Original URL: http://www.theregister.co.uk/2012/10/05/wheedle_feeble/

Security mess sends Kiwi auction site titsup in two days

Holes allowed auction price resets, exposed passwords

By Simon Sharwood

Posted in Security, 5th October 2012 06:45 GMT

A New Zealand auction website has shut after just a day, thanks to IT professionals who noticed extraordinarily relaxed security operations.

The site in question is Wheedle.co.nz, which currently says “unforeseen technical problems “have “postponed further activity on the website.”

Postp0wned may be a more accurate term, as blogger Ben Gracewood noticed the URL wheedle.co.nz /search/editprice. Visitors to that address could indeed edit the price of goods up for auction, and even peer at the reserve price. Other users complained of a password reset scheme that saw their secret words sent a plaintext in emails. Allegations also surfaced that the software responsible for sending out password reminders had been accessed, with the result that account holders received multiple password-related emails.

Before those issues came to light the site staggered beneath big launch-day traffic loads that took it offline. Revelations that the site hired programmers based in India led to some raised eyebrows among Kiwi coders, and competitive sniping from other startup Kiwi auction sites as noted in the National Business Review.

Making the situation more juicy is the fact that the site Wheedle aimed to take down – in a competitive sense – is owned by Fairfax Media, the Australian-owned publisher of ComputerWorld in New Zealand. Needless to say, Fairfax’s New Zealand outlets have not let the failure of Wheedle go un-noticed. ®