Tag Archives: SorryStateOfTheWeb

The Sorry State of The Web: 3 Group Special

It’s been around 15 years since I first came across Web Pages That Suck. Coming from a time when flashy Geocities-style websites were the order of the day, it was a web nitpicker’s paradise. This is where the term Mystery Meat Navigation (which I have written about in the past) was actually invented.

The very premise behind Web Pages That Suck, “learn good web design by looking at bad web design”, is something that has fascinated me back then, and still does to this day (in fact, it is one of the main reasons behind the Sorry State of the Web series).

Today, we will look at a family of related websites (belonging to a single group of companies) which I’m sure would qualify as first class citizens of Web Pages That Suck.

Enter MyKrypto

I first heard about MyKrypto on the radio. The ad described Bitcoin as a currency just like any other – and said that you could produce it! An old version of their website, which I obtained via the Google Web Cache, is along the same lines of the radio ad:

“Malta has the Euro, UK has the Pound and USA has the Dollar, the Internet has the Bitcoin. Bitcoin is digital and produced by computers..start producing money today!!”

While it’s true you can produce Bitcoins, this feels a lot like a scam in that it’s urging people to print their own money (in a way) without telling them about the risk or the difficulty involved in actually mining Bitcoins. In fact, the website also used to say that Bitcoin mining is a secure investment:

Whether Bitcoin mining is really a secure investment is debatable (although one can get an idea by looking at market crashes that have occurred in the past). In any case, while I’m not a lawyer, I don’t believe a company can legally give investment advice unless it is an authorised financial institution, especially without evaluating the risk portfolio of potential investors.

MyKrypto Home Page

The above selling points were removed, and the site transitioned into a different realm of madness. The site’s homepage had this image with Comic Sans text:

This was eventually replaced by the text image we see today:

Although the text changed, the link behind it remained the same. It’s basically a Google link (notice the URL) that takes you to this Satasoshi graphic on Deviantart:

So, in case it’s not clear, let’s summarise the fails that occur just within that little text image:

  • Using an image to show text with a particular font.
  • Using Comic Sans on what is supposed to be a serious website.
  • Linking to a Google search result rather than to an actual webpage.
  • Completely failing to understand what you’re selling (it’s a Satoshi, not Satasoshi, and the horse has nothing to do with it).

MyKrypto Mining Page

Let’s move over to MyKrypto’s Mining page. It now looks something like this:

While the image is totally out of place – and we’ll get to it – this is on the whole not too bad. Let’s take a look at what the previous version of this page (from just a couple of weeks ago) used to look like:

First, the title.

“What is minning?”

I don’t know. Perhaps this lovely lady might be able to answer that.

Image credit: taken from Wikipedia’s Minnie Mouse page

Next, we can take a look at the text.

“Do you look up for information on the internet? Did you ever google for a product or information? Did you ever wondered how google is so intelligent by search for the right information? Google is based on mathematical calculations. FIND X. Let’s say I want to google for ‘this week top 20 music list’ as you type in the google box and press search google, google will do all the calculations to find ‘this week top 20 music list ‘. this is called Math (Algebra) when we were at school we used to have the same problem solving; – FIND X.”

It is simply beyond belief how much crap these guys have managed to fit into a single paragraph. But beyond that, take a look at the image below that paragraph in the screenshot. It’s a popular joke that has been circulating for many years: a clueless student answered a mathematical problem in a witty manner. Of course, whoever built the MyKrypto website didn’t get the joke, and put the image there as an example of mathematics. Go figure.

List of fails in this section:

  • Terrible use of English (if it can be called that).
  • Google does not solve algebraic problems to give you your search results.
  • Don’t lie about what you used to do at school, if you evidently know nothing about English, mathematics, or computing.
  • Try to understand what an image actually means, before ripping it off.
  • Try to understand what you’re talking about in the first place.

MyKrypto Audio

MyKrypto automatically plays audio.

That’s something really annoying, especially if you happen to already be playing music. It’s also of questionable legality depending on whether the site has the right to distribute that music.

Besides, using some cheesy 70s disco background music – reminiscent of Earth, Wind & Fire – is totally not appropriate on a company website.

MyKrypto Mobile

Mobile users will be disappointed to find out that they can’t really browse the entirety of the site because the navigation is simply not available:

MyKrypto Plagiarism

To be fair, messed up paragraphs like the one we saw earlier are a rare sight on this site. In fact, a lot of MyKrypto’s content is blatantly stolen from other websites.

Let’s see some examples:

I think they should plagiarise more. It would make them look a lot less silly.

CEO Plagiarism

Of course, the plagiarism on MyKrypto makes perfect sense if we look at the LinkedIn profile of 3 Group CEO Dario Azzopardi (MyKrypto is part of 3 Group):

When I first read this, I thought it was really weird as a job description. So I Googled part of it.

Google did its algebra (!), and what do you know

…and further down…

3 Group: Questionable Stuff

Having seen all this, I thought it was just as well to check what else 3 Group actually do.

3 Group do IT Services, IPTV, and E-Money. That’s a nice name for the Bitcoin stuff we’ve seen above. They actually got the link wrong, and E-Money points to IPTV.

If we take a look at IT Services, we get to this horrendous page with a background animation driving you nuts while you try to read text with very bad contrast:

Further down that page, 3 Group are trying to convince people that free antiviruses are bad, and that they should instead pay 3 Group to install McAfee for them:

Towards the bottom, you can see some grey text representing a link to Intel’s homepage. Of course, they didn’t bother to actually make it a link that you can just click on. What’s even worse is that the superhero on the left is an image overlaid onto the text where the link is, so you can’t even select and copy it.

Right, what else do 3 Group do? Ah yes, IPTV. It’s interesting how they have this “Legal” page under the IPTV section, claiming that “IPTV is 100% legal”, and quoting some court case from the European Court of Justice.

This is noteworthy because:

  • Naturally, a company encourages trust by stressing that its services are 100% legal.
  • This company knows a lot about copyright, given the aforementioned plagiarism.
  • It claims that “watching streams even those which are illegal is not an act of copyright infringement”. So it’s ok if it’s illegal, as long as it’s not copyright infringement, right?

Well, they say IPTV is legal, so it must be true.

