Wheedling Their Way Out

October 3rd, 2012 by Dylan Leave a reply »

When I first heard about Wheedle I was immediately skeptical for two reasons… Firstly they thought it was a good idea to sink millions into competing with TradeMe. Secondly they felt it necessary to boast about their 40 servers. Both appeared to suggest a fundamental lack of awareness about the market and the technology involved.

Then it all started to unfold – the site was very flakey pre-launch. When it wasn’t offline or timing out it was returning a different user’s session on every page load. But that wasn’t really live yet.

On Monday, when the site went live, the session issue seemed solved. It was possible to register an account and sign in. In theory you could also add a listing or browse and bid on those that were there. At least for a little while. Within hours the site, all forty servers apparently, were breaking under the load and totally unable to provide responses to all but the most simplistic responses.

But that wasn’t all – there started to be some pretty serious questions. It was quickly noted that a ‘Forgot My Password’ request resulted in an email being sent to the user with the username and password in it. This was a huge warning sign. Wheedle said they’d address the issue “ASAP

The site was up and down on Monday evening and Tuesday morning. And then things got really crazy. It became apparent that a lot of input validation was being done entirely on the client-side and people registered usernames they should not have been able to – the best I saw was 8===>~~~

Then came the Oh My God moment – Twitter user @ruatara discovered that it was possible for any logged in user to edit the prices (Starting, Reserve and Buy Now) of any auction. See a car you like? Add a Buy Now of $1 and then buy it.

Clearly this was completely impossible for Wheedle to ignore, it was impossible for anyone to run a reliable auction on the site. They did the only thing they could do and took the site offline. Then they did what, at the time, seemed like exactly the right thing – they annouced the site would be down indefinately while they seriously addressed the problems.

But then this evening I received a Personal Message from Wheedle CEO Carl Rees…

Dear Wheedle Member,

I made a decision yesterday morning to take Wheedle offline.

On Monday night our tech team made some tweaks and changes to the website to improve its performance and speed. These changes were deployed to the website without first passing through our normal test protocols. We quickly discovered that the changes were causing problems with the auction listing prices. There was also some concern raised around password security and retrieval. Please rest assured that your password has been, at all times, strongly encrypted and stored in our database. We are also exploring alternative ways to further increase password security.

In light of these events, we are undertaking a complete review of the website including engaging an independent firm to carry out a full a check of the security of the website.

We experienced a very positive interest in Wheedle and we had an astounding member uptake. We will be back soon, better, stronger and safer.

I apologise for any inconvenience this has caused and thank you for your support.

Unfortunately thie email is, at best, disingenuous; at worst, an outright lie.

It is simply implausible that the fundamental failures in the security model that allowed any authenticated user to edit the details of any auction were introduced as a result of the site tuning made on Monday night. And to describe this issue as “problems with the auction listing prices” completely fails to acknowledge the nature to the issue.

As for the passwords this is either a complete lie or the practices employed on the site were incredibly irresponsible. A website should never be able to retrieve your password in any meaningful way. The fact that it was possible to email users their password is a clear indication that either they weren’t encrypted in the database at all, or they were encrypted in an unencryptible way (and that the software was doing so to send passwords to people). Either option is totally unacceptable and flys in the face of established practices in web development.

Bear in mind this was a site that is asking you to trust it to handle financial transactions on your behalf, and soon would be asking you for your credit card details.

The fact that Wheedle still seems unable to properly address the nature of their failures suggest either that they still don’t fully understand where they’ve gone wrong, or that they are deliberately trying to wheedle their way out of the situation they’ve found themselves in.

Unfortunately at all stages it has appeared that Wheedle has tried to down-play the nature of the problems, attributing them to things like higher-than-expected traffic and lack of pre-lauch testing. And now the email above. But the evidence suggests the issues were a failure in design from the outset.

While I have no inside information on the development, it would appear from the outside that the developers of the site (an Indian-based programming team of about a dozen, apparently) were handed a brief that read, approximately, “take a look a TradeMe.co.nz… Now, make a site that does that” and left to their own devices. Indeed they made a site, that in a basic look and functionality sense, duplicated TradeMe, but they lacked the knowledge or guidance to properly develop the underlying architecture to support such a site.

Wheedle will be tainted for me until they can be honest about how they’ve failed and what’s being done to correct the issue. The site’s backers need to admit they’ve embarked on the project without the right expertise and then get some of that expertise on board.