Local eCommerce website user details exposed

* Ps. Don’t worry, we won’t share your email with anyone – we hate spam too.
Quoted from the wicount website :-D
 
You just made sure I would never even visit their website!
 
Google's cache will have this for weeks - not only are a bunch of the source pages from Wicount cached, but some site (onodot.com) also had the content and was cached by Google. If it is ShopDirect's fault, then it is even worse - I will NEVER buy from a site that uses ShopDirect ever again.

Hey, it could be worse, you could be like this dude that lost R30 000 dealing with ShopDirect: http://www.hellopeter.com/shopdirect-complaint-[458306]
 
my god how can people be so dumb as to not protect their admin pages... Google has indeed indexed (and cached) those pages...

I guess .NET developers don't think security is important? Just kidding - I've heard security conscious developers talk at TechEd - this is just a case of complete disregard for user privacy. I wonder if they even sanity check input for SQL injection :-P
 
You mean to tell me they just needed to delete the orders_DealList.aspx page from the site to fix it?
Ouch...
Perhaps they just renamed it and it's a matter of time till it resurfaces? I wonder if anyone from wicount would care to comment...
 
I hope they can hold Shopdirect liable for the damage this has caused them
 
Just out of curiosity, what other sites are built by Shopdirect? Let's scrutinize those too.
 

Yeah probably. I have a lot of patience when it comes to e-commerce startups - I understand that maybe they don't understand sidejacking, or they only go HTTPS from when you hit the "buy" button, but this is just naivety. It's like someone who runs Webmin (eugh, but anyway) with no username and password and then just puts it on a non-standard port hoping that nobody will notice. Security through obscurity has never been foolproof.

I firmly believe Wicount had this open and exposed the whole time but believed it would never be spidered by Google. The onodot.com links (they provide a URL cloaking service) that mirror the content point to a very simple explanation: instead of providing suppliers with a login where they could redeem their voucher, they sent out an onodot link that cloaked the orders_DealList.aspx URL. After the suppliers had printed the list or whatever, Wicount deleted the onodot link. At some point in this security-through-obscurity process, the Google spiders stumbled across the onodot pages and (possibly through that?) the source pages on Wicount's site. My assertion, then, is that Wicount wilfully and knowingly ignored user safety and security because they were too lazy to develop their webapp properly. I stand to be corrected, of course, should a technical person from Wicount be able to explain to us why they don't have a robots.txt (and if they ever had one, why it simply didn't have Disallow: /adminfolder/).
 
Have you checked the whois for wicount.co.za? (http://whois.co.za/cgi-bin/whois.sh?Domain=wicount)

I think ShopDirect own them - you can't sue yourself :-P

Often the web dev company will register the domain on the client's behalf. It's very naive on behalf of the client but I've seen non-technically inclined entrepreneurs fall for this before. If the relationship with the development company sours, they're in a world of trouble...
Not saying that that is happening here as I don't know the wicount people, but I wouldn't be surprised if that is the case.

That's true...but that is a world of hurt if you are running an ecommerce site and don't know enough about the Internet to register your own domain...
 

They probably cut corners in a scramble to become the biggest groupon clone in SA (the business is only a few months old). But this case highlights that it's only fair that twangoo got bought by Groupon and not wicount. A due diligence would have exposed their poor technical ability and bad site design.
 

Their site design is shocking. Actually, so is Twangoo's. Have none of these people done any usability studies?? And don't get me started on Twangoo - do you know they're in the ISPA hall of shame for spamming? (http://www.ispa.org.za/spam/hall-of-shame) Apparently when you refer a friend they just SUBSCRIBE that friend without an opt-in. A due diligence would have exposed that Twangoo contravene the ECT act.
 
According to Palay, WiCount clients should not be concerned about their credit card details as that information is still secure....

And since when are you allowed to store credit card details?

I have worked at numerous companies where there were online transactions; storing the credit card details was not permitted by the bank or the merchant.

EDIT: in actual fact, there are laws against it as far as I can remember.
 