Trade Me unsecure?

Forums › Off topic › Trade Me unsecure?

1 | 2 | 3 | 4

2102 posts

Uber Geek

#884557 26-Aug-2013 11:13

Can someone explain to me the worst case scenario of this particular page not being encrypted?? I would have thought all of the information is publicly available anyway, from this page.

freitasm

BDFL - Memuneh
79295 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#884561 26-Aug-2013 11:17

Someone intercepting your credit card number, expiry, name and CCV in transit to TM servers?

scowie

2 posts

Wannabe Geek

#884575 26-Aug-2013 11:41

Nope, it's a different page, you can try it here

Jebus, so they manage to use ssl in one place but not the other.

Zeon

3916 posts

Uber Geek

Trusted

#884605 26-Aug-2013 12:28

freitasm: Someone intercepting your credit card number, expiry, name and CCV in transit to TM servers?

Still pretty unlikely but not good either way.

Speedtest 2019-10-14

sleemanj

1490 posts

Uber Geek

#884646 26-Aug-2013 13:17

Zeon:
freitasm: Someone intercepting your credit card number, expiry, name and CCV in transit to TM servers?

Still pretty unlikely but not good either way.

Geekzone users know better, but Joe Public is quite likely to be accessing trademe and use this page over random wifi networks for a start :-)

---
James Sleeman
I sell lots of stuff for electronic enthusiasts...

1080p

1332 posts

Uber Geek
Inactive user

#884710 26-Aug-2013 14:27

sleemanj:
Zeon:
freitasm: Someone intercepting your credit card number, expiry, name and CCV in transit to TM servers?

Still pretty unlikely but not good either way.

Geekzone users know better, but Joe Public is quite likely to be accessing trademe and use this page over random wifi networks for a start :-)

This would be hilarious to demonstrate over TradeMe's free wi-fi in Wellington. :)

freitasm

BDFL - Memuneh
79295 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#884828 26-Aug-2013 16:31

I am told this has now been fixed by Trade Me. Anyone care to check please?

Quic Broadband

Move to New Zealand's best fibre broadband service (affiliate link). Free setup code: R587125ERQ6VE. Note that to use Quic Broadband you must be comfortable with configuring your own router.

sleemanj

1490 posts

Uber Geek

#884840 26-Aug-2013 16:43

freitasm: I am told this has now been fixed by Trade Me. Anyone care to check please?

Yes, fixed.

---
James Sleeman
I sell lots of stuff for electronic enthusiasts...

itxtme

2102 posts

Uber Geek

#884952 26-Aug-2013 20:10

freitasm: Someone intercepting your credit card number, expiry, name and CCV in transit to TM servers?

I understood if you choose the credit card pay option it redirected to SSL, so the only details that could be intercepted would be what you purchased.. Thats why I thought it was somewhat out of proportion..

kyhwana2

2566 posts

Uber Geek

#884962 26-Aug-2013 20:30

itxtme:
freitasm: Someone intercepting your credit card number, expiry, name and CCV in transit to TM servers?

I understood if you choose the credit card pay option it redirected to SSL, so the only details that could be intercepted would be what you purchased.. Thats why I thought it was somewhat out of proportion..

As per the OP screenshot, they'd already chosen the credit card option? Even if the iFrame is SSL, it doesn't matter since the actual page is loaded over HTTP and you can just replace that iframe with whatever you want when you MITM someone. (2degree's used to have this problem with their topup page too)

sleemanj

1490 posts

Uber Geek

#884963 26-Aug-2013 20:34

itxtme:
freitasm: Someone intercepting your credit card number, expiry, name and CCV in transit to TM servers?

I understood if you choose the credit card pay option it redirected to SSL, so the only details that could be intercepted would be what you purchased.

No. The page where you entered your CC details, and the url that form submitted to was not SSL secured in any way.

From what I can see only applied to MQL (Multi Quantity Listings) with Pay Now as an option (which switches on the "new" integrated checkout process introduced last month).

---
James Sleeman
I sell lots of stuff for electronic enthusiasts...

grasshoper

164 posts

Master Geek

#884967 26-Aug-2013 20:48

yep, definitely fixed. Glad to see trademe listening to the public :D

PaulBags

809 posts

Ultimate Geek
Inactive user

#884980 26-Aug-2013 21:22

Would still appreciate secured logins & for https to not just redirect to http.

Oh well, I don't think much of trademe anyway. Been years since I bought anything there, and longer still since I sold anything.

lyonrouge

1993 posts

Uber Geek

Trusted

Lifetime subscriber

#990493 19-Feb-2014 14:28

PaulBags: Would still appreciate secured logins & for https to not just redirect to http.

Oh well, I don't think much of trademe anyway. Been years since I bought anything there, and longer still since I sold anything.

They requested I login and update my address valuidation, but it's still unencrypted. I wonder if their mobile application is also unencrypted? Is their a way to tell?

kenkeniff

628 posts

Ultimate Geek

#990504 19-Feb-2014 14:51

lyonrouge:
PaulBags: Would still appreciate secured logins & for https to not just redirect to http.

Oh well, I don't think much of trademe anyway. Been years since I bought anything there, and longer still since I sold anything.

They requested I login and update my address valuidation, but it's still unencrypted. I wonder if their mobile application is also unencrypted? Is their a way to tell?

Wireshark

1 | 2 | 3 | 4