Sage Live – Serious SaaS Security Issues
Seeing as my wife is spending most of the evening on Facebook complaining about being kicked from the inside by our unborn second daughter, I thought I’d spend the evening online poking around Sage’s new online offering – Sage Live. I’ve already had a play with the functionality and reported my thoughts on that. This time I was interested in the technology and security side of things.
A couple of years ago selling web-based software to SMEs was hard. Everyone was concerned about security. Over the years, it’s been accepted that us SaaS providers seem to know what we’re doing. We’ve built up a lot of trust.
Sage seems to be aware that security is important. They have a few pages about security that all say the right things. But in reality they fail on the most basic security measures. There’s no point in sticking your servers with Rackspace and shouting about how great the security is if the end-user’s password isn’t protected. After all, that’s all that is needed to get into a Sage Live account.
Defaults to “Remember me”
The default option on the Sage Live homepage is for it to remember your username and password. You can untick it if you like, but you’ll have to remember to untick it every time you log in. Otherwise, all someone needs to do is fire up your computer, put in the URL and click the Login button. Your password is already there!
Password shown in clear text
I really had to struggle to stop myself adding 3 exclamation marks to that sub-heading. Almost unbelievably, they show your password on-screen when you log in – in plain text.
It’s sent to their central “passport” service using a GET rather than a POST – so your password is actually in the requested URL, which is displayed in the status bar. See the circled red area in my screen grab below.
Make sure no one is looking at your screen when you log in.
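A defender’s check for the problem described above, added here as an example (it is not code from the post or from Sage): once a login form submits over GET, the password is part of the URL and so ends up in browser history and in every proxy and web-server access log along the way. This script scans constructed Common Log Format lines for credential-like query parameters and redacts them; the `/passport/login` path and parameter names are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed sample access-log lines (Common Log Format); not real Sage Live traffic.
# Line 1 shows the GET-login problem: the password is sitting in the request line.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Jan/2009:21:14:03 +0000] "GET /passport/login?username=alice&password=Hunter2&remember=on HTTP/1.1" 302 0
203.0.113.7 - - [28/Jan/2009:21:14:05 +0000] "GET /dashboard?page=1 HTTP/1.1" 200 5120
198.51.100.4 - - [28/Jan/2009:21:15:11 +0000] "POST /passport/login HTTP/1.1" 302 0
"""

# Parameter names that should never appear in a URL. A POST body never reaches
# the access log, which is exactly why a login form must not use GET.
SENSITIVE = re.compile(r"(pass(word|wd)?|pwd|secret|token)", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_leaked_credentials(log_text):
    """Return (line_no, method, path, [sensitive param names]) for every request
    whose query string carries a credential-like parameter."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        leaked = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)
                  if SENSITIVE.search(k)]
        if leaked:
            findings.append((line_no, m.group("method"), parts.path, leaked))
    return findings


def redact_line(line):
    """Mask the value of each credential-like query parameter so the log can be
    kept without retaining the password itself."""
    m = REQUEST_RE.search(line)
    if not m:
        return line
    parts = urlsplit(m.group("target"))
    if not parts.query:
        return line
    masked = [(k, "REDACTED" if SENSITIVE.search(k) else v)
              for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return line.replace(m.group("target"), parts.path + "?" + urlencode(masked), 1)


if __name__ == "__main__":
    for line_no, method, path, params in find_leaked_credentials(SAMPLE_LOG):
        print(f"line {line_no}: {method} {path} exposes {', '.join(params)}")
    print("\n".join(redact_line(l) for l in SAMPLE_LOG.splitlines()))
```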
Obsolete technology
A little bit of playing around on the web site indicates that the whole thing is powered by a product called BEA Aqualogic. BEA were acquired by Oracle in April last year and the BEA Aqualogic range of products have been discontinued. So before the product even made it into public beta, the underlying technology was obsolete. This is why the pure-play SaaS companies develop their own stuff from the ground up.
[Edit: Whoops, factual error. As pointed out by a reader below; the link above doesn’t actually say that this product is being discontinued]
Waiting for the Feds!
I’m allowing myself the luxury of an exclamation mark for this sub-heading. A little bit of prodding around the site and I found myself looking at these two pages.
I know one of them says I only have read-only access. But these are undoubtedly pages that only authorised people should be seeing.
It’s at this point I realised that if I went any further then I could possibly fall foul of all sorts of laws about unauthorised access to remote computer systems. I started to worry that the FBI would be knocking on the door any minute (only half-joking – some of the Sage servers are in the US) and decided I’d better leave well alone.
The security blurb on their site says they have some sort of intrusion detection system that should have locked me out. I think someone might have forgotten to put the batteries in it.
Conclusion
Myself and the head honchos at other SaaS accounting firms have been waiting a while for Sage to make a play in the SaaS market. We were pleased when they did. Even the fact that their product was pants didn’t matter. By just getting involved in SaaS, Sage have added credibility to the whole concept.
Now I’m wondering if we’ve all been a bit short-sighted. A high-profile security cock-up could set us back years. By the looks of things, Sage are more likely to have a security problem than any of the proper SaaS players. That makes sense. Programming for the internet is a totally different thing to programming for the desktop. Whilst Sage undoubtedly have years of experience building robust desktop apps, how much experience do they have in building for the web?
UPDATE: Sage took Sage Live offline on 28th Jan ’09 due to these security issues.