More Bugs Found In Advertlets’ System

This is getting ridiculous. After all the suggestions and bugs I found in Part One and Part Two of my reviews, and a short follow-up here, the Advertlets team doesn’t seem to have learned anything at all! I wonder if they ever will.

So, they have done some changes to their system AFTER reading my reviews. To summarize the whole story, those bugs I found shouldn’t even be there in the first place. Proper testing of the system would have ensured those bugs were found and fixed BEFORE their system was launched. Having bugs like that after over 300 people have registered an account with them could be very dangerous. That proves that they did not conduct a proper test on their system before it was launched.

I don’t believe that they have learned their lesson because if they did, I wouldn’t have found another bug in their system. This is not some MAJOR bug but it does prove that they did not conduct a proper test before releasing their new updates.

They provided a new option in their publisher’s admin area called “Change Your Password”. As the name suggests, you may use it to change your password (which I highly recommend you do). The funny thing is that they enforce a minimum password length of 6 characters during registration but do not enforce the same rule when a user changes their password. I tried changing my 10-character password to a 1-character password, and it was accepted.

*sigh* I am your user, not your beta alpha unit tester, ok?

Advertlets’ Explanation Of Why They Were “Lazy” And “Amateurish”

In the first part of my review on Advertlets, I used the words lazy, amateurish and shoddy work to describe the design, bugs and quality of work that I found in their system. I was challenged on it, but it was answered by these comments (here, here and here).

I received an explanation from Firdauz (from Advertlets) which was supposed to ‘cover up’ all the laziness, amateurishness, shoddy work and maybe even the possible password vulnerability that I found.

What’s assumed as laziness and amateurish was, in fact, our best decision at that particular time.

Even up till this point in time, they have never stated that the users’ passwords in their system ARE ENCRYPTED. They mentioned how their system was capable of warding off “SQL injection, brute force attacks, URL guessing, and social engineering” and that their system is “indeed secure, and we can vouch for the protection of your data and password”.

However, the question to be answered is, “Are the users’ passwords encrypted?” It doesn’t matter if their system is 100% “unhackable” from the outside; encrypting the users’ passwords is considered a fundamental practice in developing a system. The users’ passwords should NEVER be stored in plain text no matter how secure a system may seem to be — that’s the standard principle.

mooiness gave his point of view:

But you don’t let loose an application which fails one of the most basic principles, ie. password security.

You(r) best decision at the time should not have been this. To me, it sounded like you guys rushed it out the door so that you got something to show.

No – your best decision at the time should have been to put yourselves in the shoes of a user and whack the system as hard as you can.

One point that I missed out in my review is that they neglected one of the basic password security features — setting a minimum password length. According to this and this, the minimum length of a password must be at least 6 or 7 characters to be considered standard. Shorter passwords are considered WEAK and are more vulnerable.

However, I have tested it, and their system allows passwords as short as ONE character. I have one account whose password is “a” and another account whose password is “abc”. Let’s hope they did not neglect the most important security feature — encrypting the passwords.

If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization.
(Weinberg’s Second Law)

What do you think?

TenthOfMarch Reviews Advertlets From The Inside (Part Two)

(WARNING: This is a lengthy review) — Final Edition

This is the continuation of the first part of my review on Advertlets.

Right after I logged in, I was greeted by the screen below. Bear in mind that I placed high expectations on them after all the hype over “Web 2.0”, gradients and friendliness they said they provided. However, the screen below is just an eyesore.

Ugly looking statistics in Your Stats page

I think that “Imp” means impression, right? Why not write the full word? There is enough space anyway.

**********

Next, why, after I have logged in, is the first page that I see the “Your Stats” page and not the “Dashboard”? I don’t have a problem with it, it’s just that in your navigation bar on the left, “Dashboard” comes first, and only then “Your Stats” and the rest. Nothing major, and definitely not a bug.

TenthOfMarch recommends:
I think either displaying the “Dashboard” first or rearranging the navigation bar to show “Your Stats” first would generate a better ‘flow’.

**********

You have two pages (“Dashboard” and “Your Stats”) that show statistics. I agree that having some statistics on the dashboard would be great (IF you display “Dashboard” first after log in).

Statistics on dashboard page

Honestly, I am a bit confused about which page you intend to come first. But based on my experience using blogger.com, their ‘dashboard’ comes first. Let’s assume your Dashboard comes first; then the statistics provided in the dashboard should be a general overview of all the statistics, while the statistics in “Your Stats” should be a more detailed version.

After analyzing your statistics, I can only know today’s impressions, total impressions from day one (I think) under “Total” on the “Your Stats” page, the past 7 days’ impressions, and monthly impressions starting from 2 months back. I say 2 months back because there are no statistics that show impressions for the current month (April) and the previous month (March).

TenthOfMarch recommends:
Add statistics for the current and previous months. It would be great if you could provide daily statistics for at least the past 30 days. Some graphs would visualize the data better.

**********

If you look at the picture below (in their Dashboard), you will notice my account status is “Pending”. There are 3 reasons why it is pending but I want to highlight the 3rd point — Demographics Poll 100 more needed. I am not sure if it is only me, but I haven’t heard anyone complaining about this.

Firstly, they require members to have at least 100 unique visitors to their blog before they can join their ad program. Now, after I register an account, they impose an extra ‘requirement’ on me before I get a chance to see an ad placed on my blog? Is this right? I understand they need to have some ‘data’ before they can target ads on my blog, but they could have at least stated this ‘requirement’ before I joined their program. I think this is wrong but, like I said, I don’t see anyone else complaining.

A ‘requirement’ that was not mentioned earlier

The reason why I don’t like the idea of making the users get 100 polls answered before an ad can be served is that some of your users (I found two already) have no choice but to ask for answered polls from irrelevant individuals (people who don’t go to their blog but answered the poll for the sake of ‘helping out’).

Below are two screenshots that I took when I stumbled on Kenny’s blog. (Both bloggers’ nicknames are blurred to protect their privacy.)

Member begging for poll takers 1

Member begging for poll takers 2

TenthOfMarch recommends:
Inform the users that they are required to get 100 polls answered before ads can be served to them before they register.

**********

My ‘test blog’ is at http://bunnymakemoney.blogspot.com. I notice most of the time that the “Ads Imp” increases together with the “Poll Imp”. Is this a bug, or do I just not understand how it works?

I also notice that a user can repeatedly ‘self-answer’ their own polls. I have done it 5 times just to test it out. All they need to do is refresh the page after each time they answer the poll.

Poll statistics

TenthOfMarch recommends:
After a user has answered the poll, at least store the information in their cookie (or session). That will prevent them from answering it again.
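The cookie-or-session check recommended above, as an added example that is not Advertlets’ code: the visitor gets a signed cookie and the server keeps its own (poll, visitor) record, so refreshing the page and resubmitting is ignored. SERVER_SECRET, the cookie format and the PollTally class are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple

# Constructed server-side secret used to sign the visitor cookie; a real
# deployment loads it from configuration rather than generating it at start-up.
SERVER_SECRET = secrets.token_bytes(32)


def issue_visitor_cookie() -> str:
    """Mint a random visitor id and sign it, so the browser cannot forge one."""
    token = secrets.token_hex(16)
    sig = hmac.new(SERVER_SECRET, token.encode(), hashlib.sha256).hexdigest()
    return f"{token}.{sig}"


def visitor_from_cookie(cookie: str) -> Optional[str]:
    """Return the visitor id if the cookie's signature checks out, else None."""
    token, _, sig = cookie.partition(".")
    expected = hmac.new(SERVER_SECRET, token.encode(), hashlib.sha256).hexdigest()
    if not token or not hmac.compare_digest(sig, expected):
        return None
    return token


class PollTally:
    """Server-side record of who has answered which poll.

    The cookie only identifies the visitor; the 'already answered' fact lives on
    the server, so editing the cookie cannot reset it. Clearing cookies does
    yield a fresh id, so this stops the refresh-and-resubmit trick from the post
    but is not proof against a determined voter (that needs a logged-in account).
    """

    def __init__(self) -> None:
        self.counts: Dict[Tuple[str, str], int] = {}   # (poll_id, choice) -> votes
        self.answered: Set[Tuple[str, str]] = set()    # (poll_id, visitor_id)

    def record(self, poll_id: str, cookie: str, choice: str) -> bool:
        """Count the answer once per visitor per poll; True if it was counted."""
        visitor = visitor_from_cookie(cookie)
        if visitor is None:
            return False                    # missing or forged cookie
        key = (poll_id, visitor)
        if key in self.answered:
            return False                    # same visitor, same poll: ignored
        self.answered.add(key)
        self.counts[(poll_id, choice)] = self.counts.get((poll_id, choice), 0) + 1
        return True

    def votes(self, poll_id: str, choice: str) -> int:
        return self.counts.get((poll_id, choice), 0)


if __name__ == "__main__":
    tally = PollTally()
    cookie = issue_visitor_cookie()
    print(tally.record("poll-1", cookie, "18-24"))   # True: counted
    print(tally.record("poll-1", cookie, "18-24"))   # False: refresh-and-resubmit
    print(tally.votes("poll-1", "18-24"))            # 1
```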

**********

In their “Your Stats” and “Your details” page, there is a note that says:

Please keep in mind that you will not be eligible to view your demographics data, or be eligible for payment until further details about yourself are verified, and further terms & conditions are agreed to. We will contact you shortly regarding additional information needed.

Come to think of it, I have never seen their terms & conditions and privacy policy page before (or did I just miss it?). Is it legal or right to run a website requesting users’ information without a terms & conditions and a privacy policy page? (I am not saying it’s illegal. I have googled and yahoo-ed but found nothing. This is just a question.)

TenthOfMarch recommends:
Change “Your details” to “Your Details”. Add a “terms & conditions” and “privacy policy” page. Ensure the users are aware of your terms and policy by adding a link at the registration form and a checkbox that they have to tick before they are registered.

**********

Next, the “Your details” page.

Your details page 1

Your details page 2

Your details page 3

It is very seldom that I come across a form that looks like this on the Internet. A professional-looking form would look more organized and properly arranged. Apart from the look of the form, I found that they did not design the database according to proper industry standards. If you notice, all the inputs that the user has to key in are in textboxes. That means that they designed the database to store all the information in this form as plain text.

Data such as “Date of birth” should be stored in date format. “Postcode”, “Children” and “No. of blogs” should be stored as integer type. “Race”, “Religion” and “Language Spoken” should be stored as char(1) or enum, or something similar. Ironically, two pieces of information (gender and blog category) that are dropdown lists in the ‘registration form’ are also stored as plain text. Those should be stored as ‘char(1)’ or enum, or other more appropriate types.

A properly designed database would offer different types of input for the user to select from or fill in, such as textboxes, dropdown lists and radio buttons. Below is a screenshot of GMail’s settings form.

Example of a professional looking form (GMail)

So, why should a programmer design a database according to the proper industry standards?

1. Rule Seven: Use appropriate types and constraints

The structure of a database is crucial to its ability to transform raw data into usable information. Each database should conform to a set of standard rules designed to optimize its utility. These rules make a database a flexible, usable tool, and not just a place to store information.

2. Poor design/planning

Since the database is the cornerstone of pretty much every business project, if you don’t take the time to map out the needs of the project and how the database is going to meet them, then the chances are that the whole project will veer off course and lose direction. Furthermore, if you don’t take the time at the start to get the database design right, then you’ll find that any substantial changes in the database structures that you need to make further down the line could have a huge impact on the whole project, and greatly increase the likelihood of the project timeline slipping.

3. How to Encrypt Passwords in the Database

Realize that the data in your database is not safe. What if the password to the database is compromised? Then your entire user password database will be compromised as well. Even if you are quite certain of the security of your database, your users’ passwords are still accessible to all administrators who work at the Web hosting company where your database is hosted.

As you can see, designing a proper database according to the ‘standard’ is very important. The proper formatting of the data/information given by their users (that is stored in the database) is crucial to a company. So, how could they have possibly missed this point? Combining all the simple mistakes/bugs that I found in the first review with their lack of effort in designing a proper database, two questions popped into my mind:

1. How much time and effort was put into securing the user’s privacy (password)?

2. Are the users’ passwords encrypted?

TenthOfMarch recommends:
You should spend more time designing a proper database. The longer you wait, the harder it will be.

**********

In the “Your details” page, there is an item, “No. of blogs”. What if I have more than 1 blog? Do I need to register a new account for each blog? Or one account for multiple blogs? In your FAQ, you mentioned “need to install separate tracking code on each site”.

By the way, in your FAQ, this question “How does the RM10,000 for first 200 bloggers program work?” should be changed to “How does the RM15,000 for first 300 bloggers program work?”, no?

**********

To summarize:
The guys behind Advertlets have put a lot of effort into the ‘front-end’ of their website. I love their poll, design and look. However, I personally feel that they should have balanced their time and effort a little more towards the back-end of their website as well. Iron out all the bugs, find more advertisers and you should be good to go.

My First Video Reply To A Comment

Hi guys. I recorded this video to answer one comment that was posted on JeffOoi’s blog last night. At first, I was planning to record only the proof of my claims, but then I thought, what the heck, might as well record the whole ‘explanation’.

So here is the video. Enjoy.

I actually recorded a few more videos yesterday. I will be posting them soon. So stay tuned.

TenthOfMarch Reviews Advertlets From The Inside (Part One)

I did mention that I would be reviewing Advertlets after I was done with Nuffnang. Doing so must have given Advertlets some advantage over Nuffnang. There have been boastful moments where Advertlets proudly showed off the ‘front-end’ of their website — state-of-the-art poll, Web 2.0, demographics etc. With all that in mind, I approached the review with high expectations of what lay behind the login page.

Let’s start off by registering an account. As usual, the interface looks nice with all the rounded edges. The only things that look “old” are the “Register” button and the dropdown lists. However, what bugs me the most is the way the form is formatted. In Java we call it the “FlowLayout”: you put each element of the form to the right of the previous element and repeat until there is no space left, then you start a new line. That’s exactly how they have formatted this form. This is a very lazy way to format a form. Even the textbox for the “Blog Address” is too short.

Registration Form Layout Not Organized

TenthOfMarch recommends:
Rearrange this form to look more organized. The “Password” and “Verify password” textboxes should be side by side or one on top of the other. The textbox for “Blog Address” must be at least twice as long. Change the “Register” button and maybe the two dropdown lists to look more “Web 2.0”.

**********

After completing the form, I clicked on the “Register” button. To my surprise, I was greeted by nothing but a plain popup that says “Registration Successful”. Once again, this is very dull, and may I add, LAZY! You could at least redirect me to a proper page with the appropriate messages.

Registration Successful Message

So I checked my mailbox for a confirmation e-mail, but there was no new mail. I checked again for the next 5 minutes, but still no new mail. I had a very bad feeling in my stomach. I tried to log in with the username and password that I had created a while ago, and I was logged in. I was SHOCKED! A few weeks back they said they had a DDOS attack. And now they have an open registration without a verification system? Aren’t they afraid? Anyone with some basic knowledge of HTML can create a script to fill up their database with junk accounts using fake e-mail addresses in 5 minutes.

TenthOfMarch recommends:
Create a better-looking confirmation page. A javascript popup is a bit too lazy, don’t you think? Add a layer of registration verification where users have to reply or click on an activation link before their account is created.

**********

I wasn’t satisfied with their registration process. In fact, I had a feeling that there were more things to be discovered in this area. Therefore, I did some further testing. This is when I registered a second account with them. I inserted the same details as the first account (i.e. same username, e-mail, blog address, name etc.). Again, I was greeted with a dull-looking error page that should only be seen by the programmer, and NEVER the end users. Honestly, pages such as these are amateurish. It’s like the shoddy work of an undergrad.

[If there's any IT undergrad reading this and is offended, I'm sorry. I know most of you can do better than this.]

Duplicate Error

Their system rejected my registration because I inserted the same username. Of course! So I changed the username (other details remained the same), and tried registering again. To my surprise, it was accepted. Some of you may ask, “So what?” For those who have some knowledge in IT, you’ll know that it is good practice to prevent a user from registering two separate accounts using the same e-mail address and blog URL. This is yet another piece of shoddy work with no effort put into designing a proper system at all. I have just done the same test on Nuffnang’s system and it works as I had suggested.

Invalid Username Or Password Popup

TenthOfMarch recommends:
Change the e-mail and blog URL fields to accept only unique values. There should not be duplicate values for those two fields. Create a proper error page with information and links for the user to retry the registration process if their attempt fails.
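An added example (not Advertlets’ schema or code) putting the three database points on this page together: typed columns with constraints instead of free text for everything (the “Your details” section of Part Two), a salted one-way password hash instead of plaintext (what the “How to Encrypt Passwords” excerpt is about; a login only needs to verify a password, never recover it, so salted PBKDF2 hashing is the usual practice), and UNIQUE e-mail and blog URL enforced by the database itself, as recommended above. It assumes SQLite via Python’s standard library; the table, column names and sample values are constructed.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Tuple

# Constructed schema: typed columns with constraints, UNIQUE on e-mail and
# blog URL, and no plaintext password column, only a per-user salt and a hash.
SCHEMA = """
CREATE TABLE publisher (
    id            INTEGER PRIMARY KEY,
    username      TEXT    NOT NULL UNIQUE,
    email         TEXT    NOT NULL COLLATE NOCASE UNIQUE,
    blog_url      TEXT    NOT NULL UNIQUE,
    gender        TEXT    NOT NULL CHECK (gender IN ('M', 'F')),
    date_of_birth TEXT    NOT NULL
        CHECK (date_of_birth GLOB '[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]'),
    postcode      INTEGER NOT NULL CHECK (postcode BETWEEN 0 AND 99999),
    num_blogs     INTEGER NOT NULL CHECK (num_blogs >= 1),
    pw_salt       BLOB    NOT NULL,
    pw_hash       BLOB    NOT NULL
)
"""
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow, one-way hash; the plaintext never reaches the database."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def register(conn: sqlite3.Connection, username: str, email: str, blog_url: str,
             gender: str, dob: str, postcode: int, num_blogs: int,
             password: str) -> Tuple[bool, str]:
    """Insert a publisher. The database, not only the form, rejects duplicate
    e-mail / blog URL and badly typed values, so no code path can bypass them."""
    salt = os.urandom(16)
    try:
        with conn:
            conn.execute(
                "INSERT INTO publisher (username, email, blog_url, gender, "
                "date_of_birth, postcode, num_blogs, pw_salt, pw_hash) "
                "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)",
                (username, email, blog_url, gender, dob, postcode, num_blogs,
                 salt, hash_password(password, salt)))
    except sqlite3.IntegrityError as exc:
        return False, f"rejected: {exc}"
    return True, "registered"


def verify_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    row = conn.execute("SELECT pw_salt, pw_hash FROM publisher WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(hash_password(password, row[0]), row[1])
```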

**********

Confident that I would find more shoddy work, I tested how their system would react to invalid username and password combinations. Sure enough, I was only greeted with a javascript popup that says “Invalid Username / Wrong Password”. And after clicking the “OK” button, I was staring at a blank white screen. What the …? You should have redirected me to a page where I can retry the login process. And don’t ask me to use the damn “Back” button. The proper way is to display a page for the user to try again, not a damn blank screen.

TenthOfMarch recommends:
Create a proper error page with information and links for the user to retry the login process.

**********

BUG Of The Century

I actually found out this bug right before I published this post. It has to be the bug of the century. I wonder if the programmers behind Advertlets are trying to fool the users or themselves. I tested this twice (I have 4 accounts with Advertlets now), therefore I am very certain it’s a bug.

In the registration form, we are required to insert a password into the “Password” textbox. Then, we need to verify the password by typing it again into the “Verify Password” textbox. What ‘every-normal-system’ would do is to make sure BOTH passwords match before the registration process can be completed. If the user mistypes the passwords, an error message must be shown requesting the user to retype the password.

However, I tried registering an account by inserting passwords that don’t match (hoping that the system would reject my registration). To my horror, ADVERTLETS’ SYSTEM ACCEPTED IT! :lol: OMG… I can’t believe this.

TenthOfMarch recommends:
You know what to do.
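One shared validator for both forms, as an added example that is not Advertlets’ code: it rejects a mismatched “Verify Password” at registration (the bug described above) and, because the change-password handler calls the same function, it also keeps the 6-character minimum that the “More Bugs” post at the top of this page found missing from “Change Your Password”. The form field names and the current_password_ok callback are assumptions of this example.

```python
from typing import Callable, Dict, List

MIN_PASSWORD_LENGTH = 6   # the rule the registration form already applies


def password_policy_errors(password: str, verify: str) -> List[str]:
    """Every reason a new password must be refused; an empty list means accept.

    Both handlers below call this one function, so the registration form and
    the "Change Your Password" form cannot drift into enforcing different rules.
    """
    errors = []
    if len(password) < MIN_PASSWORD_LENGTH:
        errors.append(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    if password != verify:
        errors.append("'Password' and 'Verify Password' do not match")
    return errors


def register(form: Dict[str, str]) -> Dict[str, object]:
    """Registration handler: short or mismatched passwords never reach storage."""
    errors = password_policy_errors(form.get("password", ""),
                                    form.get("verify_password", ""))
    if errors:
        return {"ok": False, "errors": errors}
    return {"ok": True, "username": form["username"]}


def change_password(form: Dict[str, str],
                    current_password_ok: Callable[[str], bool]) -> Dict[str, object]:
    """Change-password handler: same policy as registration, plus proof that the
    caller knows the current password. current_password_ok is a hypothetical
    callback that, in a real system, checks the stored salted hash."""
    if not current_password_ok(form.get("current_password", "")):
        return {"ok": False, "errors": ["current password is wrong"]}
    errors = password_policy_errors(form.get("new_password", ""),
                                    form.get("verify_new_password", ""))
    if errors:
        return {"ok": False, "errors": errors}
    return {"ok": True}


if __name__ == "__main__":
    # Constructed cases mirroring the post: "a", "abc", a mismatch, and a good one.
    cases = [("a", "a"), ("abc", "abc"),
             ("abcdefghij", "abcdefghik"), ("abcdefghij", "abcdefghij")]
    for pw, verify in cases:
        print(repr(pw), password_policy_errors(pw, verify) or "accepted")
```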

**********

After successfully logging into their system, I immediately found more amateur work. The basic principle of a website is to show links for a user to log in or register before they log in to the system. However, after the user has logged in, those two links must be removed and replaced with a logout link. I remember back then, some of my weaker coursemates would make mistakes like these. However, to catch a company with experienced programmers making mistakes like this — priceless.

Parts Of The Page That Should Be Removed

TenthOfMarch recommends:
After a user has logged into the system, remove those links circled in the picture above.

**********

I’m finally logged into their system. So far, my experience using their system has been a lousy one. I don’t believe any company should launch their website if they are not ready. In this case, I believe Advertlets’ website lacks the most basic design and functionality any website should have. It doesn’t matter if they are still in Beta. These are the basic needs for a website. It’s like going to work without brushing your teeth and combing your hair. You may still produce good results, but you stink and look like crap.

I’ll continue with part two of my review soon. Without revealing any details of my next review, I suggest that those who have an account with Advertlets change their password ASAP. You must heed this advice especially if you use the same password for all your accounts (e.g. e-mail, Friendster, online banking etc.). I’m not trying to create chaos, but after seeing all this shoddy amateurish work, I have reason to believe there is a TINY / MICRO possibility your password may be vulnerable. I’ll explain later. It’s better to be safe than sorry. Until then…