I didn't write on Friday. No, I did not forget it. Actually, I planned it for the afternoon, right after fixing a bug in the job platform. While the deployment was running, I checked my email and got an urgent help call, which basically was like "We have a huge problem in our self-coded portal with Spring Boot and can't find the cause. Can you help?"
Sure, I did, and so went part of my weekend :-)
Technically, it was a small, simple error in one line of code. It caused the token for Google logins to be stored once per application instead of once per user. So, whoever logged in first after an application start had his token used for all other login attempts via Google. As long as that token was valid, anyone who just clicked the login button was logged in as the first user. Bam.
The real problem was that they are in a highly privacy-sensitive industry and have to follow regulations too. I think under GDPR they even need to report it now. It is not that bad, basically: around 4 users saw the data of the person who logged in first. Nonetheless, it is a real pain for them.
The funny thing is, it is a classic. They did test the feature, had a pentest run by an external company, and general testing was done too. The one thing they tested the least was exactly this login feature. It was just an add-on.
So, don't neglect testing, and test such features with more than one user. Had they done it, they would have found and fixed it before going live.
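To make the bug and the two-user check concrete, here is an added illustration (not the portal's actual code): a Spring singleton bean that keeps the Google token in an instance field, next to a version that keeps the login result per session, and a small main that logs in two users. Class and method names are assumptions, and the token check is a placeholder for Google's real ID-token verification.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.stereotype.Service;

// Placeholder for real Google ID-token verification (assumption: in production
// this is Google's verifier library); here a token is simply "sub:<userId>".
class GoogleTokens {
    static String subjectOf(String idToken) {
        if (idToken == null || !idToken.startsWith("sub:")) {
            throw new IllegalArgumentException("invalid token");
        }
        return idToken.substring(4);
    }
}

// Vulnerable shape: a @Service bean is a singleton, so this field is shared by
// every request in the JVM. The first Google login after startup sets it and,
// until that token expires, every later login resolves to the same user.
@Service
class SharedTokenLogin {
    private String googleIdToken;                 // application-wide state

    String login(String idTokenFromGoogle) {
        if (googleIdToken == null) {
            googleIdToken = idTokenFromGoogle;    // only the first caller sets it
        }
        return GoogleTokens.subjectOf(googleIdToken);
    }
}

// Fixed shape: the singleton holds nothing per user; each login verifies the
// token it was handed and keeps the result under the caller's own session
// (a map here; HttpSession or a @SessionScope bean in a real app).
@Service
class PerUserLogin {
    private final Map<String, String> subjectBySession = new ConcurrentHashMap<>();

    String login(String sessionId, String idTokenFromGoogle) {
        String subject = GoogleTokens.subjectOf(idTokenFromGoogle);
        subjectBySession.put(sessionId, subject);
        return subject;
    }
}

// The two-user check the post recommends: a second login must not inherit
// the first user's identity.
class TwoUserCheck {
    public static void main(String[] args) {
        SharedTokenLogin broken = new SharedTokenLogin();
        broken.login("sub:alice");
        System.out.println("vulnerable, bob is logged in as: " + broken.login("sub:bob"));
        PerUserLogin fixed = new PerUserLogin();
        fixed.login("s1", "sub:alice");
        System.out.println("fixed, bob is logged in as: " + fixed.login("s2", "sub:bob"));
    }
}
```

With the shared field, the second call still reports alice; with the per-session version it reports bob, which is exactly the difference a second test user would have exposed before going live.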
On the other side, it was good for me, as I am going to write the bill now :-)