Posts Tagged ‘advice’

NoCowboys security failure [updated x2] [fixed]

Friday, October 19th, 2012

A few months ago while looking for an arborist my wife listed the job on NoCowboys.co.nz, a New Zealand website for finding and rating businesses. Because jobs are manually checked before appearing on the site there is a delay after submitting before you can tell if it worked. While I was trying to work out why the job hadn’t appeared on the site yet I happened upon a gaping hole in their security which enabled me to edit any other job on the site as well as see all the correspondence between clients and businesses. Most of the correspondence is either the client giving their address or the business providing a quote. Obviously giving out an address is not great, but the quote can be harmful too. While I couldn’t change what the quotes were, I’m sure businesses would find it useful to know what the competing quotes were before providing their own. It’s also possible to reply on behalf of the job-lister, and thus turn down quotes to ensure yours was the only one that got through. But this is only half of the site. The other half is being a business. If they have the same lack of security on that side then it will be trivial to edit the quotes from your competitors and destroy their reputation by adding a few swear words here and there. I haven’t been able to verify if such edits are possible because it costs $299NZD to register and I’m not paying for the privilege of checking their security any more than I already have. Still, I’m prepared to assume that if it is the same developer across the site they’ll have made the same basic mistake everywhere.
Before I explain what this mistake is I should point out that I emailed NoCowboys about this in July, and again in October. I told them exactly how to perform the hack and suggested the cause and a fix. I have heard nothing from them and they haven’t fixed it. Hopefully by putting this in the public domain they’ll take more notice. Who knows, maybe we’ll see a listing under their Computer and IT Security section.
So finally, what is this hole then? It’s simple, staggeringly simple. You need to register first and then log in. If you had listed a job you could go to the edit page, or use this URL as an example: http://www.nocowboys.co.nz/jobs/myjobs/XXXX/overview-v2 except instead of XXXX you’d have a job number. All you need to do is change the job number to the one you want to spy on and you’ll have full write-access to that job. The only security check they do is that *someone* is logged in; they don’t check who is logged in. Authentication but not authorisation.

Update : Oct 20th
It gets worse. The whole point of NoCowboys is to see opinions and ratings from other customers of the business you’re looking at to decide if you want to use them. So it’s not good that businesses can edit any review on the site. All a business needs to do is use this URL as a template and fill in the review number they’d like to edit: http://www.nocowboys.co.nz/edit-my-rating/XXXX
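Both holes above are the same mistake, usually called an insecure direct object reference: the server checks that a session exists but never that the session’s user owns the job or rating named in the URL. The following is an added example written for this post, not NoCowboys’ code, that models the job-edit and rating-edit handlers in plain Python. The data (two clients, two jobs, two ratings), the `Session`/`Job`/`Rating` types and the function names are all constructed; the route shapes follow the two URLs quoted in the post, but how the real site is implemented is unknown. The vulnerable handler keeps only the "someone is logged in" check; the fixed handlers add the ownership check and record denied cross-user attempts so they can be alerted on.

```python
"""Authentication vs authorisation: the missing ownership check from the post.
Everything here is constructed sample data and hypothetical handler names."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Job:
    job_id: int
    owner_id: int                       # the client who listed the job
    description: str
    messages: List[str] = field(default_factory=list)   # client/business correspondence


@dataclass
class Rating:
    rating_id: int
    author_id: int                      # the client who wrote the review
    business_id: int                    # the business being reviewed
    text: str


@dataclass
class Session:
    user_id: Optional[int]              # None means not logged in


class Forbidden(Exception):             # maps to HTTP 403 / redirect to login
    pass


class NotFound(Exception):              # maps to HTTP 404
    pass


# Constructed sample data: two clients (user 1 and user 2), one job and one rating each.
JOBS: Dict[int, Job] = {
    1001: Job(1001, owner_id=1, description="Prune two oaks", messages=["Quote from Business A: $400"]),
    1002: Job(1002, owner_id=2, description="Fell a pine", messages=["Quote from Business B: $900"]),
}
RATINGS: Dict[int, Rating] = {
    501: Rating(501, author_id=1, business_id=77, text="Tidy, on time."),
    502: Rating(502, author_id=2, business_id=78, text="Left a mess."),
}

# Denied cross-user attempts, kept so a defender can alert on bursts of them.
DENIED_ATTEMPTS: List[Tuple[int, str, int]] = []   # (user_id, object kind, object id)


def edit_job_vulnerable(session: Session, job_id: int, new_description: str) -> Job:
    """The pattern the post describes: checks that *someone* is logged in, nothing more."""
    if session.user_id is None:
        raise Forbidden("login required")
    job = JOBS[job_id]                  # never compares session.user_id with job.owner_id
    job.description = new_description
    return job


def _deny(user_id: int, kind: str, obj_id: int) -> None:
    """Log the attempt, then answer 404 whether the object is missing or merely
    foreign, so the response does not confirm which ids exist."""
    DENIED_ATTEMPTS.append((user_id, kind, obj_id))
    raise NotFound(f"no such {kind} for this user")


def load_owned_job(session: Session, job_id: int) -> Job:
    """Authorisation: the job must exist AND belong to the logged-in user."""
    if session.user_id is None:
        raise Forbidden("login required")
    job = JOBS.get(job_id)
    if job is None or job.owner_id != session.user_id:
        _deny(session.user_id, "job", job_id)
    return job


def edit_job_fixed(session: Session, job_id: int, new_description: str) -> Job:
    job = load_owned_job(session, job_id)
    job.description = new_description
    return job


def edit_rating_fixed(session: Session, rating_id: int, new_text: str) -> Rating:
    """Same rule for /edit-my-rating/XXXX: only the review's author may edit it."""
    if session.user_id is None:
        raise Forbidden("login required")
    rating = RATINGS.get(rating_id)
    if rating is None or rating.author_id != session.user_id:
        _deny(session.user_id, "rating", rating_id)
    rating.text = new_text
    return rating


if __name__ == "__main__":
    # User 1 rewriting user 2's job succeeds with the vulnerable handler ...
    print(edit_job_vulnerable(Session(1), 1002, "hijacked"))
    # ... and is refused (and recorded) by the fixed one.
    try:
        edit_job_fixed(Session(1), 1002, "hijacked again")
    except NotFound as e:
        print("denied:", e, DENIED_ATTEMPTS)
```

The ownership check is the whole fix; the 404-for-foreign-objects choice and the denial log are the two extras a practitioner would add, since a flat job-number sequence makes a scan for other users’ objects easy to spot once failures are counted per user.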

Update 2
NoCowboys have contacted me and are working on a fix. Apparently the contact email address wasn’t working so this was the first they heard of it :/

Update 3: Oct 21st
NoCowboys have fixed the problems. That was pretty quick from when they first read my messages. If it hadn’t been for the faulty feedback form on their site they would have had enough time to fix it in private and the world would never have known.

A reader writes

Monday, October 6th, 2008

I got an email last week from “an aspiring traveller” and it’s a question I’ve been asked a few times so I thought I’d share it.

Dear sir,
I am just curious as to how you continue your travels and have ample budgets for your expeditions. I aspire to do just what you are doing now. I would like to know how you earn your expenses along your journey.

and my response

Hi James,

If there’s a secret to my travels it’s being careful with my money and being prepared to be very uncomfortable. I take it you’ve seen both my American and Japanese walking sites. For those adventures I had almost no accommodation costs by sleeping in a tent, in temples and in the occasional abandoned tunnel. The last 6 weeks of OneManWalking was traveling in a different style. Having a girlfriend along changes things because I wouldn’t want to put her in the position of sleeping in public toilets (a big fancy disabled one with my tent’s ground sheet below). So expenses went up dramatically. When I’m back home I try not to spend too much on things I can do free. I eat in as much as possible and rarely see movies at the cinema. I was really lucky to get cheap rent about 4km from my job so I walked that every day. It was good exercise and it saved me money.

In neither case did I deliberately earn expenses along the way. Once in America I was given a free room for helping spread wood chips at an inn-keeper’s prayer park, and in Japan the locals were incredibly generous. Some people stopped and gave me fruit, some bought food from convenience stores and handed it straight to me, and some even handed me cash. I never asked for it but they felt like doing a good thing for someone taking the time to see their country in a different way. There’s a similar phenomenon on the PCT called “trail magic”: people leaving chilli-bins (coolers) in the forest full of drinks and snacks, or doing other good deeds just because they like to. You should never get to a point where you rely on these things; be self-sufficient, but be open to the idea that things usually work out pretty well.

If you do go traveling and write about it, let me know, I’ll be needing some good travelblogs for next year.

~Craig

I’m settling back in pretty well. On the job/house hunting circuits. I haven’t yet dug back into my code, I haven’t even gotten the latest version of Google Earth. But I will, and I’ll post updates to both projects when I can.