Wheedle is offline again and, in a double whammy, a blogger has posted instructions that he said let people change the reserve price of other members’ auctions.
NBR said it had tested and confirmed the fault, reported by a blogger, by changing and then resetting the price of one “random” auction.
Wheedle have announced they have gone offline to do an audit. They needn’t bother reopening. You only get one chance to make a good first impression.
Allowing others to change the reserve price!!!
NBR quotes Ben Gracewood:
The TVNZ and RNZ commentator doesn’t hold back.
“Wheedle is an abomination,” he says.
“Its very genesis is offensive to the web development community.
“The original claims of “forty servers” and “millions of dollars” are quite literally equivalent to me winning Lotto, buying 50 trucks, then yelling from the rooftops “hooray I’m taking on Mainfreight”. I have no knowledge of logistics, I don’t know about road user charges, and I wouldn’t have the foggiest clue how to manage local distribution.
Likewise, the coders behind Wheedle don’t have any idea how to build a website, Mr Gracewood says.
“On day zero (during the weekend) the site was returning random user profiles each time you refreshed. Any decent web developer would recognise this as an issue with incorrect sessions being served across multiple (of their forty) servers. That should have sent alarm bells ringing.
“But no, they forged ahead with the launch. The next faux-pas was to send password reset emails in the clear. I personally have had 20 odd emails with my own password in them (because someone has been spamming the password reset function). The fact that Wheedle can send me my own password is a huge problem. It means the passwords are stored with (at the very least) reversible encryption, and probably in the clear. The stories of websites being hacked to divulge passwords are many, and it’s only a matter of time before Wheedle is hacked. They should be salting and hashing passwords such that they are unreadable in the database.
I like his Mainfreight comparison.
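For anyone wondering what “salting and hashing” actually rules out, here is an added example (my own, not Wheedle’s code) of a credential store that keeps only a random per-user salt and a PBKDF2 digest. No function in it can return the original password, so a reset can only hand out a one-time token. The iteration count and the in-memory dict are assumptions standing in for a real database.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Added example, not Wheedle's code: a password store that keeps only a
# per-user salt and a PBKDF2-HMAC-SHA256 digest. Nothing here can recover
# the original password, which is why a reset e-mail can never contain it.

PBKDF2_ITERATIONS = 600_000  # assumed cost parameter; tune to your hardware


def store_password(password: str) -> dict:
    """Create a credential record: random 16-byte salt plus the salted digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def issue_reset_token(record: dict) -> str:
    """Reset flow a hashed store supports: mail the user a random one-time token
    and keep only its hash, so the e-mail carries no password at all."""
    token = secrets.token_urlsafe(32)
    record["reset_token_hash"] = hashlib.sha256(token.encode("utf-8")).hexdigest()
    return token


def complete_reset(record: dict, token: str, new_password: str) -> Optional[dict]:
    """Accept the token once, then replace the credential with the new password's hash."""
    expected = record.get("reset_token_hash")
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    if expected is None or not hmac.compare_digest(expected, presented):
        return None
    del record["reset_token_hash"]  # single use: a replayed token is rejected
    return store_password(new_password)
```

Two users choosing the same password get different digests because of the salt, which is what makes a leaked table far less useful than a leaked plaintext one.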