Image credit: taken from here

That’s curious, because I could swear I recently read an article about this Kodi TV streaming service being declared illegal across the EU:

Conclusion

While 3 Group’s web design is appalling at best, this is not nearly as worrying as their questionable business practices. As an exception in this series, I hope not only that web designers/developers learn from the mistakes we have seen here, but also that potential customers do some proper research and understand what these guys are actually trying to sell to them.

The Pitiful State of the Web in May 2017 (Part 2)

This article is a continuation of The Pitiful State of the Web in May 2017 (Part 1) and a part of the Sorry State of the Web series. I and the others who contributed to the content of this series hope that web developers will learn from the mistakes of others and produce better quality websites.

Dakar: Language Issues and Insecure Login

Dakar Software Solutions is a well-known name locally, especially in the realm of payroll systems.

They had this little glitch with the language of dates in the news of their Dakinet product (which might be fixed now):

Also, Dakar joins the long list of websites that offer insecure login:

Insecure Login Galore

As you can imagine, Dakar is not alone in failing to transmit user credentials securely. We’ve seen a lot of these before, and we have a lot more to show here.

For starters, we have Freelance Malta. Since all of the site is based on insecure HTTP, the login form and both registration forms transmit credentials insecurely:

Then we have Gizmodo, the popular tech website:

KeepMePosted is a similar offender:

And then we have MyMoneyBox (part of the MFSA family), which given its name should know better about security. In fact, it seems to have now gone HTTPS, so the login is now secure. But as you can see below, it wasn’t until recently:

Couchsurfing: Invalid SSL Certificate

I recently caught the Couchsurfing blog giving invalid certificate warnings:

Oops. Looks like the certificate had expired.

Needless to say, it is useless to use HTTPS if it is not trusted. Fortunately, this issue has since been fixed.

Malta Police Force: Passwords In Email, Freedom of Information Link

The Malta Police Force website offers a number of services including filing a police report online. At the bottom of the declaration where you’re about to file a report, there’s a link to the Freedom of Information Act:

Unfortunately, it doesn’t work:

That error is actually coming from elsewhere on the government network (looks like it’s the Department of Information). Either the Malta Police Force need to fix their link to point elsewhere, or the DOI needs to fix a problem in their SharePoint system.

There’s something a lot worse, though. Some people have reported that when you file a police report, you choose a password, which is then sent to you via email.

This image was contributed by someone who actually filed a real police report. Aside from various spelling issues in the email, you can see that the password (obfuscated here for obvious reasons) is included.

This is something you always want to avoid because you can never assume that email is a secure channel on which to send sensitive information such as credentials or credit card information. Good practice is to let users choose their password over a secure channel (which the system reportedly already does), store it securely using a one-way hash, and provide the means to reset it using limited-time tokens in case the password is forgotten.

Rizzo Farrugia – Broken Link For New Equity

When new shares under the symbol “PG” were listed on the Malta Stock Exchange, Rizzo Farrugia were quick to add it to their own list:

However, they were not nearly as fast at creating the detail page that the listing links to:

No big deal there. It was fixed the next day.

PWC Refresh Form

PricewaterhouseCoopers has this newsletter signup form. It has a reset button. Something pretty normal, you’d think, until you see that it refreshes the entire page!

Form resetting functionality has been built into browsers since long before I started creating websites (15 years and counting). In this case, I see they wanted to reset the CAPTCHA. But they already have functionality to reset the CAPTCHA without reloading the page (the orange round arrow next to the CAPTCHA), so why reload the whole page just to reset a form?

IDPC: Line Spacing

The Office of the Information and Data Protection Commissioner has a form where you can submit complaints:

What I’d like to call out here is the questionable design choice of using massive line spacing, which is especially noticeable in the Complaint text area since about half of the tiny box is wasted with empty space.

Line Separator Characters

JobsPlus, whose encoding issues we have already visited in “The Broken Web of March 2017“, is now also exhibiting these weird LSEP characters:

It’s okay though. Perhaps they can’t sanitise their data, but they still get to keep their eBusiness Award!

I have also spotted the same problem at Creative Jobs:

Summary

Transmitting credentials insecurely remains one of the most common issues on websites today, and it is completely unacceptable. Depending on the nature of the user account, this might not be as risky as transmitting credit card details insecurely (something we’ve also seen in abundance over the past few months), but that does not relieve websites from their duty as data controllers to transmit sensitive data securely.

It is also important to test websites properly in order to identify broken links and data-related issues as we have seen.

Finally, secure transmission of sensitive data does not stop at using HTTPS. SSL certificates must be integral and trusted, otherwise it is just as good as not having HTTPS. Email is not a secure channel, so don’t use it to send sensitive data, especially if there exist alternative data flows where you don’t have to.

The Pitiful State of the Web in May 2017 (Part 1)

Welcome back to the Sorry State of the Web series! This is a collection of bad stuff found on so-called professional websites, contributed by both myself and others who have submitted entries. It is sad to see so many fundamental mistakes being repeated over and over again, and by calling them out, we hope to promote better quality work in web development, and as a result, a better experience on the web.

Unfortunately, this month we are once again about to see a lot of security-related violations, including insecure login and credit card processing. We will also see a lot of negligence. Thus, without further ado…

Deal: Insecure Login

deal.com.mt, like many other websites we have mentioned and will mention, support registration and login over insecure HTTP:

You will also notice the strangely superimposed text saying “Please log into this app” below the Facebook button. Certainly not an artistic style I would want to imitate.

Careers in Finance: A Different Kind of Education

Careers in Finance, a pathetically designed website that seems to be part of MFSA, has this Warnings page.

The warnings page presumably takes you to a list of unrecognised training institutions. So when you follow the link, you get…

…this. Aside from the error page, you’ll notice a hilarious misspelling of the word “Universities” in the filename. Whoever named the file was evidently alienated by more… interesting stuff at the time.

Microsoft: Runtime Error Page

I noticed a similar runtime error when accessing a webpage on Microsoft’s own website. They could have handled this better.

The Malta Independent: Sneaky Advertising

The Malta Independent had this really invasive ad covering the whole site as you load it:

If you click the link at the top-right of the ad that says “Skip and Visit Site”, you are actually taken to the website that the ad is promoting, rather than just closing the ad and letting you read the online newspaper. What a sneaky way of raising advertising revenue!

