Admin
TRWTF is authenticating users via an argument in the URL.
That'd be the FRIST lawsuit of many.
Admin
Another thing: Are string hashcodes in Java identical for all versions? I know that .net outputs different string hashes for different versions of the runtime.
Admin
Hashing the user id makes a change from hashing passwords (not that most WTFs we see do that).
Was the original programmer smoking something?
Admin
Admin
32768 is the ceiling for int in VB6. Coincidence? I think not...
Admin
32768 users should be enough for everyone!
Admin
The Real WTF:
System.out.println("102".hashCode()); The result was 48627.
While they were trying to ensure that the app never sent a value bigger than 32768.
Admin
Unfortunately for this story: there isn't a single collision for ids generated by this mechanism for the first 500 million numerical ids.
Admin
Admin
Admin
Or you know it might just have something to do with it being the limit of 16-bit signed value..
Which will crop up in all kinds of places, ints in 16-bit code, short db attributes, maybe some idiot decided to make a value in a struct int_16 so it would byte align neatly or something.
It's fun ragging on <= VB6 and all, but anyone who has been doing any programming for more than a week should have run across 32768 and have some idea what the core reason for its significance is; without knowing anything about what this application does, and what technology is in use, I'd lay odds that yes
is very much a coincidence.
Admin
Admin
Using the hash code formula posted above the highest number with a hash code smaller than 32768 is 99.
Admin
Correction: to be exact, every number bigger than 99 and smaller than 1000000 is guaranteed to not work.
Admin
The Java documentation states that Object.hashCode() returns a value of the type "int", which, surprisingly, translates into a "32-bit signed integer".
Ah well, perhaps the reasoning was "32768 starts with 32 so it must be a 32-bit value".
Admin
Although the code is a WTF in the first place, I actually agree with Anders that a ticket should be created first before the error will be solved (if not already done). Doesn't look like an easy fix and a ticket helps tracking and documenting the solution. Nobody is helped by panic about it.
Admin
Instead of doing anything to fix the issue, Jan wasted valuable time arranging a meeting to gossip with his buddy Anders instead. No wonder Jan was let go.
Admin
With a hammer would be my preferred method.
Admin
32768 is just a 16-bit int max value (2^15). Could be any other language with a 2-byte int.
Admin
On someone's fingers (or head), I might add.
Captcha: genitus -- This developer's genitus was showing. (This was just wrong on so many levels!)
Admin
A Jan Hammer?
Admin
There is this little thing in computers called binary, suggest you look it up some time before concluding that 2+2=vb6
Admin
Fortunately for this story, I have no trouble whatsoever imagining that a vendor who required that the IDs be small was either allowing the ID to wrap, or using their internal maximum for everyone who exceeded the limit.
Admin
A few things are odd about the story, though:
For all we can see, the user-id gets transformed just to create a URL for an iframe from "an external vendor". Sure account creation would be handled by Jan's shop? How could that fail if the user-id is auto-generated by the database? How can the external vendor play a role in that? If all he provides is an iframe?
Again, how is that possible if the accounts are handled by Jan's shop? I mean, being logged in as another user. A user might see some other user's data if that data is shown in the iframe supplied by the external vendor, but only then. But since the external vendor obviously does not authenticate a user by a password (hash duplicates might occur but these two users having the same password? Unlikely), that data would also be visible to the world if someone took the iframe url and began experimenting with the number following "user=".
I think this story has been embellished a lot around a small "32-bit integer hashCode() vs 16-bit integer expected param" WTF.
Admin
If you need to make a change in a system and don't really know how it works, you have to know the motivation behind the code that you're changing. Otherwise you risk making new bugs. For example, it was Anders who told Jan that the external vendor's IDs have to be 16-bit.
Admin
An unsigned 16-bit int goes up to 2**16-1, 65535, and down to 0.
Or have I been trolled?
Admin
Admin
Admin
Fortunately for this story, sequential IDs aren't a requirement.
Admin
I used to work as a transport coordinator at a local hospital (2000-ish). In cooperation with our local air ambulance company, we obtained the new flight tracking software they were using. The software used a database backend called 4G; I'd not heard of it at the time. It also stored data -- medical, patient data -- on the non-local vendor server. Every customer.
The vendor admitted it was possible, however rare, that the software or the server could screw up and we'd start seeing call information/patient data for other customers. If that happened, we were to call tech support immediately. The product started out as an in-house project for an air ambulance in Florida. They had this delusion of how great their software was and decided to market it.
TRWTF? Even with their admission of the bug, our air ambulance company STILL bought it.
Admin
Admin
Kerberos.
Next question please.
Admin
I think "Stop hitting yourself" would be an equally valid answer.
Admin
What has the world come to when a person can't even make a VB joke without getting pounced on?
Admin
Admin
+1 Mirth. Featured comment, please.
Admin
"Jan" is a dude?
Admin
EDIT: From the non-encyclopedia:
Admin
Admin
Post params would also be insecure. Anything served to a user is modifiable by that user.
Simple mechanism: generate a token (can be as simple as a concatenation of the username and a random, unused n-digit key), send it to the 3rd party server to state that it belongs to the given user. Any invalid or pre-used tokens fail.
The key is given to the user via the iFrame URI, and that associates the user with their session via the key given.
More elaborate version (for the case when the 3rd party server is written by idiots): create a proxy application which sends manual requests to the other server, server side. A bit of a bodge but better than the alternative. The user has no access to the auth of the 3rd party server, and authentication is implicitly linked to their own login.
TDWTF version: hash their ID. They'll probably never guess anyone else's ID, right? Obscurity and security are two different concepts sigh
Captcha: facilisi - The people who control the illuminati.
Admin
Out of sheer morbid curiosity (and asbestos underpants are firmly affixed), hypothetically: IF we were developing our own web services, and IF as part of that development I needed to communicate/operate/etc. with another 3rd party service over which I had no control, and IF that 3rd party wanted ID/password but didn't support Kerberos, then wouldn't I have to roll my own solution? I mean, there exist times on the web where the only option is to send an ID and password to someone (oh gosh!).
Just curious, but as many years as I've been doing this, Kerberos has not really ever been the blanket answer -- for us Unix dudes anyway (has it?).
Admin
Any multiple of 2 (or adjacent value like 32767) should automatically be suspect as having triggered a rollover condition--a variable having met its threshold/ceiling and started back at 0 (or, in cases like this of signed values, a negative equivalent like -32767).
The language doesn't matter--both VB6 and the latest whamma-jamma Java, Ruby or C# have datatypes with low thresholds for those purposes that make sense.
Blaming a language for misuse by shortsighted programmers is silly. VB has had long integers since its inception.
Admin
Maybe it isn't a hash collision that's causing user IDs to be duped, but the external website is using a 16-bit signed int as the user ID, and really does require a max of 32767. Any ID bigger than 15 significant bits being truncated?
Extra levels of WTF on the external site might be taking the abs() of the ID, since their testing (ha!) showed that for some unknown reason, big numbers came back negative...
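The figures quoted in the comments above can be checked by reproducing Java's documented String.hashCode() formula; this is an added example, not code from the article or from any commenter. The 15-bit fold (`low15`) is an assumption that models the truncation hypothesis in the preceding comment, not known vendor behaviour, and the helper names are hypothetical.

```python
def java_string_hash(s):
    """String.hashCode(): s[0]*31^(n-1) + ... + s[n-1] in 32-bit signed arithmetic.

    ord() matches Java's UTF-16 code units for the ASCII digits used here.
    """
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - 0x100000000 if h & 0x80000000 else h


def largest_id_below(limit, max_id):
    """Largest numeric id in 1..max_id whose hash is smaller than limit."""
    best = None
    for i in range(1, max_id + 1):
        if java_string_hash(str(i)) < limit:
            best = i
    return best


def low15(h):
    """Assumed fold: keep only the low 15 bits, as a 16-bit signed field might."""
    return h & 0x7FFF


def first_collision(max_id, fold):
    """First pair of ids (earlier, later) in 1..max_id that map to the same value."""
    seen = {}
    for i in range(1, max_id + 1):
        key = fold(java_string_hash(str(i)))
        if key in seen:
            return seen[key], i
        seen[key] = i
    return None


if __name__ == "__main__":
    print(java_string_hash("102"))
    print(largest_id_below(32768, 999999))
    print(first_collision(200000, lambda h: h))  # full 32-bit hash
    print(first_collision(40000, low15))         # folded to 15 bits
```

With only 32768 possible folded values, a collision is guaranteed by the time 32769 ids have been issued, whatever the quality of the underlying 32-bit hash.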
Admin
Admin
Admin
This is a nice example of code reuse.
Admin
I hope you meant any power of two instead of any multiple of two. We may need to strip you of your geek badge.
Admin
Admin
When it's a horrible joke that is completely misguided, everyone will fire away...
Admin
Don't forget to expire the token, as well.
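The token hand-off proposed in the comments above, including the single-use and expiry requirements, as an added example that is not code from the article or from any commenter. The class name, the 60-second lifetime and the in-memory store are assumptions; the vendor side would keep this state and the main site would call `issue` server-to-server after login.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 60  # assumed lifetime; the thread only says tokens must expire


class HandoffTokens:
    """Vendor-side record of tokens announced by the main site (hypothetical)."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock
        self._pending = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        # Store only a digest so a leaked table does not reveal usable tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        """Register a fresh token for user_id; the return value goes in the iframe URL."""
        token = secrets.token_urlsafe(32)  # 256 random bits, not derived from the id
        self._pending[self._digest(token)] = (user_id, self._clock() + self._ttl)
        return token

    def redeem(self, token):
        """Return the user_id once; unknown, reused or expired tokens return None."""
        entry = self._pending.pop(self._digest(token), None)  # pop enforces single use
        if entry is None:
            return None
        user_id, expires_at = entry
        return user_id if self._clock() <= expires_at else None

    def purge_expired(self):
        """Drop tokens that were issued but never redeemed in time."""
        now = self._clock()
        stale = [k for k, (_, exp) in self._pending.items() if exp < now]
        for k in stale:
            del self._pending[k]
        return len(stale)
```

A guessable value such as a hashed user id is rejected by `redeem` because it was never issued, which is the difference from the `user=` parameter discussed in the thread.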