Trade Me unsecure?

Forums › Off topic › Trade Me unsecure?

grasshoper

149 posts

Master Geek
+1 received by user: 2

Topic # 128830 24-Aug-2013 23:21

Maybe I'm way off here, but I went to buy something off trademe tonight and noticed the form where I enter my credit card is unsecure... as per this pic:

Does this matter? or am I just noob

(edit due to anal english police)

1 | 2 | 3 | 4

5565 posts

Uber Geek
+1 received by user: 251

Trusted

Geekzone

Lifetime subscriber

Reply # 884068 24-Aug-2013 23:21

Hmmmm. Here we go.

I am the Geekzone Robot and I am here to help. I am from the Internet. I do not interact. Do not expect other replies from me.

NonprayingMantis

6434 posts

Uber Geek
+1 received by user: 1571

Reply # 884071 24-Aug-2013 23:26

Unsecured I think is the term you are looking for.

Insecure means to be nervous, unsure, not confident etc.

1080p

1332 posts

Uber Geek
+1 received by user: 152
Inactive user

Reply # 884077 25-Aug-2013 00:15

NonprayingMantis: Unsecured I think is the term you are looking for.

Insecure means to be nervous, unsure, not confident etc.

One definition: Inadequately guarded or protected; unsafe

The words are effectively synonyms.

1080p

1332 posts

Uber Geek
+1 received by user: 152
Inactive user

Reply # 884078 25-Aug-2013 00:19

I'm not able to confirm but I imagine there is some kind of sorcery that allows them to encrypt the payment information 'box' as it were.

TradeMe would be pretty silly to not encrypt their customers' personal information.

Kyanar

3040 posts

Uber Geek
+1 received by user: 466

Trusted

Subscriber

Reply # 884079 25-Aug-2013 00:19

2 people support this post

Most likely the form itself submits to a secure site, but Trademe decided not to bother encrypting the form where you enter the information. This is still very VERY poor practice, and they definitely need to fix it.

I would refuse to enter any details into the form and immediately contact Trademe with your concerns. They have no convenient way to do it, so I'd just submit it via their feedback form

Zeon

3415 posts

Uber Geek
+1 received by user: 405

Trusted

Reply # 884088 25-Aug-2013 00:34

One person supports this post

If this place is anything like gpforums there will be a stuff reporter who will turn this into front page news and something will happen :)

insane

2282 posts

Uber Geek
+1 received by user: 370

Trusted

Subscriber

Reply # 884094 25-Aug-2013 01:13

Zeon: If this place is anything like gpforums there will be a stuff reporter who will turn this into front page news and something will happen :)

Arent they both owned by the same parent co? If so that reporter might want to sign up to trademe jobs.

timmmay

14231 posts

Uber Geek
+1 received by user: 2575

Trusted

Subscriber

Reply # 884114 25-Aug-2013 08:38

Check if there's a secure iFrame within the page. Also check the form submit tag to see if it goes to https. I'd be very very surprised if it wasn't done technically correctly, but lack of customer confidence is significant.

Showing the billing page over http isn't really a big problem so long as the submit is https, other than lack of confidence.

AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer

freitasm

BDFL - Memuneh
61519 posts

Uber Geek
+1 received by user: 12241

Administrator

Trusted

Geekzone

Lifetime subscriber

Reply # 884125 25-Aug-2013 09:30

2 people support this post

timmmay: Showing the billing page over http isn't really a big problem so long as the submit is https, other than lack of confidence.

I will use "secure" in this context as SSL-based encrypted.

If there's no iframe then that page is insecure for reasons I will come later, regardless of the form submission going to a secure page or not.

If the billing page is inside an iframe and the billing page inside the iframe and the form submission goes to a secure page then that's ok.

If the billing page is inside an iframe and the billing page inside the iframe is not secure and the form submission goes to a secure page then it's not secure.

