Analysis: Wheedle lets you see - and change - the reserve price on someone else's auction

Wheedle is offline again this afternoon after the discovery of a jaw-dropping security hole.

Blogger and software developer Ben Gracewood tweeted instructions for a simple trick that not only lets you see the reserve price on someone else's auction, but also change it. [UPDATE: the security hole was first spotted by one of Mr Gracewood's fellow Westie geeks, @ruatara.]

NBR tried it, and successfully lowered the price on a random auction by $1 (and then back).

If you like, you can even set a Buy Now price. 
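
The article reports the effect of the hole (a logged-in user can read and change the reserve or Buy Now price on an auction they do not own) but not the request that triggers it. Whatever the request path, the server-side control that rules that effect out is an ownership check on every read and write of seller-only fields. The following is an added example, not Wheedle's code: it puts the unchecked write beside the checked one, and adds the audit a practitioner would run afterwards over a change log to find prices a non-seller touched. Every auction, user name, price and method name below is constructed for the illustration.

```python
"""Added example, not Wheedle's code. Shows an unchecked price write (the
outcome the article describes), the ownership check that prevents it, and
an audit over a per-auction change log. All data here is constructed."""
from dataclasses import dataclass, field
from typing import Optional

SELLER_ONLY_FIELDS = ("reserve_price", "buy_now_price")


class Forbidden(Exception):
    pass


@dataclass
class Auction:
    id: int
    seller: str
    reserve_price: float
    buy_now_price: Optional[float] = None
    # (actor, field, old, new) for every write; the audit below walks this.
    changes: list = field(default_factory=list)


class AuctionService:
    def __init__(self, auctions):
        self._auctions = {a.id: a for a in auctions}

    def _write(self, auction, field_name, value, actor):
        auction.changes.append((actor, field_name, getattr(auction, field_name), value))
        setattr(auction, field_name, value)

    # Unchecked form: anyone who can name the auction id may edit it.
    def update_price_unchecked(self, auction_id, field_name, value, actor):
        if field_name not in SELLER_ONLY_FIELDS:
            raise ValueError(field_name)
        self._write(self._auctions[auction_id], field_name, value, actor)

    # Checked form: the session user (actor) must be the seller of that auction.
    def update_price(self, auction_id, field_name, value, actor):
        if field_name not in SELLER_ONLY_FIELDS:
            raise ValueError(field_name)
        auction = self._auctions[auction_id]
        if actor != auction.seller:
            raise Forbidden(f"{actor} is not the seller of auction {auction_id}")
        self._write(auction, field_name, value, actor)

    def view(self, auction_id, actor):
        """Public fields for everyone; reserve and Buy Now only for the seller."""
        a = self._auctions[auction_id]
        out = {"id": a.id, "seller": a.seller}
        if actor == a.seller:
            out["reserve_price"] = a.reserve_price
            out["buy_now_price"] = a.buy_now_price
        return out

    def audit_foreign_changes(self):
        """Auctions whose seller-only fields were ever written by a non-seller."""
        return {
            a.id: [c for c in a.changes if c[0] != a.seller]
            for a in self._auctions.values()
            if any(c[0] != a.seller for c in a.changes)
        }


def demo():
    svc = AuctionService([Auction(101, "seller_a", reserve_price=50.0),
                          Auction(102, "seller_b", reserve_price=80.0)])
    # Same test the article describes, against the unchecked path: a stranger
    # lowers a reserve by $1 and then puts it back.
    svc.update_price_unchecked(101, "reserve_price", 49.0, actor="stranger")
    svc.update_price_unchecked(101, "reserve_price", 50.0, actor="stranger")
    # The checked path refuses the identical request.
    try:
        svc.update_price(102, "reserve_price", 79.0, actor="stranger")
        blocked = False
    except Forbidden:
        blocked = True
    return {
        "stranger_sees_reserve": "reserve_price" in svc.view(101, "stranger"),
        "seller_sees_reserve": "reserve_price" in svc.view(101, "seller_a"),
        "checked_path_blocked": blocked,
        "tampered_auction_ids": sorted(svc.audit_foreign_changes()),
    }


if __name__ == "__main__":
    print(demo())
```

The point of recording the actor on every write is the last line of `demo()`: once a hole like this has been open, the only way to know which prices are still trustworthy is a log that names who changed what, which is why "every price on the site is now suspect" is the right conclusion if no such log exists.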

It's a breathtaking lapse for the wannabe Trade Me rival, backed by a $10 million+ budget.

Password problem?
Wheedle has also faced multiple accusations that it handles passwords in plain text - and a backhanded jab from Trade Me, which used its official Twitter account to remind people not to use the same password for more than one website.

An ecommerce professional who did not want to be named told NBR, "My understanding is Wheedle can send your password back as 'plain text'. This doesn't necessarily mean that they're stored in plain text but they're definitely reversible.

"The wider problem here is that many Wheedle customers will use the same password on Wheedle as they will on other websites."

Mr Gracewood also weighed in on the password issue.

"I personally have had 20 odd emails with my own password in them, because someone has been spamming the password reset function," he told NBR.

"The fact that Wheedle can send me my own password is a huge problem. It means the passwords are stored with (at the very least) reversible encryption, and probably in the clear. The stories of websites being hacked to divulge passwords are many, and it's only a matter of time before Wheedle is hacked."
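
Mr Gracewood's inference is worth making concrete: a site can only e-mail you your password if it still has it in a recoverable form. The following is an added example, not Wheedle's code, contrasting a store that keeps the password recoverable (the behaviour the article's sources describe) with one that keeps only a salted scrypt hash and answers a reset request with a single-use token, so the reset mail cannot carry the password because the server no longer holds it. User names, passwords, the reset URL and all class and method names are constructed for the example.

```python
"""Added example, not Wheedle's code. A recoverable-password store beside a
hash-only store with token-based reset. All users and passwords are made up."""
import hashlib
import hmac
import os
import secrets


class ReversibleStore:
    """Keeps the raw password, so a reset handler can (and here does) mail it back."""

    def __init__(self):
        self._passwords = {}

    def register(self, user, password):
        self._passwords[user] = password

    def reset_mail(self, user):
        # The pattern the article describes: the mail body carries the password.
        return f"Your password is: {self._passwords[user]}"


class HashedStore:
    """Keeps only a salted scrypt hash; reset mails carry a short-lived token instead."""

    def __init__(self):
        self._records = {}   # user -> (salt, hash)
        self._tokens = {}    # token -> user

    @staticmethod
    def _hash(password, salt):
        # 16 MiB scrypt work factor; tune n/r/p to the login server's budget.
        return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

    def register(self, user, password):
        salt = os.urandom(16)
        self._records[user] = (salt, self._hash(password, salt))

    def verify(self, user, password):
        salt, stored = self._records[user]
        return hmac.compare_digest(stored, self._hash(password, salt))

    def reset_mail(self, user):
        # Nothing here can include the password: only the hash is stored.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = user
        return f"Reset link: https://example.invalid/reset?token={token}"

    def complete_reset(self, token, new_password):
        user = self._tokens.pop(token, None)   # single use; a replay gets None
        if user is None:
            return False
        self.register(user, new_password)
        return True


def demo():
    """Register the same credential in both stores and compare what a reset mail leaks."""
    bad, good = ReversibleStore(), HashedStore()
    bad.register("ben", "hunter2")
    good.register("ben", "hunter2")
    return {
        "reversible_mail_leaks_password": "hunter2" in bad.reset_mail("ben"),
        "hashed_mail_leaks_password": "hunter2" in good.reset_mail("ben"),
        "hashed_verify_ok": good.verify("ben", "hunter2"),
        "hashed_verify_wrong": good.verify("ben", "hunter3"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The spam of reset mails Mr Gracewood describes is harmless against the hashed store: each mail carries a fresh token and nothing else, and the token is consumed on first use.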

"It's hurting us"
Wheedle GM Carl Rees had seen Mr Gracewood's tweets, and acknowledged the security hole. 

His team was working on a fix for that and other problems. There was no need to take the site down again, he said. But shortly after he spoke to NBR, Wheedle was taken offline again - a good call, under the circumstances.

"It's a pain in the *rse. It's hurting us," Mr Rees said. 

Indian outsourcing confirmed
The GM confirmed Christchurch-based Wheedle had outsourced development work to India.

But he also told NBR that was not the problem. "We had people on the ground there," Mr Rees said. 

The problem was inadequate pre-launch testing, the GM said before politely excusing himself to get back to grappling with the site.

Pack a lunch
This morning, Wheedle was offline for two hours. 

This time, it could be a lot longer. Not only does its whole security setup have to be changed; every price on the site is now suspect, since anyone could have altered reserve or Buy Now prices while the hole was open.

At this point, Wheedle's Rich List backer Neil Graham must be wondering: should I take the whole thing offline for a few weeks of re-tooling?
 

ckeall@nbr.co.nz