If you wanted to just close the ad, you actually had to click the “X” at the top left, which is very easy to miss.

This shameful advertising mechanism seems to be gone now, thankfully.

Mediterranean Bank: Out With the Old, In With The Crap

Last weekend, Mediterranean Bank launched their shiny new internet banking platform, after a whole weekend of planned downtime for the changeover.

Existing users have to undergo a migration process, and this is fraught with flaws.

The first thing you see in this new system is a field requesting a “Client number”. The problem is, nobody has any idea what this client number is. In the old system, we used to use a username and various other fields, but no client number. And sure enough, if you enter something invalid, an error appears, telling you to enter your old username if you are using the new platform for the first time.

That would have been useful to have before you try to login.

After that, you have to enter your surname. So they made a whole webpage just for you to enter your surname (yes, full page reload).

To migrate your account, you have to enter all the stuff you used to have in the old system (understandably, because you have to be authenticated). That includes a secret question:

Now, using secret questions is already arguably very stupid in the first place. But not obfuscating the answer (which the old system did properly, by the way), is just terrible from a security standpoint. Security answers, while not passwords in themselves, are password-like material. You do not want someone looking over your shoulder to be able to read them just because you are typing them in.

Moving on to the less serious and more silly flaws, it seems like Mediterranean Bank have taken inspiration from JobsPlus (see the March issue) and put in a language selector with just English in it:

You can choose between English… and English.

What about that cookie policy at the bottom? They ask you to read their cookie policy, but there is no link. It looks like they just forgot to include it, because their main website (i.e. not the online banking part) has it:

Sport Malta: Insecure All The Way

Sport Malta, another website by Cyberspace Solutions Ltd. (a company well-known to this series – see “Lost in Cyberspace in February 2017“), was caught processing credit cards and login insecurely:

It seems like they now have HTTPS, but it doesn’t quite work because of mixed content:

Poor guys. They can’t seem to get one thing right.

EUROPA: Cobwebs and Such

Like Sport Malta, the website of the European Union has a bit of a mixed content issue that invalidates its HTTPS setup:

So like any good citizen would do, I decided to report the issue. In their contact form, you can specify what browser you’re using. Well, the browser versions in the list are ancient (I was using Chrome 58, and the latest one in their list is 40; likewise, although I was using Firefox 53, I could only choose up to Firefox 34. They even managed to misspell the Konqueror web browser.

Anyway, I reported the HTTPS problem, and also asked them nicely to update the browser versions on the contact page. When you write to them, they tell you that it can take about 3 days for them to get back to you.

And that’s exactly what happened. Today, I received a reply, which said:

“Would you kindly clarify if you are referring to some specific webpages?
You may contact us again in any of the 24 EU official languages via our webform which is available here:
https://europa.eu/european-union/contact/write-to-us_en
This clarification would enable us to forward your message to the relevant department of the European Commission for information purposes.”

So basically, having taken 3 days to reply, these guys didn’t even bother to browse their own website’s homepage. And contacting me back through a no-reply email address, they expect me to fill in that form again, just so that I can tell them what they could already have determined themselves, and then forward it to some department where it would then get lost in a bureaucratic hole.

No thanks.

Spotlancer: Insecure Login

Just more of the same from Spotlancer:

TicketArena: Insecure Credit Card & Login

Be careful where you buy your tickets from! Ticket Arena is served over insecure HTTP, yet it processes credit card info:

…and credentials:

“Your credit Card is 100% Safe and Secure,” they said. “We use the latest standards for security with Comodo,” they said.

Image credit: taken from here

Summary

As I’ve repeated ad nauseam over the past articles, you simply cannot process sensitive data (including passwords and credit card details) over an insecure channel. It doesn’t matter if you’re using an HTTPS iframe inside an insecure HTTP-served page. It’s simply not enough.

Websites also need to be tested better. Several websites that we have seen in this article have various problems of different severity levels that could have easily been caught earlier with a little more attention.

We’ll see more issues along these lines in Part 2. In the meantime, I would like to thank all those who sent reports for entries that were included in this article, and I welcome submissions for the June issue.

The Shameful Web of April 2017 (Part 2)

This article is a continuation of The Shameful Web of April 2017 (Part 1) and a part of the Sorry State of the Web series, in which I and various contributors show various blunders in supposedly professionally made websites in order to promote a better web.

The Hive: Mixed Content

At the time of writing this article, The Hive still has an issue with its HTTPS connectivity in that it is considered insecure because it’s using a resource that isn’t coming over HTTPS.

If you want your site to be served over HTTPS, then any images, scripts, and any other resources that it uses must also be served over HTTPS.

Malta Stock Exchange: Content Should Come First

Think of this: if I trade on the stock exchange, I would like to be able to see stock and share prices quickly.

So let’s go to the Malta Stock Exchange website:

(By the way, until a few days ago, there was a nice big photo of Fort St. Angelo instead of this Latest News section. It still gets in the way of finding the information you want, but it looked a lot more silly with a nice picture of the Fort, and I wish I had grabbed a screenshot back then.)

Now, we have to scroll halfway down the page:

Then, we need to expand “Regular Market”…

…and finally, we can see the prices we were looking for. Unfortunately, this is not very intuitive if you’re visiting the site for the first time, and it is a real pain in the ass to have to do this every time you want to check the share/stock prices. This is the information that people want to see most of the time, and it should be the first thing presented on the site, not buried somewhere far down the page.

There is nothing intrinsically ‘wrong’ with this in the sense of many other serious flaws that I usually write about in these articles. However, from a usability point of view, it really sucks.

MTA: Load Times and Insecure Login

The Malta Tourism Authority website is a terrible failure in terms of load time: it usually takes over 20 seconds to load.

As if that wasn’t enough, it offers an insecure login facility, which you’ll know to be a serious Data Protection violation if you’ve read previous articles in this series.

Olimpus Music: Insecure Login

Another offender in the category of insecure logins is Olimpus Music.

Basically, don’t use their online checkout facility until they use an encrypted connection.

Owner’s Best – A Real Mess

In “The Broken Web of March 2017 “, we covered some issues with the Owner’s Best website. I see they still haven’t fixed the “Error : Rows Not Set” bug that you can still see if you scroll to the bottom of the page, and neither did they fix the property detail links scrolling down to the contact form and confusing people as a result.

