Geekzone: technology news, blogs, forums


grasshoper

#128830 24-Aug-2013 23:21

Maybe I'm way off here, but I went to buy something off trademe tonight and noticed the form where I enter my credit card is unsecure... as per this pic:



Does this matter? Or am I just a noob?

(edit due to anal English police)

PeterReader
#884068 24-Aug-2013 23:21

Hmmmm. Here we go.





NonprayingMantis
#884071 24-Aug-2013 23:26

Unsecured I think is the term you are looking for.

Insecure means to be nervous, unsure, not confident etc.

1080p
#884077 25-Aug-2013 00:15

NonprayingMantis: Unsecured I think is the term you are looking for.

Insecure means to be nervous, unsure, not confident etc.


One definition: Inadequately guarded or protected; unsafe

The words are effectively synonyms.



1080p
#884078 25-Aug-2013 00:19

I'm not able to confirm but I imagine there is some kind of sorcery that allows them to encrypt the payment information 'box' as it were.

TradeMe would be pretty silly to not encrypt their customers' personal information.

Kyanar
#884079 25-Aug-2013 00:19

Most likely the form itself submits to a secure site, but Trademe decided not to bother encrypting the form where you enter the information. This is still very VERY poor practice, and they definitely need to fix it.

I would refuse to enter any details into the form and immediately contact Trademe with your concerns. They have no convenient way to do it, so I'd just submit it via their feedback form.

Zeon
#884088 25-Aug-2013 00:34

If this place is anything like gpforums there will be a stuff reporter who will turn this into front page news and something will happen :)




insane
#884094 25-Aug-2013 01:13

Zeon: If this place is anything like gpforums there will be a stuff reporter who will turn this into front page news and something will happen :)


Aren't they both owned by the same parent co.? If so, that reporter might want to sign up to trademe jobs.

timmmay
#884114 25-Aug-2013 08:38

Check if there's a secure iFrame within the page. Also check the form submit tag to see if it goes to https. I'd be very very surprised if it wasn't done technically correctly, but lack of customer confidence is significant.

Showing the billing page over http isn't really a big problem so long as the submit is https, other than lack of confidence.

freitasm
#884125 25-Aug-2013 09:30

timmmay: Showing the billing page over http isn't really a big problem so long as the submit is https, other than lack of confidence.


I will use "secure" in this context as SSL-based encrypted.

If there's no iframe then that page is insecure for reasons I will come to later, regardless of whether the form submission goes to a secure page or not.

If the billing page is inside an iframe and the billing page inside the iframe is secure and the form submission goes to a secure page then that's ok.

If the billing page is inside an iframe and the billing page inside the iframe is not secure and the form submission goes to a secure page then it's not secure.

The reason is that if the billing page is not secure, the contents of the page could easily be modified by an injected script - either changing the form submission destination, or simply copying the contents of the form when the user clicks the submit button.

This injected script could come from either malware installed on the client's computer or a transparent proxy modifying the page - remember the proxy can see the contents of any non-secure page.

So, yes, check that the billing page is secure (whether it's the original page or iframe content) and that the form submits to a secure page, otherwise it's not secure at all.

That's why I removed the login fields from all Geekzone pages and now there's a "click to login" button that redirects to our SSL-based login page.






 


timmmay
#884138 25-Aug-2013 10:12

Ah yes, XSS, I haven't done much security work in a while and forgot about the whole injection thing. If there's an iFrame that's secure surely a script can't mess with the contents of the secure part?

Still I think the whole page should be on https just to give customers confidence. People are told over and over not to enter credit card details on a page unless the little lock symbol is showing.

freitasm
#884144 25-Aug-2013 10:35

timmmay: Ah yes, xss, I haven't done much security work in a while and forgot about the whole injection thing. If there's an iFrame that's secure surely a script can't mess with the contents of the secure part?


This is where I said "If the billing page is inside an iframe and the billing page inside the iframe is secure and the form submission goes to a secure page then that's ok."

All other cases are not ok.

timmmay: Still I think the whole page should be on https just to give customers confidence. People are told over and over not to enter credit card details on a page unless the little lock symbol is showing.


It should. The whole page, the iframe (if any) and the form submission. I haven't used that for ages so I won't be able to test; the OP is the one who will have to tell us (or someone else using that page about now).







sleemanj
#884157 25-Aug-2013 11:06

Just had a look: not SSL secured, not in an iframe, and even worse it does not appear to submit to an SSL URL.






timmmay
#884159 25-Aug-2013 11:21

Someone should probably point this thread out to trademe... does anyone know how to get to someone worth talking to, rather than front line customer support?

troyhunt
#884178 25-Aug-2013 12:20

Whether or not it posts over HTTPS is inconsequential; once the form is loaded over HTTP you have no confidence whatsoever in the integrity of the page - it could be posting to an attacker's site, have a keylogger embedded or be manipulated in other ways. Here's how that works: http://www.troyhunt.com/2013/05/your-login-form-posts-to-https-but-you.html

The payment card industry has pretty clear expectations on how this sort of data needs to be handled and this implementation definitely isn't up to scratch.
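An added example (not code from this thread, from TradeMe or from troyhunt's article) that turns freitasm's case analysis and troyhunt's point into a concrete audit: given a page's URL and its HTML, it flags a card or login form delivered over HTTP, a form action that resolves to HTTP, and any iframe or script fetched over HTTP. The field-name heuristics, host names and sample page are constructed here.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SENSITIVE = ("card", "cvv", "cvc", "expiry", "password", "passwd")  # heuristic field markers, constructed here

class FormAuditor(HTMLParser):
    """Collect forms (with input names), iframe sources and external script sources."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms, self.iframes, self.scripts = [], [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":  # an empty action means "submit to this page"; urljoin resolves that
            self.forms.append({"action": urljoin(self.page_url, a.get("action") or ""), "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append((a.get("name") or a.get("id") or a.get("type") or "").lower())
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(urljoin(self.page_url, a["src"]))
        elif tag == "script" and a.get("src"):
            self.scripts.append(urljoin(self.page_url, a["src"]))

def is_https(url):
    return urlsplit(url).scheme == "https"

def audit(page_url, html):
    """Return a list of findings for one HTML document; an empty list means every check passed."""
    p = FormAuditor(page_url)
    p.feed(html)
    findings = []
    for f in p.forms:
        if not any(k in name for name in f["inputs"] for k in SENSITIVE):
            continue  # no card or credential fields in this form
        if not is_https(page_url):
            findings.append("sensitive form delivered over HTTP: page content can be altered in transit")
        if not is_https(f["action"]):
            findings.append(f"sensitive form submits over HTTP to {f['action']}")
    for src in p.iframes:
        if not is_https(src):
            findings.append(f"iframe loaded over HTTP, so its contents can be rewritten: {src}")
    for src in p.scripts:
        if not is_https(src):
            findings.append(f"script loaded over HTTP can rewrite the form or read its fields: {src}")
    return findings

# Constructed sample: the billing form posts to HTTPS, but the page and a script arrive over HTTP.
SAMPLE_URL = "http://shop.example.test/checkout"
SAMPLE_HTML = """<html><body><script src="http://cdn.example.test/analytics.js"></script>
<form action="https://pay.example.test/charge" method="post"><input name="cardNumber">
<input name="cvv"><input type="submit" value="Pay"></form></body></html>"""
```

The same function needs to be run on each HTTPS iframe's own document as well, since a frame that is served over HTTPS but pulls in an HTTP script is in the same position as an HTTP page.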




nickb800
#884192 25-Aug-2013 12:35

troyhunt: Whether or not it posts over HTTPS is inconsequential; once the form is loaded over HTTP you have no confidence whatsoever in the integrity of the page - it could be posting to an attacker's site, have a keylogger embedded or be manipulated in other ways. Here's how that works: http://www.troyhunt.com/2013/05/your-login-form-posts-to-https-but-you.html

The payment card industry has pretty clear expectations on how this sort of data needs to be handled and this implementation definitely isn't up to scratch.


Would this argument extend to iframes - since you can't easily see that it's an HTTPS connection? By easily I mean that there isn't an obvious padlock next to the URL.
