DotDragnet
Topic: Trading Eye - beware
familychoice
« on: July 15, 2011, 08:48:14 AM »

I bought a copy of Trading Eye a few months back, as some may remember, and despite a lot of negative feedback on their company forum there was also a lot of positive comments so I took the plunge.

It was nice to work with, though you could tell that the original code had been hacked about in recent months. Layout wise though it was a pleasure to use.

Our clients site went live a month ago and was hacked almost immediately. I removed the dodgy code inserted by the hackers, changed passwords for everything but a few days later it was hacked again so I removed the dodgy code again and password protected the site.

I contacted support but heard nothing back, then tried the forum which had a lot of friendly and helpful users on there. It was locked.

So I chased up support again and he (it's just one bloke now, it seems) pointed me to their new company 'forum'. I couldn't login using my old details or customer ID, and after requesting new details was finally able to login. The 'forum' consisted of three promotional posts by the company. So as well as sending another support request I posted on the forum to check to see if anyone else was having issues. It took them/him four days to respond to my support request fully, and my forum post was deleted.

This was the response from support to my request for help after my site had been hacked twice within a week:

Quote
Our software is as safe as any other on the market. We're open and honest about the security risks. If someone wants to break into NASA or the Pentagon systems, they can and occasionally do. Banks are also attacked regularly and sometimes retail stores. But these cases are extremely rare and require a lot of computational power and skill. It's far more likely that some files were just corrupted.


I hope this has provided answers to your satisfaction. If you have any additional questions, please update this ticket.

I tried to update the ticket but was told:

Quote
Your request (#4562656) has been deemed solved.

So I opened another one and asked him to please check our site and confirm that the software is secure so we can put our clients site back online. He didn't check our site but eventually replied:

Quote
We can confirm that TE has no known security issues.....We're confident that this is due to a weak password or just a virus. 

Yesterday we were sent a major security patch as it seems everyone else's sites had been hacked too, including the company website, and it seems the security issue matches the issues we had with our site. The 'forum' has come alive a bit now that other customers have found it, and I posted on there asking if this was the same issue that I'd had with my sites.

Post deleted, account suspended so as well as ropey support I can't get help via other members if I need it.

Just posting this in case anyone is thinking of using this software. Obviously considering the experience I've had above, I wouldn't recommend it.


Just another shite talking, unemployable Walter Mitty character living in a blinkered brassed-off, ITV-drama-esque world...
Dom
« Reply #1 on: July 15, 2011, 09:04:50 AM »

I feel sorry for your woes - you don't seem to have a lot of luck with things like this!

I hate hearing stories like this. It just highlights how many cowboys there are out there, and how many people are willing to take people's money for a sub-standard product, and not even admit when there's a problem.

Charisma Bypass
« Reply #2 on: July 15, 2011, 09:07:05 AM »

Quite probable that the way you go about things lends itself to vendors just wanting to be rid of you.

If it quacks like a duck, and walks like a duck and all that.
sarahA
« Reply #3 on: July 15, 2011, 09:40:06 AM »

To be fair to FC I've looked at the code and there is no security for the login procedure at all. It takes any GET or POST array, merges it into an array and then chucks that at the authentication function which simply does a

select whatever from somewhere where username = 'the username entered with no escaping/sanitising' and password = PASSWORD('no other escaping, probably not needed here but not very secure anyway, salted would be better')

Their fix, instead of maybe investigating the likes of mysql_real_escape_string() and/or salting the password, was just to do a string replace on ', ", < and > and encode them.

A typical scenario of the script/software written before thinking about security and now it's a bit large to improve security when there's only one or two developers working on it. Downside to paid for software. My guess is they knew there was a problem, they just didn't want to admit it or have others see that there was until they were overwhelmed with complaints or could figure out how to combat it.

To be honest, they've fixed one small aspect. If they're not escaping the inputs for the login, it's likely they won't be escaping other content. They're relying on magic quotes being on, which is now off by default on most PHP installs.

Charisma Bypass
« Reply #4 on: July 15, 2011, 10:48:04 AM »

Quote
Quite probable that the way you go about things lends itself to vendors just wanting to be rid of you.

If it quacks like a duck, and walks like a duck and all that.

Oh just screw off you prick.

sarahA
« Reply #5 on: July 15, 2011, 03:41:31 PM »

Email them an affiliate link to http://www.amazon.co.uk/Architects-Guide-Security-Step---step/dp/0973862106/ref=sr_1_5?ie=UTF8&qid=1310744459&sr=8-5

familychoice
« Reply #6 on: July 15, 2011, 05:02:09 PM »




I've had a reply from them saying I "must have been suspended for breaching forum policy". Since there isn't one visible on their site I've asked them to provide a link to it and to state exactly what I wrote to warrant such drastic action.

Because of the forum ban, I can't access any part of my account. So I can't download software updates (which I've paid for), documentation, and I can't access their support centre.




suedenem
« Reply #7 on: July 16, 2011, 03:13:10 PM »

Whilst TE was inept by not sanitizing inputs, it is right when it says that all software and systems are prone to potential security flaws.

When evaluating new software, I always search for "softwarename vulnerabilities".  I don't mind vulnerabilities cropping up, provided that they are patched quickly and that the same problems don't crop up time after time.  Furthermore, it's worth subscribing to some of the various security bulletin emails, which will give you early(ish) notice of vulnerabilities in the wild.

To be fair to TE, it did appear to release a patch within a few days of the vulnerability being discovered.  That's likely to satisfy Trading Standards that they've met their obligations.

So this SEO copywriter walks into a bar, grill, pub, public house, Irish bar, bartender, drinks, beer, wine, liquor...

Beware my weird, cross-dressing comment's; they are pretty standard examples of trolling.
familychoice
« Reply #8 on: July 16, 2011, 04:54:43 PM »

Quote
To be fair to TE, it did appear to release a patch within a few days of the vulnerability being discovered.  That's likely to satisfy Trading Standards that they've met their obligations.

They didn't, I reported the vulnerability a month ago but they refused to investigate it and I have a series of emails to prove this. The hacks I suffered were identical to the new issue, so if they'd met their obligations and investigated my support request like they should have then hundreds of websites would have been saved from this recent attack.

I can see why my presence on their forum could cause them embarrassment, but it hardly warrants the removal of my access to support, software updates and account information.
« Last Edit: July 19, 2011, 04:07:02 PM by familychoice »
suedenem
« Reply #9 on: July 16, 2011, 06:04:13 PM »

Did you really report the vulnerability - as in did you identify the precise shortcoming and present a security report - or simply that a site with a TE installation was compromised?

It does sound like their 1st-line customer support has reached its limit with you.  Have you tried escalating the problem further?

Good luck with Trading Standards.  Do they normally deal in the B2B arena, where caveat emptor holds more truth, or would it be something you'd have to pursue through the courts yourself?
familychoice
« Reply #10 on: July 16, 2011, 06:24:44 PM »

Quote
Did you really report the vulnerability - as in did you identify the precise shortcoming and present a security report - or simply that a site with a TE installation was compromised?

I told them as much as I knew and provided them with FTP and cpanel access. As far as I could tell from the logs no-one checked and they confirmed that there were no issues with their software.

Quote
It does sound like their 1st-line customer support has reached its limit with you.  Have you tried escalating the problem further?

As I don't have access to the support centre I can only reply to previous contacts, one of whom is the director. To be honest I think there's only two people there anyway and they have refused to restore access to my account.

You're probably right about Trading Standards so I'll look into the legal aspects.


« Last Edit: July 16, 2011, 07:04:03 PM by familychoice »
familychoice
« Reply #11 on: July 20, 2011, 09:43:07 AM »

I think Trading Eye have pretty much banned everyone from their forum now, there's just the odd post asking where everyone has gone. A quick search on Google though still shows hundreds of hacked sites so I would have expected at least a couple of posts from their customers but there's just the odd anguished cry for help:

Quote
Where has everyone gone?  Is everyone sorted now?  I've received zero help from TE over the past 7 days.
familychoice
« Reply #12 on: July 25, 2011, 01:48:36 PM »

It's been an interesting week or so on the Trading Eye 'forum'. Lots of angry and upset posters but the majority have been providing help for members left without support. The more savvy members have also been bug-fixing the fixes, and alerting (by posting) members to changes in the 'fix', as the company are simply changing their original post without alerting customers to their updates.

They've now closed comments on the thread so there will be no more community help from members, and no alerts to security updates.

Here's a few comments from the past week:

Quote
I am somewhat exasperated as I have repeatedly informed TE from the beginning that their fix is following the wrong technical approach and will have undesirable side effects.

Quote
Thank you so much Trading Eye, these fixes have worked a treat. In fact, my site is now so secure that customers can't buy anything because the order review page doesn't load. Excellent. As ever, the problem rears itself at 6pm on a Friday, so that'll be a whole weekend's sales lost. Thank you. No really, it's not like I need to make a living or anything.  Words really cannot describe how frustrating it is trying to run a business using tools and support such as yours.

No doubt the last ten days have been fairly hellish for you, but do you not have an ounce of shame that you've let Paul Gregg clear up most of your mess out of the goodness of his heart, (thanks Paul) despite the fact he doesn't work for you? It's a good job he doesn't, he'd stick out like a sore thumb, what with being helpful and everything.


Quote
The lack of communication and assistance from DpiVision/TE is absolutely appalling.

Quote
they claim to 'have notified all clients on account' but I can say that wasn't the case with my client. I only found out yesterday from the client themselves after their site had been at the mercy of the hackers for almost 7 days. Unsurprisingly the site was completely compromised and is currently offline.

Disgraceful.
« Last Edit: July 25, 2011, 01:57:01 PM by familychoice »
sickpuppy
« Reply #13 on: July 25, 2011, 02:26:58 PM »

Why doesn't someone set up an unofficial forum where users can discuss their issues and provide unofficial fixes?

familychoice
« Reply #14 on: July 25, 2011, 02:46:08 PM »

Quote
Why doesn't someone set up an unofficial forum where users can discuss their issues and provide unofficial fixes?

Maybe it's because a lot of people have had their access blocked and can't communicate with other members; for all I know there could be one going already. Community support is essential for software like this, regardless of how good (or bad in this case) the official support is. Maybe they're too busy fixing their hacked sites every day and fielding calls from angry clients or customers to set one up.

The old TE forum was excellent and I received loads of help on there before it was closed. The new forum isn't really a forum at all, more of a glorified corporate blog so yes, there definitely needs to be something set up.

It's a shame as there are some really helpful community members out there, which was a big part of the reason I bought it. There really couldn't be a worse time to block access to community support.
linesandlines
« Reply #15 on: July 25, 2011, 08:07:07 PM »

First Trading Eye forum refugee reporting for moaning duty. Evening, all.
familychoice
« Reply #16 on: July 25, 2011, 08:10:06 PM »

Quote
First Trading Eye forum refugee reporting for moaning duty. Evening, all.

lol, welcome

I've heard they've banned everyone now.
linesandlines
« Reply #17 on: July 25, 2011, 08:22:25 PM »

It's like Animal Farm. (The book, not the film or else we'd be in serious trouble)

Wanna see what they said when I warned them about impending hacks on July 12?

This in response to forwarding a weird mail to them that I'd received from a guy warning about hacks & attaching a current screen shot of the admin panel:

"This has been escalated urgently for our development team to sort. As with all random free emails you are wise to be wary, however, it does seem to be the case on your site. At this stage we have no idea why or how, and which versions this goes back to or if it affects other customers. We will get this fully tested and fixed with the most urgent priority and will let you know in due course.

Although you have no requirement to at all, it would be useful to us to know how they came across this? Are they customers? Friendly hackers? I would also ask them to not divulge this to the public until we have a fix.

I hope this has provided answers to your satisfaction."

Steve Lampkins
« Reply #18 on: July 25, 2011, 08:36:02 PM »

Don't be fooled by the so-called family's choice - check out the avatar!
linesandlines
« Reply #19 on: July 25, 2011, 09:31:37 PM »

OK, that's the newbie thoroughly confused. Nice to see that this forum abides so strictly by standard etiquette.
robwhizz
« Reply #20 on: July 25, 2011, 11:03:29 PM »

Don't worry, Steve confuses most normal folk. He used to run an entire corner, but it got shut down on health and safety grounds (though we should probably blame Dom for that, but I digress..).

So, getting back on topic, is the forum still running?

Great post Jon! I have been following the effort since you started it, and although I have understood its purpose this post does a really great job solidifying the full rationale.
familychoice
« Reply #21 on: July 26, 2011, 07:09:53 AM »


Quote
So, getting back on topic, is the forum still running?

I've been told the thread is closed for comments now, so members can't ask for help or bug-fix the fix (which they've done, several times), and their notifications were useful for me as members would alert other customers to updates and list what had been changed.

I can't access the old thread now as it's members only and I'm suspended (still haven't been told why, or shown a copy of the terms I've supposedly breached), so I'm not sure whether the thread even exists. It seems to have been replaced by a static notice, so customers are expected to continually check this page for updates if they want to keep the software they've purchased from being hacked. At the moment it's still not secure and the 'fix' apparently causes a series of major side effects.

From what I can see on Twitter other customers have now been banned as well, and are starting to talk to each other and share their bad experiences. The general consensus seems to be that they're not receiving any responses to their support requests, they're suspended from the support website, and the new fixes don't work. There have also been a lot of requests for better software recommendations.

I don't think it's possible that a company could have handled this situation any worse than this.
sickpuppy
« Reply #22 on: July 26, 2011, 08:14:55 AM »

Now there's two of you here does this make this forum a safe haven?

Welcome Trading Eyers!

robwhizz
« Reply #23 on: July 26, 2011, 08:41:42 AM »

Quote
I don't think it's possible that a company could have handled this situation any worse than this.

Sounds like it's a case of burying their heads in the sand and hoping it all blows over. Not a good tactic for dealing with paying customers. Especially when I would bet a good chunk of their business is existing customers buying for new projects.
ApricotStudios
« Reply #24 on: July 26, 2011, 08:59:57 AM »

Another Tradingeye'r, or should I say ex-Tradingeye'r, checking in.

Suspended / banned from their support forums for daring to complain as well.
familychoice
« Reply #25 on: July 26, 2011, 09:07:37 AM »

Quote
Another Tradingeye'r, or should I say ex-Tradingeye'r, checking in.

Suspended / banned from their support forums for daring to complain as well.

Welcome

Quote
I don't think it's possible that a company could have handled this situation any worse than this.

Quote
Sounds like it's a case of burying their heads in the sand and hoping it all blows over. Not a good tactic for dealing with paying customers. Especially when I would bet a good chunk of their business is existing customers buying for new projects.

It's a case of a company developing a good bit of software but then not maintaining it properly or investing in proper support, and ignoring warnings from clients when they raise issues about its security. Then when that all blows up in their face it's a case of treat your customers like crap and see if they can find someone to patch it up as cheaply as possible.

I've been looking for decent shopping cart software for years. If they'd behaved professionally during this issue I would have stuck by them and bought more copies as I acknowledge that software of this nature can be compromised and might need fixing. The mark of a good company is the manner in which they deal with security issues and the speed in which they do so. Trading Eye are failing spectacularly on both counts.

sarahA
« Reply #26 on: July 26, 2011, 09:12:34 AM »

Who needs TV when you have threads like this. Sorry, by the way, to hear you're all having a harsh time. Maybe someone could post up the typical features of TradingEye and someone with a lot of off the shelf e-commerce knowledge may be able to suggest a suitable replacement. Obviously I don't know how much work would be involved for that but I'm sure anyone here who can help with suggestions and support will do so.

Just out of interest, was it a one off payment for the TE software or ongoing for their support/releases etc.? If the latter I presume you've all blocked future payments!

Jem
« Reply #27 on: July 26, 2011, 09:14:52 AM »

Quote
It's a case of a company developing a good bit of software [..]

If Sarah's right (and I have no doubt that she is) and they passed unsanitised / unchecked data straight to the login query, that's not even close to good software ... that's a n00b error.

oi.
sarahA
« Reply #28 on: July 26, 2011, 09:18:51 AM »

Quote
It's a case of a company developing a good bit of software but then not maintaining it properly or investing in proper support

But the problem is that it was badly coded to start with. It looks to me like they've read all the books on PHP, OOP etc. but none on security. Don't get me wrong, my first ever PHP site (or two) had no security or sanitisation in and even now I have to try and think like a hacker/cracker to ensure everything is as secure as possible, but that was also 8-9 years ago and they were single build custom built sites so less likely to get targeted (and of course once I knew how to secure them I did!). However these guys have written some all singing all dancing software and not even secured the mysql inputs for the username for logging into the database and sold it over and over again.

In fact from what I remember, they also didn't even check on posted variables as they just pull everything from the REQUEST array (which combines get, post, cookies and session (I think)) and puts it into one array.

sarahA
« Reply #29 on: July 26, 2011, 09:22:31 AM »

Quote
It's a case of a company developing a good bit of software [..]

Quote
If Sarah's right (and I have no doubt that she is) and they passed unsanitised / unchecked data straight to the login query, that's not even close to good software ... that's a n00b error.

From what I could see, they read the _REQUEST array into an array, passed that through to a function and then pulled the username out and inserted it into a mysql statement. Nowhere could I see any security. Which is why they suddenly released the fix which just did a few eregi() on single/double quotes and I think hyphens, underscores. But only on the username and password. If there was even basic addslashes() security, they wouldn't have needed to fix quotes I would assume.
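The login pattern sarahA describes in Reply #3 and Reply #29 (request data concatenated into the query, MySQL PASSWORD() for storage, a character blacklist as the later "fix"), reconstructed as an added example that is not Trading Eye's code, with a hardened version beside it in modern PHP. The users(username, password_hash) table and the in-memory SQLite demo are assumptions made for the example.

```php
<?php
// Added example, not Trading Eye's code. Reconstructs the login pattern
// described in the thread (request data concatenated into SQL, MySQL's
// PASSWORD() for storage, a character blacklist as the later "fix") and
// puts a hardened version beside it. Assumes a users(username, password_hash)
// table; the demo at the bottom uses an in-memory SQLite database.

// 1. The pattern as described: whatever arrived in GET/POST/cookie goes
//    straight into the query text. Kept for contrast only, never called.
function login_as_described(PDO $db, array $request): bool
{
    $user = $request['username'] ?? '';
    $pass = $request['password'] ?? '';
    $sql  = "SELECT id FROM users WHERE username = '$user'"
          . " AND password = PASSWORD('$pass')";
    $res  = $db->query($sql);           // SQL structure now depends on input
    return $res !== false && $res->fetch() !== false;
}

// 2. The reported "fix": strip a few characters. Still concatenation, still
//    unsalted PASSWORD(); it also mangles legitimate names such as o'brien.
function login_with_blacklist(PDO $db, array $request): bool
{
    $bad  = ["'", '"', '<', '>'];
    $user = str_replace($bad, '', $request['username'] ?? '');
    $pass = str_replace($bad, '', $request['password'] ?? '');
    $sql  = "SELECT id FROM users WHERE username = '$user'"
          . " AND password = PASSWORD('$pass')";
    $res  = $db->query($sql);
    return $res !== false && $res->fetch() !== false;
}

// 3. Hardened: read only the POST body, send input as bound parameters so it
//    can never change the SQL, and store salted hashes via password_hash().
function register_user(PDO $db, string $user, string $pass): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $user, ':h' => password_hash($pass, PASSWORD_DEFAULT)]);
}

function secure_login(PDO $db, array $post): ?int
{
    $user = (string)($post['username'] ?? '');
    $pass = (string)($post['password'] ?? '');
    if ($user === '' || $pass === '' || strlen($user) > 64) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash when the account does not exist, so an
    // unknown user and a wrong password take roughly the same time.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
    $ok = password_verify($pass, $row['password_hash'] ?? $dummy);
    return ($ok && $row !== false) ? (int)$row['id'] : null;
}

// Demo with constructed data. The quote in the username is ordinary data
// here, where the blacklist above would have silently altered it.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY,
           username TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');
register_user($db, "o'brien", 'correct horse battery staple');
$checks = [
    secure_login($db, ['username' => "o'brien", 'password' => 'correct horse battery staple']) === 1,
    secure_login($db, ['username' => "o'brien", 'password' => 'wrong']) === null,
    secure_login($db, ['username' => 'nobody', 'password' => 'anything']) === null,
];
if (in_array(false, $checks, true)) {
    throw new RuntimeException('secure_login behaved unexpectedly');
}
```

Requires PHP 7.4 or later with the pdo_sqlite extension; the first two functions are kept only to show the shape of the problem and are never called.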
