A few months ago while looking for an arborist my wife listed the job on NoCowboys.co.nz, a New Zealand website for finding and rating businesses. Because of the way jobs are manually checked before appearing on the site there is a delay after submitting before you can tell if it worked. While I was trying to work out why the job hadn’t appeared on the site yet I happened upon a gaping hole in their security which enabled me to edit any other job on the site as well as see all the correspondence between clients and businesses. Most of the correspondence is either the client giving their address or the businesses providing a quote. Obviously giving out an address is not great, but the quote can be harmful too. While I couldn’t change what the quotes were, I’m sure businesses would find it useful to know what the competing quotes were before providing their own one. It’s also possible to reply on behalf of the job-lister, and thus turn down quotes to ensure yours was the only one that got through. But this is only half of the site. The other half is being a business. If they have the same lack of security on that side then it will be trivial to edit the quotes from your competitors and destroy their reputation by adding a few swear words here and there. I haven’t been able to verify if such edits are possible because it costs $299NZD to register and I’m not paying for the privilege of checking their security any more than I already have. Still, I’m prepared to assume that if it is the same developer across the site they’ll have made the same basic mistake everywhere.
Before I explain what this mistake is I should point out that I emailed NoCowboys about this in July, and again in October. I told them exactly how to perform the hack and suggested the cause and a fix. I have heard nothing from them and they haven’t fixed it. Hopefully by putting this in the public domain they’ll take more notice. Who knows, maybe we’ll see a listing under their Computer and IT Security section.
So finally, what is this hole then? It’s simple, staggeringly simple. You need to register first and then log in. If you had listed a job you could go to the edit page, or use this URL as an example: http://www.nocowboys.co.nz/jobs/myjobs/XXXX/overview-v2 except instead of XXXX you’d have a job number. All you need to do is change the job number to the one you want to spy on and you’ll have full write-access to that job. The only security check they do is that *someone* is logged in; they don’t check who is logged in. Authentication but not authorisation.
Update: Oct 20th
It gets worse. The whole point of NoCowboys is to see opinions and ratings from other customers of the business you’re looking at to decide if you want to use them. So it’s not good that businesses can edit any review on the site. All a business needs to do is use this URL as an example and fill in the review number they’d like to edit. http://www.nocowboys.co.nz/edit-my-rating/XXXX.
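The post describes the same defect twice: the job edit page and the rating edit page both confirm that a user is logged in (authentication) but never confirm that the user owns the record named in the URL (authorisation). The block below is an added illustration, not NoCowboys' code, written against a constructed in-memory store with made-up user, job and rating ids. It puts the authentication-only handler the post describes beside the corrected handler, which additionally requires ownership, returns the same denial for "no such record" and "not yours" so that ids cannot be enumerated through differing responses, and records every denial in an audit log so that attempts to walk the id space are visible to the site operator.

```python
"""Authentication-only vs. authentication-plus-authorisation edit handlers.

Added example: a minimal model of the access-control defect the post
describes, not the real site's code.  All users, jobs, ratings and ids
below are constructed sample data.
"""
from dataclasses import dataclass

@dataclass
class Job:
    job_id: int
    owner_id: int      # the customer who listed the job
    title: str

@dataclass
class Rating:
    rating_id: int
    author_id: int     # the customer who wrote the review
    business_id: int   # the business being reviewed
    text: str

# Constructed sample data: two customers (1, 2) and one business account (3).
USERS = {1: "customer-alice", 2: "customer-bob", 3: "business-acme-trees"}
JOBS = {100: Job(100, 1, "Trim oak tree"), 101: Job(101, 2, "Remove stump")}
RATINGS = {500: Rating(500, 1, 3, "Turned up late, but tidy work")}

# Denied requests are appended here; a real deployment would send them to
# the application log so that a run of denials from one session stands out.
AUDIT_LOG = []

def _deny(reason, user_id, kind, record_id):
    AUDIT_LOG.append({"reason": reason, "user": user_id, kind: record_id})
    return {"ok": False, "reason": reason}

def edit_job_vulnerable(user_id, job_id, new_title):
    """The defect from the post: any logged-in user may edit any job id."""
    if user_id is None:
        return _deny("unauthenticated", user_id, "job", job_id)
    job = JOBS[job_id]          # no check that the job belongs to user_id
    job.title = new_title
    return {"ok": True, "job_id": job_id, "title": job.title}

def edit_job_fixed(user_id, job_id, new_title):
    """Corrected: the job must exist AND be owned by the calling user."""
    if user_id is None:
        return _deny("unauthenticated", user_id, "job", job_id)
    job = JOBS.get(job_id)
    # One identical response for "missing" and "not yours": a caller cycling
    # through ids learns nothing about which ones exist.
    if job is None or job.owner_id != user_id:
        return _deny("forbidden", user_id, "job", job_id)
    job.title = new_title
    return {"ok": True, "job_id": job_id, "title": job.title}

def edit_rating_fixed(user_id, rating_id, new_text):
    """Corrected rating editor: only the review's author may change it.

    In particular the business being reviewed is NOT an owner of the review,
    which is the second problem the post's update describes.
    """
    if user_id is None:
        return _deny("unauthenticated", user_id, "rating", rating_id)
    rating = RATINGS.get(rating_id)
    if rating is None or rating.author_id != user_id:
        return _deny("forbidden", user_id, "rating", rating_id)
    rating.text = new_text
    return {"ok": True, "rating_id": rating_id, "text": rating.text}

if __name__ == "__main__":
    # Bob (2) editing Alice's job (100) through each handler.
    print("vulnerable:", edit_job_vulnerable(2, 100, "changed by someone else"))
    print("fixed:     ", edit_job_fixed(2, 100, "changed by someone else"))
    # The reviewed business (3) trying to rewrite Alice's review (500).
    print("rating:    ", edit_rating_fixed(3, 500, "Five stars!"))
    print("audit log: ", AUDIT_LOG)
```

The ownership comparison is the whole fix; the rest of the corrected handlers is about making it robust. Looking the record up by its id and then comparing the owner, rather than querying for "records with this id owned by this user", keeps the check explicit and easy to review, and logging the denial gives an operator something to alert on when a single session is refused on many consecutive ids.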
NoCowboys have contacted me and are working on a fix. Apparently the contact email address wasn’t working so this was the first they heard of it :/
Update 3: Oct 21st
NoCowboys have fixed the problems. That was pretty quick from when they first read my messages. If it hadn’t been for the faulty feedback form on their site they would have had enough time to fix it in private and the world would never have known.