But there’s more. And worse.

For starters, they have a “Property TV” link in the navigation.

Sounds interesting! Let’s see what it does.

Boom. Dead link.

Okay. Let’s try searching for something from the homepage. Oops, I forgot to enter a budget – my bad.

But what the hell is this Fulcrum Alert? And what is wrong with the close buttom? That was a rhetorical question actually. Image 404s in console:

Oh dear. Okay. Let’s put in a budget then.

I put in 10,000. Hey, I’m broke. Obviously, nothing matched, and I got a sad message saying “None properties found”. Yes, you has very good England.

Now I put in a budget of 10 million. That means that I’m super rich, and I’m ready to spend anything up to 10 million on a single property. I got 3 results. Wow. These guys must deal in some real luxury stuff. In fact, two of the results are over budget.

The above search results are based on a 5-million-Euro budget. It gave me this one 4.3-million-Euro bungalow in Dingli. Why didn’t I get this when I searched with 10 million Euros as a budget? 4.3 million is less than 10 million, right?

Now I searched with a budget of 100,000 Euros. Not only do we get all these nice results that would have fitted quite nicely within the several-million-Euro budgets we pretended to have earlier, but we also get properties that are beyond budget, like the one at the top right and the one at the bottom right.

In summary, let’s just say that the search functionality at the Owner’s Best website works in mysterious ways, whether that is intentional or not.

Seasus – Insecure Login

Let’s welcome Seasus among the ranks of the websites that offer an insecure login form:

It is touching to see how much they care about their clients.

Something Different – Various Issues

Let’s take a look at Something Different, a website by Untangled Media (we’ve covered some more of their work in the past).

First, they accept credit card details over an insecure connection. That’s bad. Very bad.

Of course, the credit card iframe itself uses HTTPS, but it’s an HTTPS iframe embeded in an HTTP page, which is still insecure (and illegal – see “The Sorry State of the Web in 2016“), and there is no padlock icon necessary to provide the user with the trust guarantees s/he needs in order to give out his/her sensitive information on the web.

Login is also served insecurely, as you can see above.

We can see another instance of this, as well a lack of a lot of basic validation, in the user registration process:

As you can see above, you can fill in bogus data for most fields. There isn’t even a simple check on the structure of the email address.

In the second step of user registration, you choose a password. Insecurely, of course.

And that’s it! Congratulations for registering your invalid account insecurely!

In this section, we took a look at Something Different. Or rather, more of the same.

Untangled Media / Winit

In Untangled Media‘s Web Publishing section, you’ll find references to various sites including Something Different (see previous section) and something called winit.com.mt:

As they say in the summary, “Everybody loves winning things.” So do I! Let’s follow the link and check out the site.

Oops. Let’s try going to the root of the domain instead.

Win it indeed! It’s more like Untangled Media have lost it.

Summary

April has been a very busy month for spotting issues on websites. We’ve seen a lot of serious security flaws (e.g. insecure login and credit card processing) that have been covered extensively throughout this series.

However, we’ve also spotted a number of issues including high loading times (on one occasion due to the use of large images without thumbnails) and various usability problems. Always keep in mind that websites need to deliver information (whether to sell or otherwise), and thus, information needs to be delivered in a timely, clear, and intuitive manner.

Let’s hope that this article makes some people chuckle, and makes others do a better job of building websites!

Thanks for reading, and stay tuned for the May edition of The Sorry State of the Web! If you find any issue that you would like to include in this series, we would love to hear about it.

The Shameful Web of April 2017 (Part 1)

This article is part of the Sorry State of the Web series, which aims to raise awareness about common and fundamental issues in supposedly professional websites in order to push web developers and designers to raise the bar and deliver at least decent user experience. Since a lot of issues were noted in April 2017, the April issue will be split into two parts. I would like to thank those readers of Gigi Labs who contributed several of the entries in this article.

JobsPlus Receives e-Business Award

In the March 2017 issue of the Sorry State of the Web series, I had pointed out some really basic flaws in the JobsPlus website. That didn’t keep it from receiving an award for “best technology in the e-Government sector”.

Image credit: taken from here

Facebook’s Intrusive Login Prompt

If you view a video on Facebook and you aren’t logged in, you get this login prompt that practically takes up the entire window:

There’s a tiny “Not Now” link at the bottom that you can click. This doesn’t actually remove the prompt, but makes it smaller and moves it to the bottom:

Unfortunately, there seems to be no way to close it, and it still takes up a significant portion of the screen, especially if you are on a laptop. Not very nice!

Don’t Send Passwords via Email

I got this email from a web hosting company:

They never learn. You should never send passwords via email. There is absolutely no guarantee that emails are transmitted via secure channels, so you should assume that it is insecure by default. Instead, let the user choose a password on your website, when the content is served over HTTPS.

Links Should Actually Work

We all know how annoying broken links are, but RightBrain have found a way to match that frustration using links that actually work:

The social media icons at the bottom-right actually point to the website’s homepage, rather than to the social media portrayed by the icons.

It’s not enough that links aren’t broken. Make sure they actually go to the right place!

Microsoft .NET Core Documentation

If you want to learn a little C#‎ (whatever that is supposed to mean), you’re in luck. Microsoft has some tutorials about it:

Seriously though, the .NET Core documentation had some funny HTML entities running around in its sidebar, as you can see above. Very careless, but it looks like they’ve noticed, because this has now been fixed.

Another area where .NET Core documentation is still lacking is in printer-friendliness:

I have written in the past how making webpages printer-friendly is really easy yet very often overlooked. In fact, in the example above, you get around 10 pages of printed content, and the rest of 67 pages which are blank. I have raised this with Microsoft. It seems to be fixed in some browsers (e.g. Edge), and mitigated in Chrome. It’s no longer 67 pages, but at the time of writing this article, you still get quite a few blanks.

Finally, I noticed an issue with their HTTPS. As you can see, you don’t get the padlock indicating that the connection is properly encrypted:

Apparently it’s due to mixed content:

This only happened to me using Firefox on Linux though.

Dear Steve

High up on the list of biggest fails ever in this series is the MySmile dental clinic. There is this contact page with instructions from the dental clinic to a certain “Steve” (presumably from Just Some Coding Ltd, who developed the website) on improvements to make:

Although some pages and links seem to have been renamed, the old “Contact” page shown above is still online!

