Wheedle shuts down to fix security flaws

TradeMe competitor falters at first hurdle due to lack of software testing

Wheedle, which launched yesterday as a competitor to online auction site Trade Me, has gone into maintenance mode once again to fix several security and process flaws with its website.

An announcement sent out by Wheedle's managing director Carl Rees this afternoon says the site is closed for "a thorough update of its systems and processes".

"Operating issues were identified and our determination to ensure we can provide a level of service we are satisfied with means that we have elected to close the site until we can complete a comprehensive audit of our systems and make the necessary improvements," says Rees.

Wheedle experienced its first technical hiccup yesterday morning when its site was down for maintenance on the launch day.

It soon came to the attention of early adopters that users can have their passwords emailed to them in plain text. While this does not necessarily mean the passwords aren't encrypted at the database level, it does mean the encryption could be reversible.

Today the site was down for further temporary maintenance, when it was discovered that the reserve price and buy now prices of auctions could be tampered with by users other than the auctioneer.


Rees told The NBR that the entire saga has damaged Wheedle's brand.

"It's a pain in the arse. It's hurting us," says Rees.

Rees says the development of the Wheedle website was outsourced to developers in India, but maintains that was not the problem as staff were overseeing the development there.

Rees told the NBR that the problem was simply due to the deadliest of programming sins, a lack of testing.

Trade Me is a part of Fairfax Media, which publishes Computerworld.

Comments
Wheedle brandname is now linked to bad security...
Security wasn't part of the spec, period. Any sec analyst worth their salt would have identified these kinds of issues before coding even started.
Posted by Anonymous at 0:05:55 on October 4, 2012

Not necessarily bad programming
The best a programmer can ever do is 100% faithfully deliver software to the specification. The best someone writing the specification can ever do is 100% faithfully deliver the requirements. So the first area of problem is somewhere in (i) requirements not understood (ii) requirements not correctly translated into specs (iii) dodgy programming.

With (iii) you get 'object is null' and 'data parameter type mismatch' type errors splattered all over your web page. We're not getting those so it is (i) or (ii) i.e. looks like a trainee analyst that didn't understand the subject matter.

The test programme will be over quality of the development - did India deliver programs to spec? I have found Indian development to be precise to the spec - they are generally on a fixed price and deliver nothing in addition to the spec - so you had better hope the spec is right. If the spec didn't say to lock down the 'edit buy now price' function they won't have done this.

My guess is the Indians delivered exactly what they were asked to - nothing more, nothing less - and this is simply a situation of a system designed by someone new to the area. Kind of like designing high-rise buildings in Christchurch; you can't blame the guys that mixed the concrete.

Either that, or it was built to a budget.
Posted by Anonymous at 15:52:30 on October 3, 2012

Not necessarily bad programming
It's entirely possible to build a website that doesn't throw exceptions, but is still incompetently put together. This debacle of a website is clearly written by people who just have *no clue* about anything to do with security, user experience, etc, etc.

These are core skills of a competent developer. To have this site launched without these things being considered is proof that the developers *are* in fact incompetent.
Posted by Mark L at 9:43:25 on October 4, 2012

Not necessarily bad programming
If you hire programmers that can do nothing else than follow a spec, then you'll get a very poor result. You want to hire programmers who have a business brain, who can work with the other members of their team to highlight issues, work out a better way of doing things, and deliver something fantastic. People who just unquestioningly follow specs aren't that type of person. If a programmer ever gave me an excuse that they were just following a spec when they knew something was amiss, they'd be sacked. It's called malicious compliance.
Posted by Anonymous at 18:02:02 on October 3, 2012

Truckies Building Web Applications?
This is another example of where someone who was very successful in one field (Freighting) comes unstuck when they try to enter something completely different (Web Applications).
Posted by Anonymous at 10:21:04 on October 3, 2012

Should have tested it more, that would have "fixed" it ...
Sorry, this is not a problem with testing, this is simple ignorance of web security. The problems shown today cut to the bone of the system. These are only the things on the surface, if they can't get them right how could they possibly get the auction process right.

These problems will not take days to fix, more like weeks or months... but they will be back earlier than that... and people will be ready to point out newly found flaws... site down again.

Outsourcing or otherwise these guys have no clue, all trust is lost.

Wanted this to succeed but after this poor show so early on I highly doubt it.
Posted by MAT at 22:50:35 on October 2, 2012

Should have tested it more, that would have "fixed" it ...
I agree completely. This is not a problem with testing, but poor solution architecture. The amount of organisations storing passwords in plain text is a real worry.

This is software 101.
Posted by Jeff at 14:16:48 on October 3, 2012

Should have tested it more, that would have "fixed" it ...
Testing isn't mentioned at all in the article. They talk about a 'full audit', by which I assume they mean, among other things, a design review and a security assessment.

You're still right though, this isn't about bad testing. It's about bad requirements specification, naive design and poor project oversight.

The coders in India could be CMM Level 5 for what it's worth, but if the requirements, design and governance were "Made in New Zealand" that means they're no doubt tainted by the ridiculous "Number 8 Wire" and "She'll be right" attitudes that are destroying our industry.
Posted by Anonymous at 9:23:44 on October 3, 2012

Should have tested it more, that would have "fixed" it ...
Aah, just saw the testing line in the article. I retract my opening line ;)

I guess Mr Rees strikes me as poorly-qualified, poorly-experienced or poorly-informed. Or perhaps a mixture.
Posted by Anonymous at 9:26:32 on October 3, 2012

Writeoff
Presumably this software development can all be written off as a tax loss in a couple of months' time.
Posted by Taxpayer at 20:06:45 on October 2, 2012
