this post was submitted on 03 Oct 2023
881 points (99.3% liked)

Software Gore

5295 readers
2 users here now

Welcome to /c/SoftwareGore!


This is a community where you can poke fun at nasty software. This community is your go-to destination to look at the most cringe-worthy and facepalm-inducing moments of software gone wrong. Whether it's a user interface that defies all logic, a crash that leaves you in disbelief, silly bugs or glitches that make you go crazy, or an error message that feels like it was written by an unpaid intern, this is the place to see them all!

Remember to read the rules before you make a post or comment!


Community Rules - Click to expand


These rules are subject to change at any time with or without prior notice. (last updated: 7th December 2023 - Introduction of Rule 11 with one sub-rule prohibiting posting of AI content)


  1. This community is a part of the Lemmy.world instance. You must follow its Code of Conduct (https://mastodon.world/about).
  2. Please keep all discussions in English. This makes communication and moderation much easier.
  3. Only post content that's appropriate to this community. Inappropriate posts will be removed.
  4. NSFW content of any kind is not allowed in this community.
  5. Do not create duplicate posts or comments. Such duplicated content will be removed. This also includes spamming.
  6. Do not repost media that has already been posted in the last 30 days. Such reposts will be deleted. Non-original content and reposts from external websites are allowed.
  7. Absolutely no discussion regarding politics are allowed. There are plenty of other places to voice your opinions, but fights regarding your political opinion is the last thing needed in this community.
  8. Keep all discussions civil and lighthearted.
    • Do not promote harmful activities.
    • Don't be a bigot.
    • Hate speech, harassment or discrimination based on one's race, ethnicity, gender, sexuality, religion, beliefs or any other identity is strictly disallowed. Everyone is welcome and encouraged to discuss in this community.
  9. The moderators retain the right to remove any post or comment and ban users/bots that do not necessarily violate these rules if deemed necessary.
  10. At last, use common sense. If you think you shouldn't say something to a person in real life, then don't say it here.
  11. Community specific rules:
    • Posts that contain any AI-related content as the main focus (for example: AI “hallucinations”, repeated words or phrases, different than expected responses, etc.) will be removed. (polled)


You should also check out these awesome communities!


founded 1 year ago
MODERATORS
 
top 17 comments
sorted by: hot top controversial new old
[–] [email protected] 102 points 1 year ago

This looks like Hyundai Bluelink, and if it's not, then it has the exact same issue. The old password was a generated password provided by support.

[–] [email protected] 74 points 1 year ago (2 children)

Whatever site that is, make sure you use a burner email, burner pw (if you get it to work) and joe doe contact info.

[–] [email protected] 48 points 1 year ago (2 children)

To me it looks like their frontend guy just copy/pasted the password field with all validation over without thinking twice. I wouldn’t say this speaks to their general security competence.

[–] [email protected] 41 points 1 year ago (1 children)

While that may be true(copy/🍝), it implies that their code quality and QA process is broken and some of the most important fields/data are not being closely looked it. It certainly DOES speak to their overall security competence.

[–] [email protected] 20 points 1 year ago (1 children)

Eh, I can see how it's missed by testing. The tests probably cover testing non-compliant passwords failing and compliant passwords passing. They were probably updated at the same time the password compliance was updated.

Missing an edge case like this isn't good, but it's not that uncommon.

[–] [email protected] 4 points 1 year ago

Again, a basic code quality issue. If they missed this basic functional code issue, what else did they miss that is exploitable….

[–] [email protected] 14 points 1 year ago (2 children)

Could also be backend validation is broken, so FE just shows the user something useful rather than waiting for backend to reject and show a generic error message.

[–] [email protected] 16 points 1 year ago (1 children)

Found the FE dev. I think there is a JavaScript library for finding ways to blame the backend.

[–] [email protected] 5 points 1 year ago

I mean... I've been both. I have had to punt a problem that caused FE anguish because the project is old, not the priority, and hard to make changes to.

I've also been the FE that was told that they are aware of the problem, and can't get to it for a month, so we need to at least make the UI surface the error in a better way so that the user can go to support for manual intervention.

[–] [email protected] 5 points 1 year ago (1 children)

That would be actively malicious. I don’t know how anyone could get the idea to just show “something” if the backend sends a generic error message.

I’m not sure what’s wrong, but have you checked if your tomatoes are fresh?

[–] [email protected] 3 points 1 year ago

Huh? If backend has incorrect validation on the old password string, and returns an error message like "invalid password" without specifying if it's the old or new password, that's not particularly helpful for front end. And that's pretty common for an API response not to have fine grain details.

The UI is capable of validating up front before the service request, assuming they know the exact validation rules BE uses.

Or the FE just fucked up. Both are plausible.

[–] [email protected] 0 points 1 year ago

Burner PW?

Just use a manager.

[–] [email protected] 26 points 1 year ago (1 children)

Been there, seen that. I got a login into the mainframe of the hospital I was working at. After the first login, it prompted me to change my password. So I did. It had a field width of 12 characters for the password which I used completely.

I logged out and tried to log in again. And found that the login screen password field only allowed for 8 characters.

I got my password reset, chose a new one with only 8 chars, and the first thing I did after completing the login process was to file a bug report. My boss was completely shocked when she got a copy of the report (basically asking who the f-ck is complaining about the computing centers software), and even more shocked when I told her where and how to submit a bug report herself. She had a notebook listing things that had annoyed her to no end on the system...

[–] [email protected] 9 points 1 year ago

She had a notebook listing things that had annoyed her to no end on the system...

I like this. Feedback gives me something to do. Make something better.

[–] [email protected] 24 points 1 year ago

When you take software reuse a step too far.

[–] [email protected] 22 points 1 year ago

Oh God horrible. Also, how did I miss subscribing here??

[–] [email protected] 5 points 1 year ago* (last edited 1 year ago)

What if the requirement is that it doesn't match the previous password?

Edit: never mind. Tired brain.