Wheedle: What went wrong?

I know it’s been a while since I last posted here, but let’s just move past that for now, and get to the bit where I talk about…

Wheedle

Last week I managed, by chance, to get a sneak peek at the site before its official launch yesterday. It actually looked pretty good on the surface; obviously borrowing heavily from Trade Me, for better or for worse. There were UI quirks here and there, but it looked fairly polished, and performed exceptionally fast (as it should under pretty much no load).

Yesterday, however, it became apparent that you didn’t have to scratch very deep to discover some alarming issues; the two of note being:

• A huge security flaw:
  • users had their password emailed to them.
  • registered users had their username and password stored locally in a cookie, in plain text.
• Sensitive URLs were exposed, e.g. you could determine/guess the URL to edit the details (reserve, buy-now, etc.) of anyone’s auction. Auction edits weren’t authenticated. (thanks @ruatara)

…and I would be very surprised if there aren’t a great many more issues.

Now, there’s been abundant commentary on Twitter, and in other media, about this rather large balls-up.

Insufficient server capacity

Some have said (ill-informedly) that excessive load due to launch has been causing issues. Wheedle’s claims of 40 on-shore servers, if true, would mean load, even at more intense launch levels, would not be an issue. Geekzone are serving nearly 7 million pageviews per month off one server.

Wheedle’s boast of 40 dedicated IBM-supported servers drew some scorn. In this day and age, they should probably be using some sort of scalable platform where server capacity can be increased (and reduced) dynamically as required.

Inadequate pre-launch testing

Wheedle GM Carl Rees claimed the problem was due to inadequate pre-launch testing.

He has no idea. The username/password flaw is inarguably a design fault. I’m sure it would have tested fine, but this is just not how you handle site security at all.

The issue with exposed guessable unauthenticated URL routes is indeed a pre-launch testing cock-up – you can easily automate that stuff, but behind that, it’s primarily a code design/development issue. That stuff should simply not happen.

Bespoke platform

Some have criticised the decision to build from scratch, instead of building on an existing proven product. This might be a valid claim up to a point; it would almost certainly have prevented the security issues they have.
In my experience, however, building on an existing product gets you only so far before it starts to become the problem. In my experience, even building with the more flexible frameworks like Symfony or Ruby on Rails, you’ll always get to a point where you have to start replacing the pre-built stuff to better suit your app’s needs.
I don’t think you’ll find too many large scale web apps that aren’t effectively built from scratch.

Scorn

An inordinate quantity of scorn has been directed at Wheedle. Some of it might be warranted, but it probably went a bit too far.

I feel immensely sorry for Wheedle’s Rich List backer, Neil Graham. He must be hurting pretty bad.
He had a noble idea – to unseat Trade Me, which is increasingly taking advantage of its monopoly on the online auction market in NZ – and he had the resources (well, the cash, at least) to do it.
He did, however, lack guidance and expertise – which is not that hard to find, really, and leads me to my next point…

A lot of people have also scorned Wheedle’s use of off-shore developers. NZ has a massive resource of incredibly talent web developers, and it’s a shame they weren’t put to use here. This is a good point.

Plenty of others have written plenty about Wheedle already, so I’m going to finish up here.

A great idea, but woefully poorly executed. I think a lot of people have learned many things over the last few days.