In any case, Steve didn’t really give a shit, because the map point that he was asked to change still points to the exact same place.

Language Confusion

Unlike JobsPlus, DR Gaming Technology‘s website is really multilingual. In fact, it supports so many languages that one of the language flags actually ended up sitting over the search box:

Despite the language selection, The Latest News box to the right includes many languages at the same time, including English, German and Spanish:

Timely CORS Issue

A friend noted that one of the fonts (Times New Roman) used on the login form of Timely (a web app that I love to hate) looked very out of place.

In fact, the developers never intended to use Times New Roman. They wanted a font called Avenir, but the browser defaulted to Times New Roman due to a CORS issue:

Timely fixed this issue within hours, but it wasn’t timely enough to keep me from taking screenshots.

Use Thumbnails

On some articles at Forbes, the images take ages to load. For instance:

What is more depressing than the job ads mentioned in the article? The fact that the image embedded in that page is actually a really large image:

It should be common knowledge now, in 2017, that you should embed a small version of the image (a thumbnail), and link to a larger version. This way, the image won’t impact page loading time, but the people who want to see the detail can opt to do so. This is especially important in galleries with lots of images.

To Be Continued…

More to follow in Part 2.

The Broken Web of March 2017

This article is the March 2017 issue of the monthly series that started with “The Sorry State of the Web in 2016“, showing all kinds of blunders on websites ranging from the silly to the insecure and illegal. While I spot a good number of these myself, many are brought to my attention by contributors, and I would like to thank them all.

JobsPlus

JobsPlus, which is the ridiculous new name for what used to be ETC, had launched a new website as part of their rebranding.

Despite that, their content still can’t handle apostrophes, not to mention basic formatting such as bulleted lists:

At least, it was built with internationalisation in mind. In fact, you can choose a language…

…with a single selection of English. That’s very useful indeed!

JobsPlus also have a service where they send a daily email with all new vacancies. Typically there are no new vacancies during weekends, but they still send an empty email. This has been going on for around 10 years if not more (formerly as ETC, of course).

Henley Malta

The Henley MBA might teach you many useful things, but building a basic website is definitely not one of these!

In fact, here are two basic things you should never have on your website:

  1. Broken images
  2. Misleading links that unexpectedly open your email application.

Just Some Coding

The only thing worse than a misleading link is something that looks like a link but is not, as you can see on Just Some Coding Ltd‘s website.

There are many ways to emphasise text on the web, but underlining is not a good one. Underlining is usually associated with a link, so when you see big green underlined text like “art” or “functional”, the typical user might try to click on it, only to realise that it’s not actually a link.

Maypole

Maypole is yet another website insecurely accepting credit card information:

Secured by Thawte indeed, but there’s no padlock. We’ve been through this several times before and I won’t bore you by repeating the details, but refer back to “The Sorry State of the Web in 2016” if you don’t understand why this is bad.

MFSA Registry

Let’s also welcome the MFSA Registry into the the realm of oft-repeated security issues, in this case that of having an untrusted SSL certificate:

As if that wasn’t enough, the same website also accepts login details over an insecure connection:

Bank Cross-Origin Issue

I recently caught some functionality in a local bank’s webite that was completely broken because of this cross-origin problem:

That’s not nice to have in a production environment.

Owner’s Best

Owner’s Best recently launched a new website, and not without issues. Until the time of writing this article, you can still see “Error: Rows Not Set” at the bottom of the page:

At one time, I was checking out a particular property, and they have these buttons on the side where you can see the floor plan and other details:

When clicking one of these buttons, however, I was taken to this contact form:

I was really confused by the fact that this contact form came up instead of the floor plan I was expecting, and the back button wasn’t working either.

What actually happened was this: the contact form is actually right below the property detail shown in the earlier screenshot, so properties that don’t have additional info will cause those buttons to link to an empty anchor, which has the side effect of bringing the contact form to the top of the page. The least they could have done is hide the buttons if the relevant detail is not there for the current property.

Roller Blades Malta

There’s one important lesson we can take away from Roller Blades Malta: don’t enter website content when you’re drunk.

Star Web Malta

Woe be upon thee, if thou hast an invalid WoeID:

Transport Malta

We all love Transport Malta, and for those who want to actually communicate their love, they have a contact form (note also the messed up action / social media list on the side):

Unfortunately, however, they don’t want to receive your love. The contact form goes to this page:

Transport Malta also joins the list of websites that accept login details on an insecure channel:

TVM

TVM‘s website, unlike that of JobsPlus, is in both English and Maltese. However, they forgot to translate “Sign In / Register” in the Maltese version:

WhatsOn

whatson.com.mt is another website accepting login details over an insecure channel:

Before you can login or register, though, you have to get past the cookie-acceptance text that comes up in front of the login/register form. This text tells you that you have to accept cookie usage to proceed, but the site has already set cookies regardless of your acceptance.

Xamarin University

When you sign up for Xamarin University, you have to consent to Microsoft to spam you.

While they say that you can unsubscribe at any time, I don’t want Microsoft sending me trash in the first place.

I also was unable to access some of the site’s functionality, because their JavaScript was broken:

Summary

We’ve seen quite a few bad things in this article, and I have even more lined up for the April issue. As always, feel free to bring to my attention any blunders you have experienced and feel should be included.

I have summarised various points to improve upon in earlier articles, and feel there would be little benefit by repeating them in this one.

However, I just want to remind everyone why I am writing these articles: it’s not to put shame on any particular website, but to learn about the bad things on the web today and avoid repeating them in the future. These experiences are painful to visitors of such websites, and embarrassing for the website developers and the companies commissioning them. Let’s all learn from our mistakes and create a better web for all!

Lost in Cyberspace in February 2017

This article continues the series started with “The Sorry State of the Web in 2016“, showing various careless and irresponsible blunders on live websites.

Virtu Ferries

A friend reported that the website for Virtu Ferries accepts credit card details over a non-HTTPS connection, specifically when you create a new booking. When I went in and checked, I confirmed this, but also found a number of other issues.

