Member log in

Wheedle lets you see - and change - the reserve price on someone else's auction

Wheedle is offline again this afternoon after the discovery of a jaw-dropping security hole.

Blogger and software developer Ben Gracewood tweeted instructions on a simple trick that not only lets you see the reserve price on someone else's auction, but change the reserve price [UPDATE: the security hole was first spotted by one of Mr Gracewood's fellow Westie geeks @ruatara.]

NBR tried it, and successfully lowered the price on a random auction by $1 (and then back).

If you like, you can even set a Buy Now price. 

It's a breathtaking lapse for the wannabe Trade Me rival, backed by a $10 million+ budget.

Password problem?
Wheedle has also faced multiple accusation it's using low-level plain text password security - and a backhanded jab from Trade Me, which used its official Twitter account to remind people not to use the same password for more than one website.

An ecommerce professional who did not want to be named told NBR, "My understanding is Wheedle can send your password back as "plain text". This doesn't necessarily mean that they're stored in plain text but they're definitely reversible.

"The wider problem here is that many Wheedle customers will use the same password on Wheddle as they will on other websites."

Mr Gracewood also weighed in on the password issue.

"I personally have had 20 odd emails with my own password in them, because someone has been spamming the password reset function," he told NBR.

"The fact that Wheedle can send my my own password is a huge problem. It means the passwords are stored with (at the very least) reversible encryption, and probably in the clear. The stories of websites being hacked to divulge passwords are many, and it's only a matter of time before Wheedle is hacked."

"It's hurting us"
Wheedle GM Carl Rees had seen Mr Gracewood's tweets, and acknowledged the security hole. 

His team was working on a fix for that and other problems. There was no need to take the site down again he said. But shortly after he spoke to NBR, Wheedle was taken offline again - a good call, under the circumstances.

"It's a pain in the *rse. It's hurting us," Mr Rees said. 

Indian outsourcing confirmed
The GM confirmed Christchurch-based Wheedle had outsourced development work to India.

But he also told NBR that was not the problem. "We had people on the ground there," Mr Rees said. 

The problem was inadequate pre-launch testing, the GM said before politely excusing himself to get back to grappling with the site.

Pack a lunch
This morning, Wheedle was offline for two hours. 

This time, it could be a lot longer. Not only does its whole security setup have be changed. Every price on the site is now suspect.

At this point, Wheedle's Rich List backer Neil Graham must be wondering: should I take the whole thing offline for a few weeks of re-tooling?

More by this author

Comments and questions

Or if you can't be bothered to do that, Just pass the buy now price through the params

"re-tooling"?! My advice would be to abandon the existing codebase.

Why must we continually refer to him as a "rich list" backer?

"The problem was inadequate pre-launch testing, the GM said. "

This is false. The problem is an inadequate development team. You shouldn't have to spell out things like no plain text passwords in non functional requirements. If you do your looking at bellow average incompetent team.

Storing passwords in plain text is not "inadequate pre-launch testing", it is a fundamental platform issue. With all of the very well publicized password hacks (LinkedIn, etc.) there is no excuse for launching a new site with plain text passwords. Their people on the ground must not be of a standard to build a modern e-commerce website.

Quite frankly, storing passwords in clear text is the least of their worries. Being able to SET the BuyNow price using a QueryString is rather shocking to say the least!

Right - But it is indicative of the general standard of their dev team. It may not be the worst of their problems but it is a basic one which they should have got right.

Somewhere in Bangalore, a seventeen year old coder is being horsewhipped by a middle manager.

you'd hope its a 17 year old, and not a 10 year old :)

Being able to change the reserve price on somebody else's auction is an excellent feature. I will be signing up for Wheedle ASAP

It's all perfectly clear to me now....

This isn't failure.

This is the killer app functionality that TradeMe was missing!

Changing the reserve to something the purchaser can immediately buy on is fantastic!

I hope they launch their IPO on the same basis.

"The problem was inadequate pre-launch testing, the GM said."

He got that bit right. But equally, the security design was obviously inadequate or it would surely have been tested. Which makes for suspicions that ad hoc emergency fixes will still leave a vulnerable mess.

As others have already said, if the GM believes the problem is simply "inadequate pre-launch testing", then they obviously have significantly bigger issues than simply storing our passwords as plain text in cookies.

Yeah, they need to scrap and start again. This is not fixable. Obviously they had no IT expertise and completely relied on their team in India. But as they don't have that IT expertise, they still think it's fixable. Just a few bugs. The normal thing.

This delivery will be be the annals of IT ecommerce history.

For those not building IT systems for a living: imagine a sky scraper build from cardbox box and when people complain the floor starts dropping, the owner says: we'll just have to screw in a few extra beams.

"The problem was inadequate pre-launch testing, the GM said. " And who decided to go ahead with inadequate pre-launch testing? Who decided to make important decisions about launching based on inadequate information? That translates to "The problem was inadequate pre-launch management."

Is there a facility to post my credit card details on the Wheedle site so it can be retained as a Google searchable unencrypted numeric string? Because I keep forgetting my credit card number and being able to easily Google it would be nice.

Just scored myself a 42" LED TV for $1.00. Trademe cant be these kind of deals!

Someone, and I don't know who, needs to convince Wheedle to STOP now. If they believe that inadequate testing was to blame for this it just highlights that they are entirely lacking the right staff for this project.

These issues (plaintext passwords, client-side input sanitisation, param injection, authentication role role issues) are ALL design problems. They are NOT bugs that have slipped in, they are the result of negligent design.

Wheedle continuing to operate with this codebase and without proper oversight by a suitably skilled expert is putting it's buyers and sellers at risk. They are CLEARLY out of their depth and patching holes as they are discovered is irresponsible at best.

