the shop, you find they don't sell TV's [sic]."
"I'm sticking to Trademe while you guys sort the glitches out," wrote Dominic Durrant.
There have also been complaints the site has serious privacy flaws. Twitter user @simantics said he tried to recover his Wheedle password, and it was emailed to him in plain text, without encryption.
Another Twitter user noted users' passwords were stored unencrypted in a cookie (a file stored on a user's computer so the website recognises them the next time they log in).
"Security 101 right out the door," wrote @ACooperNZ.
Netsafe chief technology officer Sean Lyons said his organisation would never recommend storing passwords without encryption.
"The problem with that is that if I have some smarts about me, and the website has some security weaknesses, then I can potentially write a little script that nuts into the website somewhere, and pulls out some of that data or gives me access to the database," says Mr Lyons.
"If suddenly my username and password, and probably my email address are freely available to people, that means my Wheedle account is open and vulnerable, so someone could log in as me and do all sorts of things, as we know they do with online trading sites – false auctions, try and get money out of people, buy stuff and then do return fraud, all those kinds of things."
Mr Lyons says people often use the same passwords on many websites, meaning if a hacker had your Wheedle password, there's a good chance they could also get into your email and Facebook account.
"Had my website had encrypted passwords, I'm pretty much in possession of a list of email addresses and names, and I'm no further forward in my pursuit of someone's identity and using it for fraudulent purposes."
So why would Wheedle decide to store users' passwords without encryption? No one from Wheedle could be reached for comment, but Mr Lyons says it saves time when you forget your password: the site can simply email it to you, which a site that uses encryption cannot do. Instead, your password has to be reset and a temporary one emailed to you, and then you have to change that temporary password to something else.
"Some people think that level of annoyance is enough to put people off, and that's the last thing you want to do," says Mr Lyons, but it's not worth the risk.
He isn't sure whether it was an oversight or a deliberate choice not to use encryption.
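As an added illustration of the design Mr Lyons describes (this is not code from Wheedle or from the article), the following Python sketch stores only a salted PBKDF2 hash of each password and handles a forgotten password with a single-use, expiring reset token rather than emailing the password back. The in-memory user store, round count and token lifetime are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores for the demo; a real site would use a database.
USERS = {}          # email -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) -> (email, expiry timestamp)
PBKDF2_ROUNDS = 200_000
TOKEN_TTL = 15 * 60  # reset tokens live 15 minutes (assumed value)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the plaintext is never stored anywhere."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def register(email, password):
    salt, digest = hash_password(password)
    USERS[email] = {"salt": salt, "hash": digest}


def verify(email, password):
    rec = USERS.get(email)
    if rec is None:
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["hash"])  # constant-time compare


def request_reset(email, now=None):
    """Return a one-time token to email to the user. Only its hash is kept, so a
    leaked token table cannot be used to take over accounts."""
    if email not in USERS:
        return None  # the caller should still respond identically to the user
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[key] = (email, (now or time.time()) + TOKEN_TTL)
    return token


def complete_reset(token, new_password, now=None):
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)  # pop: a token works at most once
    if entry is None:
        return False
    email, expires = entry
    if (now or time.time()) > expires:
        return False
    register(email, new_password)  # stores a fresh salt and hash
    return True
```

Because only the hash is stored, a stolen user table (or cookie) yields no passwords to replay on other sites, which is exactly the reuse risk Mr Lyons warns about.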
Another major security problem Wheedle has is that anyone can see – and change – the reserve price of any auction.
Tech blogger Ben Gracewood posted the instructions on his Twitter page. The hack was confirmed to work by 3 News and the National Business Review.
Not only can you change the reserve of any auction, but also its Buy Now price.
Last week Wheedle managing director Carl Rees claimed the site had "huge" infrastructure, including 40 servers located in Auckland, and a "multimillion-dollar war chest".
"This is a frustrating time for us all at Wheedle, as we have experienced a massive member uptake and the interest in our site is growing," general manager Carl Rees told the NBR.
"We are only human and we have made some mistakes."
He says the problems have not been caused by a lack of infrastructure, but a "back-end coding problem". The company has 10 staff in Christchurch and 12 in India, developing the software.
Mr Lyons said outsourcing to India probably wasn't behind the site's security issues.
Other problems reported with the site include not being able to hit enter to search and being unable to upload images when using the popular Firefox browser.
3 News has called Wheedle several times since last week, but has been unable to reach Mr Rees for comment.
Another site, listselltrade.co.nz, is set to enter the market on Thursday.
source: newshub archive