We can start off with a validation error that appears in an orange box in Italian, even though we are using the English version of the website:

Then, we can see how this website really does accept credit card details over an HTTP (as opposed to HTTPS) connection:

This is similar to Lifelong Learning (refer to “The Sorry State of the Web in 2016” for details on that case and why it is bad) in that it uses an HTTPS iframe within a website served over plain and unencrypted HTTP. I have since confirmed that this practice is actually illegal in Malta, as it violates the requirements of the Data Protection Act in terms of secure transmission of data.

Given that the website accepts credit card details over an insecure connection, you obviously wouldn’t expect it to do any better with login forms and passwords:

If you take long to complete the booking, your transaction times out, and you are asked to “Press Advance to Retry”:

 

But when you do actually press the Advance button, you get a nice big ASP .NET error:

This is really bad because not only is the website broken, but any errors are actually visible from outside the server, as you can see above. This exposes details about what the code is doing (from the stack trace), third party libraries in use (Transactium in this case), and .NET Framework and ASP .NET versions. This is a serious security problem because it gives potential attackers a lot of information that they can use to look for flaws in the web application or the underlying infrastructure.

Lost in Cyberspace

At the bottom of the Virtu Ferries website, you’ll find that it was developed by Cyberspace Solutions Ltd. By doing a quick Google search, we can find a lot of other websites they made that have serious problems, mainly related to insecure transmission of credentials over the internet.

For example, BHS, with its insecure login form:

Same thing for C. Camilleri & Sons Ltd.:

And for Sound Machine:

The Better Regulation Unit displays a big fancy padlock next to the link where you access a supposed “Protected Area”:

…but in reality, the WordPress login form that it leads you to is no more secure than the rest of the site (so much for better regulation):

Malta Dockers Union: same problem with an insecure login form:

Malta Yachting (the one with the .mt at the end) has a less serious and more embarrassing problem. If you actually click on the link that is supposed to take you back to the Cyberspace Solutions website, you find that they can’t even spell their company name right, AND they forgot the http:// part in their link, making it relative:

Another of Cyberspace Solutions’ websites is Research Trust Malta. From the Google search results of websites developed by Cyberspace, you could already see that it had been hacked, in fact:

 

Investing in research indeed. This has since been fixed, so perhaps they are investing in better web developers instead.

This is quite impressive: all this mess has come from a single web development company. It really is true that you can make a lot of money from low quality work, so I kind of understand now why most software companies I know about just love to cut corners.

ooii

ooii.com.mt, a website that sells tickets for local events, has the same problem of accepting login information over an insecure connection.

I haven’t been able to check whether they accept credit card information in the same way, since they’ve had no upcoming events for months.

Tallinja

Similar to many airlines, Malta Public Transport doesn’t like apostrophes in surnames when you apply for a tallinja card:

In fact, they are contesting the validity of the name I was born with, that is on all my official identification documents:

Summary

This article was focused mainly on websites by Cyberspace Solutions Ltd, not because I have anything against them but because they alone have created so many websites with serious security problems, some of which verge on being illegal.

You might make a lot of money by creating quick and dirty websites, but that will soon catch up with you in terms of:

  • Damage to your reputation, threatening the continuity of your business.
  • The cost of having to deal with support (e.g. when the blog you set up gets hacked).
  • Getting sued by customers when something serious happens to the website, or by their clients when someone leaks out their personal data.
  • Legal action from authorities due to non-compliance with data protection legislation.

The Weeping Web of January 2017 (Part 2)

This is a continuation of my previous article, “The Weeping Web of January 2017 (Part 1)“.  It describes more frustrating experiences with websites in 2017, a time when websites and web developers should have supposedly reached a certain level of maturity. Some of the entries here were contributed by other people, and others are from my own experiences.

EA Origin Store

When resetting your password on the EA Origin Store, the new password you choose has a maximum length validation. In this particular case, your password cannot be longer than 16 characters.

This is an incredibly stupid practice, for two reasons. First, we should be encouraging people to use longer passwords, because that makes them harder to brute force. Secondly, any system that is properly hashing its passwords (or, even better, using a hash algorithm plus work factor) will know that the result of a hashed password is a fixed length string (regardless of original input length), so this is not subject to any maximum column length in a database.

Untangled Media

If you scroll through the pictures of the team at Untangled Media, you’ll see that the last one is broken. Ironically, it seems that that person is responsible for content.

Needless to say, broken images give a feeling of neglect that is reminiscent of the mythical broken window from The Pragmatic Programmer.

Outlyer on Eventbrite

Another thing that makes sites (and any written content, for that matter) look unprofessional is typos. If you’re sending an SMS to a friend, a typo might be acceptable. If you’re organising an event to launch a product, three typos in the same sentence don’t give a very good impression.

BRND WGN

The first thing you see on the BRND WGN website is an animation taking up the whole screen, switching around frantically like it’s on drugs:

There are only three things you can do to learn more about what the site has to offer: play a video, click on (literally) a hamburger menu, or scroll down.

While I’m not sure this can be reasonably classified as mystery meat navigation, it does no favours to the visitor who has to take additional actions to navigate the site. While the hamburger icon looks like a cutesy joke, it looks silly on what is supposed to be a professional branding website, and hides the site’s navigation behind an additional layer of indirection.

This is a real pity, because if you scroll to the bottom, the site actually does have well laid out navigation links you can use to get around the site! These should really be the first thing a visitor sees; it makes no sense that they are hidden at the bottom of the page.

I also noticed that if you click on that hand in the bottom-right, you get this creepy overlay:

The only reasonable reaction to this is:

Image credit: taken from here.

Daphne Caruana Galizia

The controversial journalist and blogger who frequently clashes with public figures would probably have a bone to pick with her webmaster if she knew that the dashboard header for her WordPress site was visible for not-logged-in users while she was logged in last week:

While this won’t let anyone into the actual administrative facilities (because a login is still requested), there’s no denying that something went horribly wrong to make all this visible, including Daphne’s own username (not shown here for security reasons).

Identity Malta

The Identity Malta website has some real problems with its HTTPS configuration. In fact, Firefox is quick to complain:

This analysis from Chrome, sent in by a friend, shows why:

Ouch. It defeats the whole point of using SSL certificates if they are not trusted. But that’s not all. Running a security scan against the site reveals the following:

Not only is the certificate chain incomplete, but the scan identified a more serious vulnerability (obfuscated here). An institution dealing with identity should be a little more up to speed with modern security requirements than this.

