loading...

Discussion on: Tell me a bug story

Collapse
tchaflich profile image
Thomas C. Haflich

This one was a bug with a third party vendor. I found the bug for them, and it probably remains unfixed to this day.

We were sending off sheets to be printed, and these sheets included randomly generated unique passcodes of five alphanumeric digits (that is, matching /^[a-z0-9]{5}$/). We had users log into a portal with these passcodes, along with other authentication information. For years, this was the case without issue.

Then one day, I get a support call...

CALLER: Hi, I can't log onto the portal. It says it can't find me?
ME: Hold on one second, let me look you up.
  [I get the CALLER's information and search for them in the database.]
ME: Okay. It looks like your information is all correct on my end. 
ME: Are you seeing any error messages on the screen?
  [We go through the standard debugging steps. You know the drill.]
ME: Can you read me the code on your printout?
CALLER: One, two, three, zero, zero, zero, zero, zero...
ME: Sorry, the five digit code on your printout. 
ME: It should be under the heading "Passcode," in green.
CALLER: Yeah, that's it.
CALLER: It looks weird like it's going over the box or something though.

At this point, I have a suspicion. I look up the details in the database again.

+---------+--------+----------------+----------+
| fake_id |   name | account_number | passcode |
+---------+--------+----------------+----------+
|    9001 | CALLER | ASDF1234FOOBAR |    123E4 |
+---------+--------+----------------+----------+

Some of you may have spotted the issue already. For those who haven't, let's zoom in.

The passcode is listed in our database as 123E4.

ME: I'm very sorry, but can I call you back?

I had to confirm that we sent the passcode out as plain text to the vendor - we in fact did. Whatever process they used to lay out the prints had somehow interpreted our string as exponential notation all on its own.

We couldn't convince them that it was their issue, or tell them how to fix it, so our solution was...

To stop including the letter "e" in our codes ¯\_(ツ)_/¯