Monday, 2 May 2016

Forget Bitcoin: Zimbabwean dollars is where it's at!

Bitcoin is a well-established virtual currency. Its popularity was largely fueled by a surprisingly strong display of growth in 2013, when the value of a single Bitcoin shot up from around $13 to more than $1,000 in less than a year. Despite a few crashes along the way, Bitcoins are still worth around $400-$500 today, and a variety of online stores and hosting providers readily accept Bitcoin as a method of payment.

Zimbabwean dollars, on the other hand, are somewhat less useful... or are they?

During an intense period of hyperinflation in 2008 and 2009, many of Zimbabwe's banknotes became, literally, worth less than the paper they were printed on. The government attempted to counter the problem by printing larger denominations of notes, and even re-denominating the currency by removing zeros, but this was not sustainable. The Reserve Bank even had to delay production at one point due to running out of special paper for printing money.

By 16 January 2009, the Reserve Bank introduced trillion-denominated notes for the first time, with the largest of these being the 100-trillion dollar note ($100,000,000,000,000). These notes also rapidly became nearly worthless, with one newspaper even using them as printer paper in an advertising campaign.

A zero short: A ten-trillion dollar banknote issued by the Reserve Bank of Zimbabwe.

The Zimbabwean dollar was eventually suspended on 12 April 2009, when the use of stable foreign currency was legalised. This practically eliminated the problems caused by hyperinflation, which had peaked at around 500 billion percent in November 2008. Crazy!

Since then, Zimbabwe has mostly been using US dollars and South African Rand as currency, although Euros, Pounds Sterling, Chinese Yuan and others are also used as legal tender.

In July 2015, several years after Zimbabwe's hyperinflation woes had been brought to an end, its citizens were allowed to exchange the old Zimbabwean dollar banknotes back into US dollars.

This demonetization program gave citizens 5 US dollars for every 175 quadrillion dollars of Zimbabwean notes handed in.

This made Zimbabwe's 100-trillion dollar note worth just $0.40 (US) - a rather paltry amount considering it was the largest denomination ever issued by the Reserve Bank of Zimbabwe.

However, this is where the Zimbabwean dollar gives Bitcoin a run for its money: Zimbabwe's 100-trillion dollar note might only have been worth $0.40 last year, but it holds special value to numismatics who regard it as the banknote with the most zeroes ever shown in its design.

Today, less than a year later, it is common to see these 100-trillion dollar notes being sold online for up to $50 each - more than 100x their exchange value. This is similar to the rate of growth experienced by Bitcoin during 2013.

And like Bitcoins, the number of 100-trillion dollar notes is also in finite supply. No more will ever be printed, and so perhaps that might cause their value to increase further still.

Despite no longer being legal tender, Zimbabwean banknotes are evidently valuable and offer several advantages over Bitcoins. They cannot be stolen by malware or remote hackers, they require no technical knowledge to use, and because they are tangible items they are easier to use in physical transactions.

On the other hand, if your stash of Zimbabwean banknotes burns down in a house fire, it will be lost forever. At least Bitcoin wallets can be backed up.

Wednesday, 22 January 2014

Net Price Direct exposing my personal data


Most web application security testers will agree that after several years of experience you start to develop an incredible "sixth sense" which allows you to estimate how secure (or insecure!) a website is likely to be, merely by looking at the way the site behaves during normal use.  I'm talking about entirely passive observation of the way the site reacts, without even looking at any of the raw requests and responses that are sent to and from the application server, let alone attempting to manipulate them.

This sixth sense unavoidably gets tingled outside of the work place. We all buy things on the internet as private consumers, and that is certainly one such place where I've noticed quite a few suspicious things lately. However, nothing has been quite so glaringly obvious as the problem I stumbled upon tonight!

A few weeks ago, I bought some Lego from an Amazon.co.uk marketplace seller called Net Price Direct (a trade name of Hyde's Toys & Gift Ltd). My order arrived promptly and in excellent condition. I was very happy. Coincidentally, I also happened to buy the same item from their eBay store. This also arrived promptly and in good condition.

Tonight, I visited the seller's own website at www.netpricedirect.co.uk, and I was pleasantly surprised to see that the delivery costs were slightly better if you bought directly from them.  So I added a few items to my basket and went to the checkout (did I mention I like Lego quite a bit?).

As I had never used the site before - but had made previous purchases via Amazon and eBay - I entered my email address into this part of the login page:


All I submitted was my email address. To my disbelief, I was then taken to the following form, which was automatically populated with the personal details I had provided when placing previous orders via Amazon and eBay:


Crazy! All I did was enter my email address, and the website went ahead and gave out my name, address and telephone number.

I tried this from a different browser which had never visited the site before, and the same thing happened. Presumably, if someone has bought anything from their eBay or Amazon stores, but not yet registered an account on www.netpricedirect.co.uk, then their personal details might also be up for grabs by anyone who knows their email address. After an account has been registered, this vulnerability can no longer be exploited.

This seems like a rather daft flaw in the application logic. This amount of personal data should never be handed out to an unauthenticated party who knows nothing more than an affected user's email address.

But wait, what's that thing hovering in the bottom-right corner of every page on www.netpricedirect.co.uk? That's right, it's a Trusted Shops seal, which verifies the site as a "secure online shop"...