Another (less important) issue is with the site’s rendering. As you load the page the first time or navigate from one page to another, you’ll notice something happening during the refresh, which is pretty much this:

There’s a list of items that gets rendered into a horizontally scrolling marquee-like section:

Unfortunately, this transformation is so slow that it is noticeable, making the page load look jerky at best.

Battle.net

I personally hate ‘security’ questions, because they’re insecure (see OWASP page, engadget summary of Google study, and Wired article). Nowadays, there’s the additional trend of making them mandatory for a password reset, so if you forget the answer (or intentionally provide a bogus one), you’re screwed and have to contact support.

If you don’t know the answer to the silly question, you can use a game’s activation code (haven’t tried that, might work) or contact support. Let’s see what happens when we choose the latter route.

Eventually you end up in a form where you have to fill in the details of your problem, and have to provide a government-issued photo ID (!). If you don’t do that, your ticket gets logged anyway, but ends up in a status of “Need Info”:

The idea is that you need to attach your photo ID to the ticket. However, when you click on the link, you are asked to login:

…and that doesn’t help when the problem was to login in the first place.

It’s really a pain to have to go through all this crap when it’s usually enough to just hit a “Reset Password” button that sends you an email with a time-limited reset link. Your email is something that only you (supposedly) have access to, so it identifies you. If someone else tried to reset your password, you just ignore the email, and your account is still fine. In case your email gets compromised, you typically can use a backup email address or two-factor authentication involving a mobile device to prove it’s really you.

Security questions are bullshit; they provide a weak link in the security chain and screw up user experience. Let’s get rid of them sooner rather than later.

Malta Health Department

It is a real pity when a government department’s website loses the trust supposedly provided by HTTPS just because it uses a few silly images that are delivered over HTTP.

The Economist

Remember how you could read any premium article on The Times of Malta by just going incognito in your browser (see “The Sorry State of the Web in 2016“)? Seems The Economist has the same problem.

Article limit…

…no article limit…

Remember, client-side validation is not enough!

On a Positive Note, Mystery Meat Navigation

I’m quite happy to see that mystery meat navigation (MMN) seems to be on its way out, no doubt due to the relatively recent trend of modern webites with simple and clear navigation. I haven’t been able to find any current examples of MMN in the first five pages of Google results when searching for local web design companies, so it’s clear that the local web design industry has made great strides compared to when I wrote the original MMN article.

Summary

This is the third article in which I’ve been pointing out problems in various websites, both local and international. After so many years of web development, designs might have become prettier but lots of websites are still struggling with fundamental issues that make them look amateurish, dysfunctional or even illegal.

Here are some tips to do things properly:

  • If you’re accepting sensitive data such as credit cards of passwords as input, you have to have fully-functional HTTPS.
  • Protect yourself against SQL injection by using parameterised queries or a proper ORM.
  • Test your website. Check various kinds of inputs, links, and images. Don’t waste people’s time or piss them off.
  • Use server-side validation as well as client-side validation.
  • Ensure you have proper backup mechanisms. Shit happens.

The Weeping Web of January 2017 (Part 1)

Not even a month has passed since I wrote “The Sorry State of the Web in 2016“, yet I already find myself having to follow up with new material detailing things that should be things of the past. Because in 2017, we really should know better. Some of the entries here were contributed by other people, and others are from my own experiences.

[Credit: image taken from here]

GitLab

You might have heard a few times how a company did something really stupid that messed up its business and reputation, like the Patreon Security Breach. Well, just today, GitLab went down with a bang:

How did that happen?

Ouch. But everyone makes mistakes, right? Let’s see the incident report (emphasis mine):

  1. “LVM snapshots are by default only taken once every 24 hours. YP happened to run one manually about 6 hours prior to the outage
  2. Regular backups seem to also only be taken once per 24 hours, though YP has not yet been able to figure out where they are stored. According to JN these don’t appear to be working, producing files only a few bytes in size.
  3. Disk snapshots in Azure are enabled for the NFS server, but not for the DB servers.
  4. The synchronisation process removes webhooks once it has synchronised data to staging. Unless we can pull these from a regular backup from the past 24 hours they will be lost
  5. The replication procedure is super fragile, prone to error, relies on a handful of random shell scripts, and is badly documented […]
  6. Our backups to S3 apparently don’t work either: the bucket is empty
  7. We don’t have solid alerting/paging for when backups fails, we are seeing this in the dev host too now.

“So in other words, out of 5 backup/replication techniques deployed none are working reliably or set up in the first place. => we’re now restoring a backup from 6 hours ago that worked”

This explains where the name “GitLab” came from: it is a lab run by gits. Honestly, what is the point of having backup procedures if they don’t work, and were never even tested? You might as well save the time spent on setting them up and instead use it for something more useful… like slapping yourself in the face.

Booking.com

Like its airline cousins, booking.com is a bit touchy when it comes to input data. In fact, if you’ve got something like a forward slash or quotes in your address, it will regurgitate some nice HTML entities in the relevant field:

Smart Destinations

The problems I’ve had with my European credit card not being accepted by American websites (usually due to some validation in the billing address) apparently aren’t limited to US airlines. Just yesterday, while trying to pay for a Go Los Angeles card, I got this:

Hoping to sort out the issue, I went to their contact form to get in touch. After taking the time to fill in the required fields:

…I found to my dismay that it doesn’t actually go anywhere:

So much for the response within 24 hours. The destinations may be smart, but the developers not so much.

Ryanair

I’ve been using Ryanair for a while, so I recently thought: why not register an account, to be able to check in faster? So I did that.

Last week, I opted to do my online check-in as a Logged In User™. When I logged in, I got this:

I found out from experience that you’re better off checking in the usual way (e.g. with email address and reservation number). At least it works.

Super Shuttle

Booking with Super Shuttle involves a number of steps, and between each one, you get a brief “loading”-style image:

As you would expect, it sits on top of an overlay that blurs the rest of the page and prevents interaction with it. Unfortunately, this has a bad habit of randomly getting stuck in this situation, forcing you to restart the whole process.

