TenthOfMarch Reviews Advertlets From The Inside (Part One)

I did mention that I would be reviewing Advertlets after I was done with Nuffnang. Doing so must have given Advertlets some advantage over Nuffnang. There have been boastful moments where Advertlets proudly show off the ‘front-end’ of their website — state-of-the-art poll, Web 2.0, demographic etc. With all that in mind, I approached the review with high expectations of what lies behind the login page.

Let’s start off by registering an account. As usual, the interface looks nice with all the rounded edges. The only things that look “old” are the “Register” button and the dropdown lists. However, what bugs me the most is the way the form is formatted. In Java we call it the “FlowLayout”. It places each element to the right of the previous one until there is no space left, then starts a new line. That’s exactly how they have formatted this form. This is a very lazy way to format the form. Even the textbox for the “Blog Address” is too short.

Registration Form Layout Not Organized

TenthOfMarch recommends:
Rearrange this form to look more organized. The “Password” and “Verify password” textboxes should be side-by-side or one on top of the other. The textbox for “Blog Address” must be at least twice as long. Change the “Register” button and maybe the two dropdown lists to look more “Web 2.0”.

**********

After completing the form, I clicked on the “Register” button. To my surprise, I was greeted by nothing but a plain popup that says, “Registration Successful”. Once again, this is very dull, and may I add, LAZY! You could at least redirect me to a proper page with the appropriate messages.

Registration Successful Message

So I checked my mailbox for a confirmation e-mail but there was no new mail. I checked again for the next 5 minutes, but still no new mail. I had a very bad feeling in my stomach. I tried to log in with the username and password that I created a while ago, and I was logged in. I was SHOCKED! A few weeks back they said they had a DDoS attack. And now they have an open registration without a verification system? Aren’t they afraid? Anyone with some basic knowledge of HTML can create a script to fill up their database with junk accounts using fake e-mail addresses in 5 minutes.

TenthOfMarch recommends:
Create a better looking confirmation page. A javascript popup is a bit too lazy, don’t you think? Add a layer of registration verification where users have to reply or click on an activation link before their account is created.

**********

I wasn’t satisfied with their registration process. In fact, I had a feeling that there were more things to be discovered in this area. Therefore, I did some further testing. This is when I registered a second account with them. I inserted the same details as the first account (i.e. same username, e-mail, blog address, name etc). Again, I was greeted with a dull looking error page that should only be seen by the programmer, and NEVER the end users. Honestly, pages such as these are amateurish. It’s like the shoddy work of an undergrad.

[If there's any IT undergrad reading this and is offended, I'm sorry. I know most of you can do better than this.]

Duplicate Error

Their system rejected my registration because I inserted the same username. Of course! So I changed the username (other details remained the same), and tried registering again. To my surprise, it was accepted. Some of you may ask, “So what?” For those who have some knowledge in IT, you’ll know that it is good practice to prevent a user from registering two separate accounts using the same e-mail address and blog URL. This is yet another piece of shoddy work with no effort put into designing a proper system at all. I have just done the same test on Nuffnang’s system and they work as I had suggested.

Invalid Username Or Password Popup

TenthOfMarch recommends:
Change the e-mail and blog URL fields to accept only unique values. There should not be duplicate values for those two fields. Create a proper error page with information and links for the user to retry the registration process if their attempt fails.

**********

Confident that I would find more shoddy work, I tested how their system would react to invalid username and password combinations. Sure enough, I was only greeted with a javascript popup that says, “Invalid Username / Wrong Password”. And after clicking the “OK” button, I was staring at a blank white screen. What the …? You should have redirected me to a page where I can retry the login process. And don’t ask me to use the damn “Back” button. The proper way is to display a page for the user to try again, not a damn blank screen.

TenthOfMarch recommends:
Create a proper error page with information and links for the user to retry their login process.

**********

BUG Of The Century

I actually found this bug right before I published this post. It has to be the bug of the century. I wonder if the programmers behind Advertlets are trying to fool the users or themselves. I tested this twice (I have 4 accounts with Advertlets now), therefore I am very certain it’s a bug.

In the registration form, we are required to insert a password into the “Password” textbox. Then, we need to verify the password by typing it again into the “Verify Password” textbox. What ‘every-normal-system’ would do is to make sure BOTH passwords match before the registration process can be completed. If the user mistypes the passwords, an error message must be shown requesting the user to retype the password.

However, I tried registering an account by inserting passwords that don’t match (hoping that the system would reject my registration). To my horror, ADVERTLETS’ SYSTEM ACCEPTED IT! :lol: OMG……I can’t believe this.

TenthOfMarch recommends:
You know what to do.

**********

After successfully logging into their system, I immediately found more amateur work. The basic principle of a website is to show links for a user to log in or register before they log in to the system. However, after the user has logged in, those two links must be removed and replaced with a logout link. I remember back then, some of my weaker coursemates would make mistakes like these. However, to catch a company with experienced programmers making mistakes like this — priceless.

Parts Of The Page That Should Be Removed

TenthOfMarch recommends:
After a user has logged into the system, remove those links circled in the picture above.

**********

I’m finally logged into their system. So far, my experience using their system has been a lousy one. I don’t believe any company should launch their website if they are not ready. In this case, I believe Advertlets’ website lacks the most basic design and functionality any website should have. It doesn’t matter if they are still in Beta. These are the basic needs for a website. It’s like going to work without brushing your teeth and combing your hair. You may still produce good results, but you stink and look like crap.

I’ll continue with part two of my review soon. Without revealing any details of my next review, I suggest to those who have an account with Advertlets to change their password ASAP. You must heed this advice especially if you use the same password for all your accounts (e.g. e-mail, Friendster, online banking etc.). I’m not trying to create chaos but after seeing all this shoddy amateurish work, I have reasons to believe there is a TINY / MICRO possibility your password may be vulnerable. I’ll explain later. It’s better to be safe than sorry. Until then…
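The server-side checks this review asks for (matching passwords, unique e-mail and blog URL, activation before login, a friendly message instead of a raw database error), sketched as an added example that is not part of the original post and not Advertlets' code. The schema, function names and messages are assumptions, and the sketch stores a salted password hash rather than the password itself.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Hypothetical schema (not Advertlets' real one): UNIQUE constraints make the
# database itself reject a second account with the same e-mail or blog URL.
SCHEMA = """
CREATE TABLE users (
    username   TEXT PRIMARY KEY,
    email      TEXT NOT NULL UNIQUE,
    blog_url   TEXT NOT NULL UNIQUE,
    salt       BLOB NOT NULL,
    pw_hash    BLOB NOT NULL,
    token_hash TEXT NOT NULL,      -- SHA-256 of the e-mailed activation token
    active     INTEGER NOT NULL DEFAULT 0
)"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def _hash_password(password, salt):
    # Salted, slow hash so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(db, username, email, blog_url, password, verify_password):
    """Return (ok, message, token). The token would be e-mailed, never shown."""
    # Server-side check: the browser form cannot be trusted to do this.
    if not hmac.compare_digest(password.encode(), verify_password.encode()):
        return False, "The two passwords do not match. Please retype them.", None
    # Normalise so "A@Example.com" and a trailing slash do not dodge UNIQUE.
    email, blog_url = email.strip().lower(), blog_url.strip().lower().rstrip("/")
    salt = secrets.token_bytes(16)
    token = secrets.token_urlsafe(32)
    try:
        with db:  # commits on success, rolls back on error
            db.execute(
                "INSERT INTO users (username, email, blog_url, salt, pw_hash, token_hash)"
                " VALUES (?, ?, ?, ?, ?, ?)",
                (username, email, blog_url, salt, _hash_password(password, salt),
                 hashlib.sha256(token.encode()).hexdigest()),
            )
    except sqlite3.IntegrityError:
        # One friendly message for the user; the raw database error stays in logs.
        return False, "That username, e-mail or blog address is already registered.", None
    return True, "Check your e-mail for the activation link.", token


def activate(db, token):
    """Flip the account to active once; a wrong or reused token does nothing."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    with db:
        cur = db.execute(
            "UPDATE users SET active = 1 WHERE token_hash = ? AND active = 0", (digest,))
    return cur.rowcount == 1


def login(db, username, password):
    row = db.execute(
        "SELECT salt, pw_hash, active FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, pw_hash, active = row
    ok = hmac.compare_digest(_hash_password(password, salt), pw_hash)
    return ok and bool(active)  # unactivated accounts cannot log in
```
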


33 thoughts on “TenthOfMarch Reviews Advertlets From The Inside (Part One)”

  1. Undertypo says:

    I must say one word, PAWNED.

    Another word is, LUCKY. Because I haven’t registered at Advertlets yet. I am a person who makes every password the same in every forum or registration thing. This is certainly a big error in their system.

    So which password that they actually recognize? The first one or the wrong one?

    Your TINY/MICRO is a bit HUGE/MACRO. LoL

  2. aw says:

    Yeah, PWNED big time!!

    What’s the use of fancy Web 2.0 if basic setup is so shoddy. What other bugs are there that 10/3 didn’t find yet?

  3. TenthOfMarch says:

    @Undertypo
    It’s the first one (ie. “Password” textbox). The second one (Verify Password) is just for “decoration purposes”. Unless they checked for ‘password length’, I’m not sure. I inserted values like (Password = abc || Verify Password = 123) and it was accepted, ‘abc’ being the password.

    @aw
    Guys, maybe I over-emphasized the bug a bit too much ;-) The ‘bug’ itself doesn’t cause any harm or threat to the user’s information (eg. passwords, etc) that is kept in their database.

    However, it was their amateur and unprofessional ways in programming that raised doubts in me that MAYBE….I mean…MAYBE they could have stored the user’s passwords in a way that is vulnerable.

    I can’t see what they are doing at the back there. But from what I can see (the mistakes they make, the way they format the forms…including one that I haven’t exposed, and the design of the database that I can see) … I can say that there IS A POSSIBILITY (TINY / MICRO possibility that the user’s passwords may be vulnerable). Therefore, I advise changing it to something apart from the one that you would normally use, just to be safe.

  4. Hin Ching says:

    Not affiliated in any way with Advertlets. I just need to re-emphasize the fact that Advertlets is still in its beta cycle. One of the reasons for it being a public beta is so that it can be tested in a real environment. Various web applications have different stages of beta as well. For instance, Gmail’s still beta but is pretty much stable if you know what I mean. Advertlets is still at a very early stage of its beta cycle and is actively being updated every few weeks or so if you noticed.

    If you can actually see what they are doing back there. Then Advertlets will really be in hot water. Well, everyone will be in hot water. Your assumptions do stand with the reasons that you gave. But as a programmer yourself, you know better than most of the passwords should be all encrypted in a database instead on a text file on the programmer’s desktop.

    I’m convinced the issues that you have discussed are indeed valid and will prompt Advertlets to fix it quickly. On another note, if I was in your shoes, I would inform Advertlets next time when you are creating accounts to ‘test’ their ‘bugs’. It’s just manners, I suppose.

  5. Bat says:

    Wow..too many holes I think..To Advertlets, who is your programmer? Still Arsyan? As I know, before the system is online/published, the testing phase should be done, right? This seems like they didn’t go through the process..

    Just my opinion by the way, no offense, but I do think that this duel(nuffnang and advertlets) is good to us, since they will get better and better from so on..Like the duel between MAS and AirAsia..hehe..

  6. Firdauz says:

    Names Firdauz, hello everyone.

    I understand the frustration;

    I understand your BUG of The Century (altho my personal opinion would be your CENTURY is just too melodramatic, we just launched advertlets exactly a month ago)

    And yes, i also understand the very bad feeling in your stomach, your horror, you’re shocked by so many things that don’t satisfy you.

    Because i understand all these, im fixing some of the issues written here. Not because i’d like to satisfy you personally, it’s because i (me as one of the advertlets main developers) know the priority;

    “We satisfy the users, and if it’s a critical issue, we should be putting aside all the arithmetic, all the codes, all the fun and the intelligent programming of teaching advertlets to dance and to know who to dance with, and focus on the bugs”

    “and focus on the human.”

    “and satisfy their frustrations the best we could”

    Before i go back to what i call intelligent programming (of teaching advertlets to dance, to know traffic, to know geolocation, to communicate cross-domain when we have javascript same-domain policy, to be dynamically resizable, to serve and to maintain the performance of serving all the mySQL queries, to smartly show ads, and hopefully, to understand human beings better), personally (and im not voicing this on behalf of advertlets team), i’d like to know one thing;

    What rights do you have to be calling people amateur and lazy?

  7. suicidal says:

    One can argue about “rights” till the cows come home and enter the slaughtering the machine. But the REASONS tenthofmarch has for calling people amateur and lazy are pretty darn obvious isn’t it? Looks like someone needs some comprehension classes and a pair of glasses.

    to tenthofmarch: dude I haven’t seen a better review in ages. mine looks like a baby’s doodling. probably worse. haha kudos!!

  8. ZeMMs says:

    Freedom of speech… that’s his rights.. :P

    After all, looking at all the things he discovered, I believe he is exactly in the right position to be calling people amateur and lazy… it’s too obvious buddy…

  9. rzmie says:

    Hin Ching,

    In my opinion, it is not early beta stage. It’s earlier than beta stage. Beta stage means that your system is almost finished and the users use the system to find bugs. But displaying errors and unfinished pages to the users is not professional, and more experienced programmers and hackers can guess what the database content looks like. At least for the duplicate id, redirect the users back to the registration page and display an error message there like “The user ID is already exist. Our recommendations are : “.

    Imagine if the system’s engine is like that; what actually happens in the database, we will ask. Maybe our password is not encrypted and stored as clear text in the table? How about database protection? Could anyone access their database?

    A system like that cannot be released as Beta to the public. Or if they really want to classify the page as Beta, don’t open the registration. Invite people. And lastly, isn’t each company supposed to have a testing team? People that most programmers love and hate.

  10. dm says:

    hey… tenthofMarch, i totally agreed with wat u said, and cant really find more suitable and direct words to replace it: amateur and lazy!

    Its really a BIG shock to me what Advertlets is doing! i dont think i will ever submit this kinda uncompleted project assignment (juz an unlucky assuming, if this is my project) to my school, coz i know it will be funny if i can get a BIG PASS from any lecturers!!

    Good review, welldone! tenthofmarch!

  11. Unknown says:

    rzmie,

    firstly i think you’ve missed out when friendster.com used to be beta, or gmail used to be beta and a whole lot of other websites which were open for registration to the public but yet labeled themselves as “beta”.

    but i do get the point you are trying to make.. basically advertlets should have done a closed beta test with a select number of publishers and see how it goes before opening it’s doors to the public, while leaving at least the blog or a few other pages of the site public to allow awareness to grow.

  12. Gan says:

    Hi TenthOfMarch,

    Good review, you have the traits of a good tester.

    FYI, I was involved in developing an IT system which had all these simple bugs which should NOT even be there but should have been a given basic standard.

    Anyway, me being very much like you (a serious tester) gave my 2 cents worth during the acceptance test but was brushed aside by my project sponsor as purely aesthetic and non killer items … so deferrable, and, subsequently forgotten as I got so tired and surrendered to the powers that be.

    I think quality is no longer a way of life, which is being compromised by speed and also likely further compounded by the lack of quality workforce which is bulk produced by the academic assembly line.

    sigh …. sigh ….

  13. TenthOfMarch says:

    @To Everyone
    Sorry guys, for not replying to your comments. I have a few things to iron out first. I’ll reply to each of your comments individually right after I’m done with a few things. I’m also getting ready for my next post. I’ll need to check it properly before publishing it. It should be ready by TONIGHT.

    Some of you may know ‘what is happening’ to me. I thank you for your support and advice. Many thanks to Jeff Ooi for posting this up.

  14. Hanief says:

    Use Drupal if you can’t build a website. I’m a newbie I don’t know HTML not even the CSS and the PHP crap. I don’t care about local advertising method crap as well.

    We already have the Google Adsense. Sorry to say. Gwahaha..

    If you really care about Advertlets (the name is hard to remember, tha lawd!) just email them. Or talk to Arsyan at http://www.arsyan.com

    p/s:- Its okay to me even if the US dollar will be at 3.2 per RM1.00

  15. MJ says:

    Beta or pre-Beta, such basics like double checking the password1 & password2 to the exact character. I thought even college and University students for Web Programming are being taught this? If not, there are many books and internet resources that provide guides on security and user-friendliness.

    Did you try testing using symbols?

    1 thing to say – there can certainly be a lot of improvements for Advertlets :)

  16. Boss Lepton says:

    I still remembered when me n stewie did tuitionhamster. We cannot stress enough the importance of security. But then again that time we were young and naive, and of course it’s the 1st time we started a website so that’s a bit lousy :D but it works hahaha

  17. Dave Lu says:

    Nothings perfect and thats a fact however firdaus.. cool it man. I mean this is the point of it being in beta rite? i mean this guy here just did advertlets a big favour to debug the thing. FOC. so, do you thing, amend the site and everyones happy.

    Advertlets is really cool, one of the first in malaysia. Good thing coz hopefully it will really grow the blogosphere locally, but contextual ads are hardly a new thing. Well… apart from Malaysia.

    TenofMarch you did good. I’m not one to sit on the fence. I’m on your side. heh.

  18. Pingback: TenthOfMarch Reviews Advertlets From The Inside (Part Two) at TenthOfMarch.com

  19. TenthOfMarch says:

    Sorry for the late reply guys.

    @Hin Ching
    I’m quoting from here:

    “In software and Web development, a beta test is the second phase of testing in which a sampling of the intended audience tries the product out. (Beta is the second letter of the Greek alphabet.) Originally, the term alpha test meant the first phase of testing in a software development process. The first phase includes unit testing, component testing, and system testing. Beta testing can be considered “pre-release testing. …”

    The bugs that I found should have been fixed in the ‘alpha test’ stage.

    I agree that “most of the passwords should be all encrypted in a database instead on a text file on the programmer’s desktop”. However, my concern was, “Is it?”.

    I will inform them to remove those accounts that I have created for testing purposes. Thanks.

    @Bat
    True. If both of them compete healthily, the winners are always the users.

    @Firdauz
    As I mentioned in this comment, it wasn’t “The bug of the century” that raised concerns. It was the simple bugs/mistakes that you guys made and the lack of effort in designing a proper database that raised doubts.

    I don’t see you mention “user’s privacy” in your priority list.

    @suicidal
    Maybe your reviews aren’t as bad as you said. If you drop me a line, I would love to check it out too.

    @ZeMMs
    Thanks for helping me answer the question.

    @rzmie
    That was exactly my concern.

    And I guess I’m that person “that most programmers love and hate”. But in this case, “hate” would be more appropriate.

    @dm
    Thanks.

    @Unknown
    I agree with that “should have done a closed beta (alpha) test with a select number of publishers and see how it goes before opening it’s doors to the public”.

    @Gan
    I guess some people don’t understand the importance of ironing out all bugs, no matter how big or small. It doesn’t matter if all major bugs are fixed, if one small bug is found the impression will be, “there must be some major bugs in here”.

    True. Some companies concentrate more on delivering on time, than on quality. They must find a ‘balance’ between the two. Things won’t work out if either one lacks attention.

    @KY
    Based on their responses so far, I doubt that will happen.

    @HORNY ANG MOH
    Thanks. Hey, you haven’t answered my previous question. ;-)

    @Hanief
    I have never heard of Drupal before. I used Dreamweaver in the past.

    @MJ
    In their “Your Details” page, I tried updating the “Gender” to “PON####DAN”. After refreshing the page, it shows “PON###”. That’s all I tested on symbols. Maybe the # sign is a comment? I’m not sure.

    @Boss Lepton
    tuitionhamster was built by you guys? I have been to that website before. Wow, didn’t know I ‘met’ you before. LOL.

    @pornstar
    kīlauea said he/she has “done some basic SQL injection test this morning, and it seems to be quite secured”.

    @Dave Lu
    Thanks. I guess that means you will be labeled as ‘biased’ from now on. LOL.

  20. Firdauz says:

    Chill it people.

    What’s assumed as laziness and amateurish was in fact; our best decision at that particular time.

    We’ve been improving a lot ever since.

    And a lot more improvements coming, who ever said we’re lazy and just a bunch of amateurs? It was just an assumption.

    Share these shoes with me, I’m wearing 7 and a half.

    Mutual understanding people. Let’s have it.

    Mutual respect people. Let’s not degrade ourselves.

  21. TenthOfMarch says:

    @Firdauz
    “What’s assumed as laziness and amateurish was in fact; our best decision at that particular time.”

    I don’t like that explanation. It sounds wrong, but I don’t want to elaborate why.

  22. mooiness says:

    TenthofMarch: I shall attempt to say why Firdauz’s comment *feels* wrong.

    No web professional would let their baby out the door without thorough testing. It is expected that bugs will be found and usability issues to be addressed in the initial phases.

    But you don’t let loose an application which fails one of the most basic principles, ie. password security.

    Your best decision at the time should not have been this. To me, it sounded like you guys rushed it out the door so that you got something to show.

    No – your best decision at the time should have been to put yourselves in the shoes of a user and whack the system as hard as you can.

    I have no doubt that the backend engine is impressive, but you mustn’t forget that it is the frontend that the users see and use.

    If you are overworked (wearing 7 and a half shoes) then tell your boss. That is not an excuse for sloppy coding.

  23. Pingback: Advertlets’ Explanation To Why They Were “Lazy” And “Amateurish” at TenthOfMarch.com

  24. seraphangel says:

    man that was a long list of comments, very interesting, and TenthOfMarch you make a very good and thorough QA person, but perhaps try not to be so strong with your comments, as apparently Firdaus feels offended judging from his reaction, but hey Firdaus, accept the fact that it was shoddy work overall on the front end, maybe you all focused too much on the backend system that this simple matter was overlooked, but still it shouldn’t have happened, it really drops the users’ impression and trust on not just the website but the company as well. Keep up the good work at improving the website, I’m sure both nuffnang and advertlets will have a lot more competition in the future.

  25. Pingback: More Bugs Found In Advertlets’ System at TenthOfMarch.com

  26. Pingback: vMoody.net - Undying Lust » Blog Archive » A Lament

  27. Pingback: | ShaunChng.com - Blog | » Negative side of Advertlets - the bad and the horrible
