Advertlets - A Review..With A Big Login Bug Among Other Things and No I'm not paid to do this...
Today I decided to drop Nuffnang and put up Advertlets ads on my sidebar. Some of you might ask, why not put both instead, but just in case you didn't notice, there's simply not enough space on my sidebar for the two of 'em and Adsense together.
Anyways, I guess this is the start of my review of Advertlets. Do take note that they are not paying me anything for this, not even a contribution to my Xbox 360 fund.
First up, I like the entire look and feel of the main page and the dashboard. The main page isn't sparse, but not too "busy" either. However, I did find out a bug or two. Here's the sequence of events:
1. Enter Advertlets site at http://advertlets.com
2. Login with my username and password
3. Browser redirected upon successful login to http://www.advertlets.com/publishers/dashboard
4. Use the back button or the mouse button on my Intellimouse or backspace to go back to http://advertlets.com
5. No indication that I've logged in
6. Login again with the same username BUT keyed in the wrong password
7. Successful login despite the wrong password, and browser is redirected to http://www.advertlets.com/publishers/dashboard
As a programmer and a project manager, I would most certainly give my developers a strongly worded dressing down if they can't get something as simple as login done right. The flaw even happens when you key in the wrong username (or even a blank password) for step 6; it will show a successful login for the previous successful login attempt.
The dashboard is something you get to see once you have joined Advertlets. It shows your accounts (earnings) balance, profile, blog html codes, earnings and stats. These are pretty standard, but as a former Nuffnang user, I really miss the Analytics page, whereby visit information is logged down. I think it would be an indispensable addition to the dashboard.
In case you are wondering what the "Stats" page holds, well, it contains demographic results from the polls conducted by the Advertlet ads on your blog. To me, this is rather gimmicky. Internet advertising is supposed to be seamless and not disruptive to the entire user experience.
I wouldn't want to be polled at Kotaku.com asking what gender am I, etc, etc, for the sole purpose of being served better ads. This is the only reason why I chose the lite Advertlets ad, instead of the one with polls. I don't really want to bother my readers.
There's also a totally rubbish stats summary report which I don't know what to make of it.
This review does sound a little harsh on Advertlets, but here's one good point. I made 50 cents in less than 24 hours. Despite being slow, having money coming in at a steady pace is good, and as a bonus the ads do not look fugly.
In summary, Advertlets is walking a fine line between looking good and fulfilling its (and its users/clientele) needs. While some parts look really nice and the ads seem to function well, some parts feel like they are cobbled together by a caffeinated code monkey.. I know this because I have one in my office too.
Suffice to say that the login has a vote of no-confidence from me.
5 comments:
You'll be happy to know that we are completely revamping the login and analytics, along with the whole system. While we will definitely fix this bug within the next 12 hours (it's 3AM, the support staff are awake but not the programmers), we will also take your other comments into consideration.
On a side note, you may want to know and be thankful that yes - we have switched programmers recently, as well as added new staff (some of which have built entire social networking sites) to our team.
To put it in a way: If our old programmer was a "caffeinated code monkey", our new programmer is a "200LB Mountain Gorilla on Steroids" :) As our version number (from 1.50 to 1.75 to 1.80) increases, you will see more and more fixes.
What you are seeing is the remnants from the last time. Understand that yes, we desire as much to see a change as much as you do.
For the polls, we've noticed that people have quite different views on them, which is why we provide several options - polls+ads, ads only, polls only. We created the polls only ad code in response to a request to have polls only displayed, as some bloggers were quite keen on finding out more about their audience.
As for analytics, it will be implemented once we have balanced the processing threads. We previously implemented a version which was a lot more complete, but took up valuable processing that slowed down ad loading time.
Hence, as earnings are the most important thing to the blogger, this is the system you see for now. The change will come sooner than you think.
Thank you for your input, and add a feather to your cap for finding a bug we missed. Cheers!
Josh Lim
Advertlets.com
Hi there,
What you have just now experienced is not a login bug but instead XSS (Cross-site scripting) security in effect. While most internet users would consider advertlets.com and www.advertlets.com as the same domain because they point to the same location, for the browser, JavaScript (XHR) and cookies the two are considered different domains.
Now, what happened was that when you logged in from advertlets.com, the form was processed at www.advertlets.com (and the cookie was stored for that domain). So it should be fine that you were redirected to your dashboard. But when you use the back button to return to advertlets.com, the system cannot use the cookie from www.advertlets.com to validate your authentication as publisher at advertlets.com. And when you tried to log in using a wrong password, what actually happened was that the system would check for your authentication based on the existing cookie and straight away redirect you to your dashboard, skipping the form submission process.
I hope this isn't that technical for everyone to understand.
Zaki
Advertlets.com
Zaki, I'm gonna present you a scenario in the following sequence:
1. User A logs in successfully to Advertlets via http://advertlets.com
2. User A closes his browser, in this case it's Firefox.
3. User B goes to User A's computer, opens Firefox and goes to http://advertlets.com, and keys in tom dick and harry user information e.g. wrong username and password.
Guess what happens? User B will be logged in as User A.
Now if Google Adsense were to do this..I will most certainly flip.
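The reported sequence, with the cookie behaviour Zaki describes and the shared-computer scenario from the reply, modelled as an added example (not Advertlets' code and not part of the post or its comments). The account, the `/login?error=1` URL and all function names are assumptions; `login_fixed` is one way to make the submitted credentials decide every time.

```python
import hashlib
import hmac
import secrets

# Constructed model of the behaviour described above; not Advertlets code.
SALT = secrets.token_bytes(16)  # one demo account, so one salt

def kdf(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"userA": kdf("correct-horse")}  # constructed account
SESSIONS = {}                            # session id -> username (server side)

def check_password(username, password):
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, kdf(password))

def new_session(username):
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return "/publishers/dashboard", sid

def login_flawed(cookie_sid, username, password):
    """A live session cookie short-circuits the form, as the comment describes."""
    if cookie_sid in SESSIONS:
        return "/publishers/dashboard", cookie_sid  # credentials never checked
    if check_password(username, password):
        return new_session(username)
    return "/login?error=1", None  # hypothetical failure URL

def login_fixed(cookie_sid, username, password):
    """Submitted credentials always decide; the earlier session is discarded."""
    SESSIONS.pop(cookie_sid, None)
    if not check_password(username, password):
        return "/login?error=1", None
    return new_session(username)  # fresh session id on every login

def replay(login):
    """Replay the reported sequence; return (looked logged out, redirect, user)."""
    SESSIONS.clear()
    jar = {}  # browser cookie jar keyed by host: cookies here are host-only
    # Form on advertlets.com posts to www.advertlets.com, which sets the cookie.
    _, jar["www.advertlets.com"] = login(jar.get("www.advertlets.com"), "userA", "correct-horse")
    # Back on advertlets.com the browser sends no cookie: no sign of being logged in.
    looked_logged_out = jar.get("advertlets.com") is None
    # Wrong credentials are posted to www.advertlets.com; the old cookie rides along.
    target, sid = login(jar.get("www.advertlets.com"), "someone", "wrong-password")
    return looked_logged_out, target, SESSIONS.get(sid)
```

`replay(login_flawed)` ends on the dashboard as `userA` despite the wrong credentials, while `replay(login_fixed)` ends on the failure URL with no session left behind.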
why concentrate on new features when existing code is broken? so many problems with your site even though it looks nice. like they said, never judge a book by its cover. advertlets is a perfect example.
version number increasing doesn't mean anything as well.. while u're just fixing the code, your version numbers shouldn't jump so much. and should be in sequence. similar like to other sites/programs' change logs. you don't see them jumping by 5s or 10s. and they go in sequence. if you have minor changes, change the build number. like those. or bundle all ur updates and fixes into 1 version update. heck, i can call my site version 100 now with the constant editing i do.
advertlets seriously need a QA person to monitor your programmers work. do feed ur people well, else they might lari with some bad code left behind.
ironic. 10/3 revealed about registering with not matching passwords. 9/10 now reveals login vulnerabilities.
To solve it, just click the "LOGOUT" link, I don't think you can go to the dashboard anymore.