Another thing about Super Shuttle is that you can actually include a tip while you’re booking:

Wait. Why would anyone in his right state of mind want to tip the driver before he has been given a good service? What if the service actually sucks?

Malta VAT Department

If you go to VAT Online Services, and try to login at the “Assigned or Delegated Services” section…

…you see an error page that seems like it survived both World Wars.

Well, at least it’s secure!

To Be Continued…

Adding all the entries for January 2017 into this article would make it too long, so stay tuned for Part 2!

If you have any similar bad experiences with websites, send them in!

The Sorry State of the Web in 2016

When I republished my article “Bypassing a Login Form using SQL Injection“, it received a mixed reception. While some applauded the effort to raise awareness on bad coding practices leading to serious security vulnerabilities (which was the intent), others were shocked. Comments on the articles and on Reddit were basically variants of “That code sucks” (of course it sucks, that’s exactly what the article is trying to show) and “No one does these things any more”.

If you’ve had the luxury of believing that everybody writes proper code, then here are a few things (limited to my own personal experience) that I ran into during 2016, and in these first few days of 2017.

SQL Injection

I was filling in a form on the website of a local financial institution a few days ago, when I ran into this:

It was caused by the apostrophe in my surname which caused a syntax error in the SQL INSERT statement. The amateur who developed this website didn’t even bother to do basic validation, let alone parameterised queries which would also have safeguarded against SQL injection.

Airlines and Apostrophes

My experience with airlines is that they tend to go to the other extreme. In order to keep their websites safe, they simply ban apostrophes altogether. This is a pain in the ass when your surname actually has an apostrophe in it, and airlines stress the importance of entering your name and surname exactly as they show on your passport.

United Airlines, for instance, believe that the surname I was born with isn’t valid:

Virgin America, similarly, takes issue with my whole full name:

We’re in 2017. Even shitty Air Malta accepts apostrophes. All you need to do is use parameterised queries or a proper ORM. Using silly and generic error messages doesn’t help avoid customer frustration.

Plagiarism

Speaking of Air Malta, here’s a classic which they ripped off from some other US airline:

US Federal law? In Malta? Go home, Air Malta. You’re drunk.

Don’t Piss People Off

I’ve had a really terrible experience with booking domestic flights with US airlines. There is always some problem when it comes to paying online with a VISA.

United Airlines, for instance, only accepts payments from a specific set of countries. Malta is not on that list, and there is no “Other” option:

Delta gives a variety of billing-address-related errors depending on what you enter.

Southwest provides fields to cater for payments coming from outside the US:

And yet, you need to provide a US State, Zip Code and Billing Phone Number.

The worst offender, though, is Virgin America. While the overall experience of their AngularJS website is quite pleasant, paying online is a hair-ripping experience. If you choose a country where the State field does not apply (such as Malta, or the UK), a validation error fires in JavaScript (it doesn’t appear in the UI) and does not let you proceed:

It’s almost like the developers of this website didn’t quite test their form. Because developers normally do test their code, right? Right?

Well, when I reported the error to Virgin, and offered to provide a screenshot and steps to reproduce, the support representative gave me this canned bullshit:

“So sorry for the web error. Can recommend using one of our compatible browsers chrome or safari. Clearing your cookies and cache.  If no resolve please give reservations a ring [redacted] or international [redacted] you’ll hear a beep then silence while it transfers you to an available agent.  Thanks for reaching out.~”

I had to escalate the issue just so that I could send in the screenshot to forward to their IT department. Similarly, I was advised to complete the booking over the phone.

Over a month later, the issue is still there. It’s no wonder they want people to book via telephone. Aside from the international call rate, they charge a whooping $20 for a sales rep to book you over the phone.

Use SSL for Credit Card And Personal Details

In July 2016, I wanted to book a course from the local Lifelong Learning unit. I found that they were accepting credit card details via insecure HTTP. Ironically, free courses (not needing a credit card) could be booked over an HTTPS channel. When I told them about this, the response excuse was:

“This is the system any Maltese Government Department have been using for the past years.”

It is NOT okay (and it’s probably illegal) to transmit personal information, let alone credit card details, over an insecure channel. That information can be intercepted by unauthorised parties and leaked for the world to see, as has happened many times before thanks to large companies that didn’t take this stuff seriously.

To make matters worse, Lifelong Learning don’t accept cheques by post, so if you’re not comfortable booking online, you have to go medieval and bring yourself to their department to give them a cheque in person.

I couldn’t verify if this problem persists today, as the booking form was completely broken when I tried filling it a few days ago – I couldn’t even get to the payment screen.

Update 8th January 2017: I have now been able to reproduce this issue. The following screenshots are proof, using the Photo Editing course as an example. I nudged the form a little to the right so that it doesn’t get covered by the security popup.

Update 9th January 2017: Someone pointed out that the credit card form is actually an iframe served over HTTPS. That’s a little better, but:

  • From a security standpoint, it’s still not secure.
  • From a user experience perspective, a user has no way of knowing whether the page is secure, because the iframe’s URL is hidden and the browser does not show a padlock.
  • The other personal details (e.g. address, telephone, etc) are still transmitted unencrypted.

Do Server Side Validation

When Times of Malta launched their fancy new CMS-powered website a few years ago, they were the object of much derision. Many “premium” articles which were behind a paywall could be accessed simply by turning off JavaScript.

Nowadays, you can still access premium articles simply by opening an incognito window in your browser.

Let’s take a simple example. Here’s a letter I wrote to The Times a few years ago, which is protected by the paywall:


Back in 2014, I used to be able to access this article simply by opening it in an Incognito window. Let’s see if that still works in 2017:

Whoops, that’s the full text of the article, without paying anything!

Like those critics of my SQL injection article, you’d think that people today know that client-side validation is not enough, and that it is easy to bypass, and that its role is merely to provide better user experience and reduce unnecessary roundtrips to the server. The real validation still needs to be server-side.

Conclusion

Many people think we’re living in a golden age of technology. Web technology in particular is progressing at a breathtaking pace, and we have many more tools nowadays than we could possibly cope with.

And yet, we’re actually living in an age of terrible coding practices and ghastly user experience. With all that we’ve learned in over two decades of web development, we keep making the same silly mistakes over and over again.

I hope that those who bashed my SQL injection article will excuse me if I keep on writing beginner-level articles to raise awareness.