Techies, this may be your playing field!
This may be highly technical for the non-techies, but an easy playing field for those who write code.
BUT BLOGGERS BEWARE! Someone detected what looked like a password vulnerability but was challenged on it. Read here.
I am blogging this because the implicated website targets Malaysian bloggers as its aggregated ad-channels. Some of you bloggers may have deposited your password on signing-up. Let's help each other to make sure nothing is amiss.
If there are techies out there who have verified what this blogger has discovered isn't true, please share your views. If found otherwise, also share your views.
Post-Script: TenthOfMarch has also reviewed another similar (competing?) service -- an online ad-aggregator targeting Malaysian bloggers -- in two parts: Here and here.
In between the two reviews of the two competing (complementing?) ad-aggregators, there was a curtain-raiser that was followed by two cyber-spats: Here and Here.
In one of the spats, the poor blogger TenthOfMarch had to plead:
If you are still wondering whose side I am on, the answer was, and is still — neither. I’ve said this in the video, I don’t give a damn about your fights. But it looks like I stood a little too close, and have received a few blows myself.
One last thing. You don’t need to hit on me so hard.
There's a YouTube video that started the (tennis) balls and eggs (and alleged DDOS attacks) rolling:
I have alerted ALL-BLOGS to start watching: Promote blogging and protect bloggers.
After all, the visibly stressed and distressed TenthOfMarch is merely a 2-month-old blogger.
Comments
Hi Jeff, off-topic but I have to tell you that I enjoy reading your blog very much. Please keep up the good work and stand strong.
Back to the topic. I'm neutral, not affiliated to both of these ad networks. I write php for some extra pocket money.
You guys are worried about the password. There's one simple test to verify the security strength. I'm not registered to any of these 2 sites. You guys have to test it out yourself.
Go to the "Forgot Password" section, request to send the password to your email. There's gonna be 2 situations.
#1 - The password is reset and a new one is sent to your email. This is a good sign, because the value in the database is hashed. This is a one-way trick: the system can't reverse it, therefore it generates a new password upon request. It is not guaranteed 100% unbreakable if someone gets hold of the database, but it is stronger.
#2 - Your original password is sent back to your email. There are 2 possibilities here: a) the system encrypts the password value, stores it in the database and decrypts it upon request; b) the system stores the password value in plain text.
#1 is safer, if the site owner informs every user when anything goes wrong. You still have time to change your generic password in other places.
#2-a is considered safe, if the encryption key is not in the database.
#2-b is bad. A database admin can get your password easily.
I'm not sure how the form validation of Advertlets works, but it seems more improvements can be done. Allowing recurring emails is bad.
I personally do not like this kind of uninvited review of the blog owner above. I know that traffic is important nowadays. But the common practice is to inform the site owner if you find out something's not right. You don't have to step on someone else to stand out.
I sincerely hope this is not some kind of dirty competition too; there's still a lot of space for the online advertisement industry in Malaysia. Don't kill the baby in the cradle.
JEFF OOI says: Thanks Yien Bin for your valuable input. Agreed with you fully that we could share knowledge and experience for common good -- especially for the bloggers community.
Posted by: Yien Bin | April 13, 2007 11:09 PM
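Yien Bin's two "forgot password" outcomes, seen from the server side, as an added illustration (not code from the post or from either ad network). The in-memory stores, user names and passwords are constructed; the hashed store uses salted PBKDF2 so that the only thing it can do on a recovery request is mint a fresh password, while the plaintext store hands the original back.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor; raise for real deployments


def hash_password(password, salt=None):
    """Situation #1: salted one-way hash. Returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    # compare_digest keeps the comparison constant-time
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class HashedStore:
    """Constructed user table: user -> (salt, digest)."""
    def __init__(self):
        self.rows = {}

    def register(self, user, password):
        self.rows[user] = hash_password(password)

    def login(self, user, password):
        salt, digest = self.rows[user]
        return verify_password(password, salt, digest)

    def forgot_password(self, user):
        # The digest cannot be reversed, so the only option is a new random
        # password (a one-time reset link is better still); the old one dies.
        new_pw = secrets.token_urlsafe(12)
        self.rows[user] = hash_password(new_pw)
        return new_pw


class PlaintextStore:
    """Situation #2-b: user -> password, as stored."""
    def __init__(self):
        self.rows = {}

    def register(self, user, password):
        self.rows[user] = password

    def login(self, user, password):
        return self.rows[user] == password

    def forgot_password(self, user):
        # The original comes straight back: a DB admin, or anyone reading the
        # mail in transit, learns a password the user probably reuses elsewhere.
        return self.rows[user]
```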
Hi Jeff,
The site has pretty much been too slow/down since your post.
This probably looks like a scripting issue.
The most common mistake a programmer would make is not double checking before updating, especially sensitive information.
The other would simply be SQL injection (read from Google).
Consider this concept:
To add a record in the database:
http://abc/add.php?id=123&name=Avan&pass=yey
This is normally done using the POST method and hidden from the user, but nevertheless it would work with PHP/JSP/CGI by default.
Without checking the session or re-authenticating users, the record could be added easily.
Now consider this:
http://abc/update.php?id=123&pass=YOUR_NEW_PASSWORD
This would actually change the password, the same way as above.
However, life is not simple & sessions are normally in place.
A hacker would simply 'steal' a session and simulate the same request, as most programmers miss the point that other services on the network may use the same type of session.
I hope this helps.
regards
JEFF OOI says: Thanks chief.
Posted by: tjwork | April 14, 2007 12:07 AM
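The update.php concept tjwork describes, as an added example (not the comment's or Advertlets' code, written in Python rather than PHP so it runs stand-alone): the vulnerable handler trusts the `id` parameter outright, while the hardened one takes the user from the session, requires POST, and re-asks for the current password so that a stolen session alone cannot rewrite it. The user table, session table and request shape are constructed; passwords are kept in plaintext here only to keep the example short.

```python
import secrets

# Constructed in-memory tables (plaintext passwords purely for brevity).
USERS = {123: {"name": "Avan", "pass": "yey"}, 124: {"name": "Other", "pass": "secret"}}
SESSIONS = {}  # session token -> user id


def login(user_id, password):
    """Return a session token when the credentials match, else None."""
    row = USERS.get(user_id)
    if row is None or row["pass"] != password:
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = user_id
    return token


def update_password_vulnerable(method, params, cookies):
    # Mirrors http://abc/update.php?id=123&pass=NEW: any caller naming an id
    # rewrites that row. No session, no ownership check, GET or POST alike.
    uid = int(params["id"])
    USERS[uid]["pass"] = params["pass"]
    return 200


def update_password_hardened(method, params, cookies):
    if method != "POST":
        return 405                      # state changes never via GET/URL
    uid = SESSIONS.get(cookies.get("session", ""))
    if uid is None:
        return 401                      # no valid session: not logged in
    if uid != int(params.get("id", uid)):
        return 403                      # identity comes from the session, not the URL
    if USERS[uid]["pass"] != params.get("current"):
        return 403                      # re-authenticate before a sensitive change
    USERS[uid]["pass"] = params["new"]
    return 200
```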
@Yien Bin
I recorded a video to answer your comment. Together with some 'proofs' of what I claim.
What you mentioned about the 'password recovery' thing is great. Unfortunately, my lack of experience has prevented me from 'testing' it earlier. However, in the video I did show how their 'password recovery' function works.
http://www.tenthofmarch.com/2007/04/14/my-first-video-reply-to-a-comment/
Hope the video explains it all. Do leave a message if you have any further doubts or questions.
One thing I did not answer/reply to in the video is this. I am not a real-life reporter or journalist. But IF I were one and there is 'hot news' happening somewhere, I WILL be there.
Nuffnang and Advertlets have been the 'hot topic' among bloggers these days. Therefore, I believe I did nothing wrong by trying to gain some traffic by reviewing them. I did report my findings based on pure facts and research. None of the things that I reported are 'made up' -- if you know what I mean.
Posted by: TenthOfMarch | April 14, 2007 10:01 AM
Hi All,
This is Josh Lim from Advertlets.com.
With regards to the security, we're happy to say that Advertlets is secure, and not vulnerable to the issues mentioned above. Although we are still in beta (recently launched, on the 9th of March 2007), we take the protection of your personal data very seriously.
We would like to clarify that the alleged "vulnerability" is nothing more than a minor inconvenience at most.
The "verify password" field is typically used to make sure that users don't enter their passwords wrongly, hence it is to provide a facility to the users to make sure that they can type their password correctly more than once (thus, making it more likely to be typed correctly).
At the very most, the worst thing that could happen to you is that you mistyped your password the first time and cannot login, in which case you would either have to create a new account or contact us to reset your password. And if you can't login in the first place, you can't input your personal details either.
So, "verify password" is merely to make sure that you, the user can spell your password correctly, and it has no effect on the encryption or security of your password, or your user data. We will be fixing this minor inconvenience shortly, but be assured that it has no effect on the security of your data.
As Advertlets is in an early stage of launch, we always appreciate feedback from our users, and we use it to improve our service. In fact, we even go as far as to pay people to give us detailed reviews of our service, and constructive criticism.
However, as Yien Bin said earlier, the "the common practice is to inform the site owner if you find out something's not right. You don't have to step on someone else to stand out."
We believe if TenthOfMarch sincerely wants us to improve our service and is concerned about security, he would notify us first, not obsessively blog about it in the aim of increasing traffic to his very new blog.
TenthOfMarch is making claims based on faulty reasoning, without providing any solid proof.
Most unethically, he is attempting to create a claim by the means of linking together unrelated things, in the hope of scaring off non-tech savvy bloggers who might not understand, from using our service. As he himself admits on his own blog, he has no solid proof of a vulnerability however, he still repeatedly claims that there might be one.
Also, while TenthOfMarch would like to claim he is unbiased in his efforts, it is evident whose side he's on - from the banner on the right sidebar of his page of the competing service, and his claim that "this Nuffnang banner ad rocks!" (complete with a picture of his own hand adorned with Nuffnang's mascot on his blog)
Most unfortunately though, TenthOfMarch has taken his critique of Advertlets to a very inappropriate personal level, including threats of personal violence towards me (Josh Lim) in public blog comments: (scroll down)
http://bosslepton.blogspot.com/2007/04/nuffnang-vs-advertlets.html
"I swear I would have ripped off his head from his shoulders if there were no laws in this world."
I believe that the mantra of "protecting bloggers" also applies to the restraining or condemning bloggers who attack other bloggers. While everyone is entitled to their own opinion and to voice it out, it is not fair to incite, or promote physical violence against others. Neither is it fair to make and publish baseless claims against others, and pretend to be unbiased.
And well, perhaps this will give you a clear idea of what kind of person TenthOfMarch is. It also remains to be pondered why he does not blog using his real name.
We are committed to providing a great service, and are nothing short of amazed as to how much feedback the service has garnered. We understand that there will be some negative points too, along with the more positive ones, and we will keep all of them in mind in continuously upgrading our service and improving upon what we do.
In the meantime, we are already serving ads and sponsored reviews, across multiple blogs (visit our site at www.advertlets.com for more details) and you are invited to participate in our service. Rest assured, we already survived a DDOS attack and intrusion attempts - and emerged unscathed.
We are in one of the most reliable, secure datacenters (perhaps even the best) in Malaysia and we can attest to the security of our blogger and advertiser clients. We look forward to answering any questions you might have.
Posted by: Josh Lim | April 14, 2007 03:50 PM
I have done some basic SQL injection tests this morning, and it seems to be quite secure.
So there's nothing to be worried about, peeps.
Cheers.
Posted by: kīlauea | April 14, 2007 07:28 PM
Josh, I thought our 'never-ending-brawl' has ended? Why restart it here?
Our earlier brawl started in my blog after I somehow found evidence that DevilsAdvocate was linked to you, didn't it? I do not want to start another one here. I have decided not to reply to any of the accusations you have on me.
Josh, you don't have to attack me in front of everyone. You have been on TV3, 8TV, Astro Ria, NTV7, The Star, The Edge and probably 10 other sites.
On the other hand, I don't even have my photo, full name, IC Number, driving license and birth certificate in my blog. I have told you a few times before, I am just a small-time blogger. No one will ever believe me. My comments and blog have no 'weight'. You don't have to hit on me so hard.
I do not use my name in my blog but that doesn't mean what I am writing are lies. I am fully aware that I am responsible for every detail that I publish in my blog.
Posted by: TenthOfMarch | April 15, 2007 12:29 AM
From what I can tell from this recent fiasco, I think you, TenthOfMarch, have put up some good points, but please give it a rest. You don't have to continuously make a point.
Nuffnang and Advertlets both need all the support the Malaysian blogosphere has to offer since they are the only two advertisers catering to our needs. It seems that most things you've mentioned have gone out of proportion when other people misunderstand them.
We as bloggers shouldn't make speculation public unless there is real strong evidence to suggest so.
Posted by: Caracom | April 15, 2007 01:49 PM
I think both bloggers will have to keep a grip on themselves.
Slinging of threats and arguing on the fundamental rights of bloggers are clouding the issue here.
The issue is Advertlets.
Josh, keep to what you know best - ie. improve your website and business. There is little point in arguing with TenthofMarch. Your service is to your customers. If you satisfy your customer, it's a job well done. Stay focused. Be prepared for criticism - constructive or otherwise. Defend if you must, but remember - the effort is way better spent on satisfying your customers.
TenthofMarch, keep on doing your stuff. If you think it keeps you going, good for you. But remember, you are a critic. Be prepared for the hits. It's part and parcel of what you do. Don't bother going to such an extent in proving your sincerity or "truth".
If you write sensibly, people will appreciate and believe. You do have to give credit to your readers.
So guys, go back to doing what you know best. Don't even start talking about bloggers' rights, slandering and stuff. These are wider issues, beyond your comprehension at the moment.
Stick to your guns and I wish both of you great success as you represent the next generation of thinkers in Malaysia.
Posted by: AverageJoe | April 15, 2007 07:58 PM
In creating Advertlets, a system to make money through your blog, we were aware that there are definite data privacy and security concerns, especially when it comes to trusting a third party to keep your personal details and password safe. In light of this recent invitation to tech savvy members of the public to test the security of our system, and try to exploit any vulnerabilities they might find, we would like to post what happened subsequently.
We did not expect this to happen - however, we and our system were not unprepared.
We first heard of the news through our RSS feeds, and 1 phone call from a friend. So, 2 members of the team stayed awake throughout the night to watch what people would do, and react if needed. We kept track of what was happening - about 16 dummy accounts were created on the system from unique IPs, our hits rose drastically, and attempted intrusions were detected from Malaysia, Indonesia & Singapore.
From our logs, we could see as various methods were tried: SQL injection, brute force attacks, URL guessing, and social engineering. The last method was a rather interesting, if futile, attempt - someone pretended to be one of our more popular bloggers and requested us to reset their password, apparently having forgotten it. The e-mail header was spoofed to make it seem like it was an actual e-mail of that particular blogger, but we noticed that the reply-to address was another address entirely. To be sure, we checked with the blogger in question, and found that it wasn’t an actual request.
In summary, throughout all the intrusion attempts, no intruder got to do anything further than creating a few fake accounts on our system, which were easily cleared. So, there was no compromise of security at all.
Our current security system has now been proven effective in a trial by fire - so yes, Advertlets.com is indeed secure, and we can vouch for the protection of your data and password.
However, we will leave no stone unturned in our quest to take Advertlets further, and look forward to rolling out additional revenue and security features for our users, especially as our user base grows and we get more popular. Do let us know if you have any further questions, and thanks for your support!
Posted by: Josh Lim | April 18, 2007 10:01 PM
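The header check that caught the spoofed reset request above, as an added example (not Advertlets' own process or code): the From: address matches the registered blogger, but the Reply-To: points elsewhere, which is the mismatch to flag. The account table, addresses and both messages are constructed; a clean result still only means "confirm out of band", since From: itself is trivially forged.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed account table: login name -> registered e-mail address.
ACCOUNTS = {"popularblogger": "popular@example.com"}

# Constructed message modelled on the spoofed request: From: looks right,
# Reply-To: would route the new password somewhere else entirely.
SPOOFED = """From: Popular Blogger <popular@example.com>
Reply-To: helpdesk-reset@mail.example.net
Subject: forgot my password
To: support@advertlets.example

Hi, I forgot my password, please reset it and send me the new one.
"""

# Constructed message with consistent headers.
GENUINE = """From: Popular Blogger <popular@example.com>
Subject: password
To: support@advertlets.example

Can you reset my password?
"""


def check_reset_request(raw_mail, login):
    """Return (ok, reason). ok is True only when every header check passes."""
    msg = message_from_string(raw_mail)
    registered = ACCOUNTS.get(login)
    if registered is None:
        return False, "unknown account"
    _, sender = parseaddr(msg.get("From", ""))
    if sender.lower() != registered.lower():
        return False, "From does not match registered address"
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if reply_addr.lower() != registered.lower():
            # Replies (and any password sent back) would go to a stranger.
            return False, f"Reply-To {reply_addr} differs from registered address"
    # Headers agree, but From: is forgeable: verify with the blogger directly
    # (phone, or a fresh mail to the registered address) before resetting.
    return True, "headers consistent; confirm out of band"
```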