Alleged Arist hacking has lit up the Hong Kong blogosphere

News is spreading fast on the Hong Kong blogosphere that Arist way may well be a scam.

Arist has been profiled in Unwire Hong Kong: here and here. Anyone who wishes to see what Arist said can go to the Kickstarter comments page or the Unwire article. Backers on Kickstarter believe this allegation of hacking is complete nonsense.

The big news is that they allegedly showed a video of the app running a coffee machine. However, we all know videos can be fabricated. They also address many critics and allegations of scamming. Visit this Reddit page for a translation of the articles. The translation is also available in a subsequent post.

Additionally, according to a penetration test of the Arist website done by Samiux, Arist’s website was poorly protected and this may have compromised thousands of credit card users.

So, what’s wrong with the web site? We know that WordPress 4.1.1 has vulnerabilities on Same-Origin Method Execution and Unauthenticate Stored Cross-Site Scripting. There is also a SQL injection vulnerability on WooCommerce recently (dated March, 2015). Meanwhile, the most interesting thing is that the site is running a private SSL certificate for the shopping cart part. In addition, the site is running quite slow and the WooCommerce do not accept PayPal. It accepts credit cards only.

The point is, unlike Paypal or other secure transactions, it seems like backers on their website submitted credit cards in an unsecure fashion.