Welcome back to the Sorry State of the Web series! This is a collection of bad stuff found on so-called professional websites, contributed by both myself and others who have submitted entries. It is sad to see so many fundamental mistakes being repeated over and over again, and by calling them out, we hope to promote better quality work in web development, and as a result, a better experience on the web.
Unfortunately, this month we are once again about to see a lot of security-related violations, including insecure login and credit card processing. We will also see a lot of negligence. Thus, without further ado…
Deal: Insecure Login
deal.com.mt, like many other websites we have mentioned and will mention, supports registration and login over insecure HTTP, so usernames and passwords travel in cleartext and can be read or altered by anyone on the network path:
You will also notice the strangely superimposed text saying “Please log into this app” below the Facebook button. Certainly not an artistic style I would want to imitate.
Careers in Finance: A Different Kind of Education
Careers in Finance, a pathetically designed website that seems to be part of MFSA, has this Warnings page.
The warnings page presumably takes you to a list of unrecognised training institutions. So when you follow the link, you get…
…this. Aside from the error page, you’ll notice a hilarious misspelling of the word “Universities” in the filename. Whoever named the file was evidently alienated by more… interesting stuff at the time.
Microsoft: Runtime Error Page
I noticed a similar runtime error when accessing a webpage on Microsoft’s own website. They could have handled this better.
The Malta Independent: Sneaky Advertising
The Malta Independent had this really invasive ad covering the whole site as you load it:
If you click the link at the top-right of the ad that says “Skip and Visit Site”, you are actually taken to the website that the ad is promoting, rather than just closing the ad and letting you read the online newspaper. What a sneaky way of raising advertising revenue!
If you wanted to just close the ad, you actually had to click the “X” at the top left, which is very easy to miss.
This shameful advertising mechanism seems to be gone now, thankfully.
Mediterranean Bank: Out With the Old, In With The Crap
Last weekend, Mediterranean Bank launched their shiny new internet banking platform, after a whole weekend of planned downtime for the changeover.
Existing users have to undergo a migration process, and this is fraught with flaws.
The first thing you see in this new system is a field requesting a “Client number”. The problem is, nobody has any idea what this client number is. In the old system, we used to use a username and various other fields, but no client number. And sure enough, if you enter something invalid, an error appears, telling you to enter your old username if you are using the new platform for the first time.
That would have been useful to have before you try to login.
After that, you have to enter your surname. So they made a whole webpage just for you to enter your surname (yes, full page reload).
To migrate your account, you have to enter all the stuff you used to have in the old system (understandably, because you have to be authenticated). That includes a secret question:
Now, secret questions are already a weak authentication factor in the first place: the answers are short, low-entropy and often discoverable from public information. But not masking the answer as you type it (which the old system did properly, by the way) is just terrible from a security standpoint. Security answers, while not passwords in themselves, are password-like material. You do not want someone looking over your shoulder to be able to read them just because you are typing them in.
Moving on to the less serious and more silly flaws, it seems like Mediterranean Bank have taken inspiration from JobsPlus (see the March issue) and put in a language selector with just English in it:
You can choose between English… and English.
Sport Malta: Insecure All The Way
It seems like they now have HTTPS, but it doesn’t quite work: the page still loads some of its resources over plain HTTP, so the browser reports mixed content and refuses to show the page as secure:
Poor guys. They can’t seem to get one thing right.
EUROPA: Cobwebs and Such
Like Sport Malta, the website of the European Union has a bit of a mixed content issue that undermines its HTTPS setup, since anything fetched over HTTP can be read or tampered with in transit regardless of the padlock on the page:
So like any good citizen would do, I decided to report the issue. In their contact form, you can specify what browser you’re using. Well, the browser versions in the list are ancient (I was using Chrome 58, and the latest one in their list is 40; likewise, although I was using Firefox 53, I could only choose up to Firefox 34). They even managed to misspell the name of the Konqueror web browser.
Anyway, I reported the HTTPS problem, and also asked them nicely to update the browser versions on the contact page. When you write to them, they tell you that it can take about 3 days for them to get back to you.
And that’s exactly what happened. Today, I received a reply, which said:
“Would you kindly clarify if you are referring to some specific webpages?
You may contact us again in any of the 24 EU official languages via our webform which is available here:
This clarification would enable us to forward your message to the relevant department of the European Commission for information purposes.”
So basically, having taken 3 days to reply, these guys didn’t even bother to browse their own website’s homepage. And contacting me back through a no-reply email address, they expect me to fill in that form again, just so that I can tell them what they could already have determined themselves, and then forward it to some department where it would then get lost in a bureaucratic hole.
Spotlancer: Insecure Login
Just more of the same from Spotlancer:
TicketArena: Insecure Credit Card & Login
Be careful where you buy your tickets from! Ticket Arena is served over insecure HTTP, yet it processes credit card info:
“Your credit Card is 100% Safe and Secure,” they said. “We use the latest standards for security with Comodo,” they said.
Image credit: taken from here
As I’ve repeated ad nauseam over the past articles, you simply cannot process sensitive data (including passwords and credit card details) over an insecure channel. It doesn’t matter if you’re using an HTTPS iframe inside an insecure HTTP-served page: the parent page arrives unauthenticated, so anyone on the path can swap that frame for one of their own or overlay it, and the address bar only ever vouches for the parent. It’s simply not enough.
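To make the two failure modes above concrete (the mixed content on the Sport Malta and EUROPA pages, and the HTTP-served checkout and login pages at Ticket Arena, Spotlancer and Deal), here is an added example of an offline page audit. It is not code from this article or from any of the sites mentioned; the page URL, host names and HTML are constructed for illustration, and the field-name heuristics for spotting secret inputs are an assumption, not a standard. It reports HTTP sub-resources on an HTTPS page (split into active and passive mixed content), forms that would post a password, card number or security answer to an HTTP endpoint, and an HTTPS frame embedded in an HTTP parent.

```python
"""Offline audit of one HTML page for mixed content, secrets posted over
HTTP, and an HTTPS frame embedded in an HTTP parent.

Added example, not code from the article or from any site it discusses.
SAMPLE_URL and SAMPLE_HTML are constructed; the hosts are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Sub-resources the browser fetches for a page. "active" ones (scripts,
# frames, stylesheets, plugins) can rewrite the page, so browsers block
# them and drop the padlock; "passive" ones are loaded but flagged.
RESOURCE_TAGS = {
    "script": "active", "iframe": "active", "link": "active",
    "object": "active", "embed": "active",
    "img": "passive", "audio": "passive", "video": "passive",
    "source": "passive",
}
URL_ATTRS = ("src", "href", "data")
# Heuristic (an assumption for this example): input names that usually
# carry card data or a security-question answer.
SECRET_NAME_HINTS = ("card", "cvv", "cvc", "secret", "answer")


class _Collector(HTMLParser):
    """Gathers sub-resource URLs and forms that contain secret fields."""

    def __init__(self):
        super().__init__()
        self.resources = []   # (tag, raw url as written in the page)
        self.forms = []       # {"action": str, "secret_fields": [names]}
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in RESOURCE_TAGS:
            for attr in URL_ATTRS:
                if a.get(attr):
                    self.resources.append((tag, a[attr]))
        if tag == "form":
            self._form = {"action": a.get("action", ""), "secret_fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            itype = (a.get("type") or "text").lower()
            name = a.get("name", "").lower()
            autocomplete = a.get("autocomplete", "").lower()
            if (itype == "password" or autocomplete.startswith("cc-")
                    or any(h in name for h in SECRET_NAME_HINTS)):
                self._form["secret_fields"].append(name or itype)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit(page_url, html):
    """Return a list of (finding, url) tuples for one page."""
    c = _Collector()
    c.feed(html)
    page_secure = urlsplit(page_url).scheme == "https"
    findings = []
    if not page_secure:
        findings.append(("insecure-page", page_url))
    for tag, raw in c.resources:
        url = urljoin(page_url, raw)   # resolves "//cdn/x.js" and relative paths
        scheme = urlsplit(url).scheme
        if page_secure and scheme == "http":
            findings.append((f"mixed-{RESOURCE_TAGS[tag]}", url))
        elif not page_secure and tag == "iframe" and scheme == "https":
            # The parent arrives over HTTP, so anyone on the path can swap
            # the frame's src or overlay it; the frame's HTTPS proves nothing.
            findings.append(("https-frame-in-insecure-page", url))
    for form in c.forms:
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        if form["secret_fields"] and urlsplit(target).scheme != "https":
            findings.append(("secret-over-http", target))
    return findings


SAMPLE_URL = "https://www.example.test/tickets"   # constructed
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://static.example.test/site.css">
<script src="//cdn.example.test/app.js"></script>
</head><body>
<img src="http://static.example.test/logo.png">
<form action="http://www.example.test/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<iframe src="https://pay.example.test/card"></iframe>
<form action="/checkout" method="post">
  <input name="card_number" autocomplete="cc-number"><input name="cvv">
</form>
<a href="http://partner.example.test/">partner</a>
</body></html>"""

if __name__ == "__main__":
    for url in (SAMPLE_URL, SAMPLE_URL.replace("https://", "http://", 1)):
        print(url)
        for finding, target in audit(url, SAMPLE_HTML):
            print(f"  {finding:30} {target}")
```

Run it and the same HTML yields two different reports: served over HTTPS, the stylesheet and logo come up as mixed content and the login form is caught posting a password to an HTTP endpoint; served over HTTP, the page itself is the finding, the checkout form now posts card data in the clear, and the HTTPS payment frame is flagged because its parent cannot be trusted. Plain `<a href="http://…">` links are deliberately ignored, since navigating away is not mixed content. On a real site, the fix is to serve every resource over HTTPS (a `Content-Security-Policy: upgrade-insecure-requests` header helps catch stragglers) and to move the whole page, not just a frame, onto HTTPS.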
Websites also need to be tested better. Several websites that we have seen in this article have various problems of different severity levels that could have easily been caught earlier with a little more attention.
We’ll see more issues along these lines in Part 2. In the meantime, I would like to thank all those who sent reports for entries that were included in this article, and I welcome submissions for the June issue.