I'm thinking of introducing a much simpler platform for buyers & sellers and am hoping to attract a 'rich list backer' as well - it's called FaxMe.
Any takers?

They were trying to save money getting it done in India. And in fact, the complete opposite has happened - they've been delivered complete rubbish and now their reputation is in tatters. Well surprise surprise. I'm glad it's hurting them. Had they supported their own local engineering community, they would have paid more initially, but by now they'd be sitting pretty. Clearly "having people on the ground" had no impact whatsoever. Clearly they hadn't bothered reading the hundreds of horror stories about outsourcing. Clearly from the top down it's an embarrassing display of total incompetence.

This disaster started way before the outsourced dev effort. Somebody designed this bad from the get-go, and then nobody audited or tested what was built.

Can't blame the Indians for this kiwi made design/management fiasco.

I wasn't blaming the Indians. Read my post properly. I was blaming the Kiwis for outsourcing to India. Had this been built by a Kiwi team, there's no way they would've launched with these laughable technical implementations. An Indian development team will just do as asked. A Kiwi development team will do the job properly.

Oh Snap

another to the list... what were you saying about Indians if you weren't blaming them?

Sam Morgan certainly got it right when he labelled Wheedle "a joke". Bet he is regretting apologising for the statement now!

They should have hired a proper QA team, not farmed it out to production-line tester drones in Mumbai. With their budget I could have functionally tested it properly, have a fully automated regression pack in place for new builds and performance-tested it to boot. Schoolboy errors.

This disaster was created back at the design stage, not at testing.

Outsourced development to India - how long will it take for so called hi-tech companies to learn this painfull lesson. Pull it now and build it onshore, it will cost 3x less in the long run, just ask Vodafone, Telecom, Alcatel etc.

Couldn't agree more - fixing Indian software is not fun. It poorly written, poorly commented and usually has more security holes than Swiss cheese.

Software development is both an art and science.

Buyer beware - when you outsource software development its not like outsourcing bath toy production.

Would they ship out 500 Indians to build their head office?
Of course not cause it would look like crap and fall over but laughably they rely on an Indian dev team to build their business infrastructure. Learning the hardway since ages ago, no sympathy here.

There are perfectly good, long experienced Indian development teams like Tata. And there are lots of others.

But the big error is to think you can outsource your core competency for this business: website design, development and operation. They need highly competent and experienced IT management and obviously don't have it.

there are plenty of corruption stories about india, but also success stories. Tata ended up buying Jaguar and Land Rover. So just because its indian doesn't necessarily make it cr*p.

Just need to be extra careful finding the right team. Building onshore is much easier/reliable though.

All those having trouble with Wheedle are hereby invited to use my own simple, Selling and Buying site called SellBuyNet (

Its all free and (let me know otherwise) it actually works! Furthermore, it has been developed and is being maintained exclusively by Kiwis. The only "foreign" bit is that it is being hosted in the USA. That's because the Yanks give a MUCH better deal for web hosting than anyone here.

But, again, everything else about it is Kiwi. Have a look.

One of the reasons eBay failed was due to slower speeds and poorer usability due to offshore hosting.
Another one was lack of local dev or content.

But ultimately they just didn't have the listings, so didn't get the network effect.


1) Yes, the listings problem is the ultimate Catch 22 but we are hoping to attract niche groups in whatever category they may want to "adopt".

2) We are certainly ticking the "local development and content" boxes.

3) I think eBay also failed because they first took their time "discovering" Australia and then took even more time "discovering" New Zealand. I remember trying to register with and being asked which "State" I was in and then being "pinged" on having only 4 numbers in my "Zip" code. I finally managed to hack my way around it all but most Kiwis didn't and were probably glad when TradeMe offered a site that knew where Eketahuna was. So it took off. Mind you, Trade and Exchange was already there but they were, at the time, delaying a week between the printed and online versions, which presented TradeMe with a crucial "intercept try".

Are the HTML tables kiwi?

These sound like design and architecture flaws, not testing. You shouldn't be sorting out these issues in QA.

you would think they would have employed a software security company to do some external scanning as well

Even 'cheap' coders out of India can come up with good code if the development spec is well written and understandable to each party. Local management naivety and inexperience is to blame here.

TradeMe won't ever be seriously threatened - marketing 101, "Regardless of reality, people perceive the first product into the mind (sic) as superior. Marketing is a battle of perceptions, not product", Jack Trout, law number one in his book "The 22 Immutable Laws of Marketing" 1993.

Paying the developers in India NZ$15-27,000/yr can't be helping. What's the old saying? "You pay peanuts, you get..."

Weedle is a low-tier poison-type anyway, sounds like they need a 'project kakuna' to *harden* up a bit before they even start bedrill-ing away at trademe

But yeah, these are fundamental systemic issues typical of totally inexperienced developers. Not a testing issue.

no media outlet has pointed out that when a item sold on wheedle, i got email from wheedle saying sold. but no where is there any details to contact the buyer. no email, no links, nothing, their privacy page states they will never sell or hand out any members details, email , contact details etc.. good on privacy which trade me lacks, but i got now 2 sold items, and no sale. whats the point of a buy/sell site if the buyer/seller can contact the other party. i cant be the only 1 to come across this flaw. i never heard back from dominion post when i reported it.

“The problem was inadequate pre-launch testing” GM

Yet again another project that doesnt have a Test Engineer on the staff.
You cannot tack quality on at the end - QA must be in the Design, Implementation and Audit phases.

“I written the all the code, it works perfectly, it just has to be tested.” - should be a Tui's advert