The reason for that is because in case the billing page is not secure the contents of this page could be easily modified by an injected script - either changing the details of where the form submission destination is, or simply copying the contents of the form when the use clicks the submission button.

This injected script could come from either a malware installed on the client's computer or a transparent proxy modifying the page - remember the proxy can see the contents of any non secure page.

So, yes, check that the billing page is secure (either if it's the original page or an iframe content) and the form submits to a secure page, otherwise it's not secure at all.

That's why I removed the login fields from all Geekzone pages and now theres' a "click to login" button that redirects to our SSL-based login page.

Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff) |

My technology disclosure | Business Transformation | Enterprise Content Management | Customer Relationship Management

timmmay

14231 posts

Uber Geek
+1 received by user: 2575

Trusted

Subscriber

Reply # 884138 25-Aug-2013 10:12

Ah yes, xss, I haven't done much security work in a while and forgot about the whole injection thing. If there's an iFrame that's secure surely a script can't mess with the contents of the secure part?

Still I think the whole page should be on https just to give customers confidence. People are told over and over not to enter credit card details on a page unless the little lock symbol is showing.

AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer

freitasm

BDFL - Memuneh
61519 posts

Uber Geek
+1 received by user: 12241

Administrator

Trusted

Geekzone

Lifetime subscriber

Reply # 884144 25-Aug-2013 10:35

timmmay: Ah yes, xss, I haven't done much security work in a while and forgot about the whole injection thing. If there's an iFrame that's secure surely a script can't mess with the contents of the secure part?

This is where I said "If the billing page is inside an iframe and the billing page inside the iframe and the form submission goes to a secure page then that's ok."

All other cases are not ok.

timmmay: Still I think the whole page should be on https just to give customers confidence. People are told over and over not to enter credit card details on a page unless the little lock symbol is showing.

It should. The whole page, the iframe (if any) and for submission. I haven't used that for ages so I won't be able to test, the OP is the one that will have to tell us (or someone else using that page about now).

Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff) |

My technology disclosure | Business Transformation | Enterprise Content Management | Customer Relationship Management

sleemanj

1255 posts

Uber Geek
+1 received by user: 161

Reply # 884157 25-Aug-2013 11:06

Just had a look, not ssl secured, not in an iframe, and even worse does not appear to submit to an SSL url.

---
James Sleeman
I sell lots of stuff for electronic enthusiasts...

timmmay

14231 posts

Uber Geek
+1 received by user: 2575

Trusted

Subscriber

Reply # 884159 25-Aug-2013 11:21

Someone should probably point this thread out to trademe... does anyone know how to get to someone worth talking to, rather than front line customer support?

AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer

troyhunt

2 posts

Wannabe Geek
+1 received by user: 3

Trusted

Reply # 884178 25-Aug-2013 12:20

3 people support this post

Whether or not it posts over HTTPS is inconsequential; once the form is loaded over HTTP you have no confidence whatsoever in the integrity of the page - it could be posting to an attacker's site, have a keylogger embedded or be manipulated in other ways. Here's how that works: http://www.troyhunt.com/2013/05/your-login-form-posts-to-https-but-you.html

The payment card industry has pretty clear expectations on how this sort of data needs to be handled and this implementation definitely isn't up to scratch.

troyhunt.com

nickb800

2055 posts

Uber Geek
+1 received by user: 358

Trusted

Reply # 884192 25-Aug-2013 12:35

troyhunt: Whether or not it posts over HTTPS is inconsequential; once the form is loaded over HTTP you have no confidence whatsoever in the integrity of the page - it could be posting to an attacker's site, have a keylogger embedded or be manipulated in other ways. Here's how that works: http://www.troyhunt.com/2013/05/your-login-form-posts-to-https-but-you.html

The payment card industry has pretty clear expectations on how this sort of data needs to be handled and this implementation definitely isn't up to scratch.

Would this argument extend to iframes - since you can't easily see that its an HTTPS connection? By easily I mean that there isn't an obvious padlock next to the URL

1 | 2 | 3 | 4