
Saturday, June 11, 2011

1Pengguna.com. 1.4 million reasons why you should NOT sign up. Yet

When we first heard of the launch of the 1pengguna.com website (which we were not invited to!), we were quite excited to see how good it would be. The cause was noble, something quite similar to how we (yes Lowyat.NET) started about 8 years ago. To be a consumer centric web site that provides an easy way to compare prices of goods across the country was really something many of us were looking forward to.

Developed at a rather whopping cost of RM1.4 million, many were expecting it to be supremely useful, or at least supremely effective at doing its core function: price comparison. Unfortunately, barely a day after launch and 3.5 million hits later, the site came to a standstill, and an overwhelming response was cited as the reason. We really don't want to throw numbers about, but 3.5 million hits is not a huge number, and some basic stress testing prior to launch would have ensured the site remained operational.

But that's not the crux of this article (or why we held back writing this until three days after the launch). We did a bit of digging on the site when it was first announced and noticed a severe lack of security. Granted, it is not a banking site that involves real monetary exchange, but security and user privacy are very important issues, especially on a site that is backed by the Government and has a clear membership system requiring users to sign up for access to all content.

Several vulnerabilities were later brought to light by the Rilekscrew group (heads up to Dark-X), pointing out that these vulnerabilities allowed almost all the data contained on the server to be remotely accessed. This was not limited to prices of goods but extended to signup details, usernames, email addresses and hashed passwords (encrypted). We immediately dispatched an email to the contact address listed with a brief explanation of the vulnerabilities, but two days later we noticed that nothing had been done to secure the servers.

Today, however, we have been informed that a few local websites have posted the vulnerabilities of the site online. This basically means that the 2000 or so members who have signed up (at the time of writing) might have their data stolen from the site. We are hoping that the administrators of the site take note of this post and take the necessary preventive measures as soon as possible to prevent the data from being further compromised.
