Monthly Archives: April 2021

Maps, activation codes and server-side validation

English, Essay, ,

If you skip server-side validation, someone will eventually find out. Hi, I’m someone, and this is a story about why you should think about server-side validation.

Story time

In July 2013, I bought a new, previously owned, Volvo V60. As part of the deal, the dealership included the latest map update. So, I left the dealership with the car and a box containing not one, not two, but three DVDs. Each that would spend hours in the DVD tray while updating the maps.

Now, these DVDs were probably dime a dozen. You could buy them used on the Internet, pick them up at any Volvo dealership and I would not be surprised if they were available for download from the Internet as well. So, to prevent piracy, you had to type in an activation code when starting the upgrade progress. But wait – then everyone with an activation code could sell their DVDs and the code to the next person once they had updated their maps? Well, no. You see, the activation code only worked on your car.

Getting the activation code

The way you got your activation code was simple: you would visit a web site, type in your vehicle identification number (VIN for short) and a drop-down list would show the part number for the maps you had the right to use. I mean, you could literally type in any valid VIN for that brand and model series and see what map options they had. You could even request their activation code sent to your email address. Now that is user friendly.

So, the activation code only worked with the correct combination of map number and VIN. However, when I entered my VIN, the part number for my DVDs did not show up in the drop-down. A few others appeared, presumably already installed by the previous owner.

Apparently, the company selling the maps had not yet received the order from the dealership. This was late Friday afternoon, if I recall correctly, so contacting the dealership would have to wait … but then I thought, what if I change the options in the drop-down list? It cannot be that easy? Surly they would validate the input, check it against their database one more time before sending out an activation key?

You already know the answer; I opened developer tools and changed the product to match the one I had. I pressed submit and a few moments later, voila! You got mail!

“Dear Valued Volvo Driver, […] Here is your activation code.”

Would you look at that. It was almost too easy. So, just to confirm, I found another number on the Internet and, once again, I received an email with a new activation code.

So, here you have a service that gives you a list of choices, and they do not even check if you have selected within that range. That is just lazy.

In the end, I could have saved me the trouble; after the weekend, the part number automatically appeared in the drop-down list, and a year or so later, Volvo put the maps on the Internet for free. All you had to do was download them to a USB stick and plug it into your car. Well, you also had to upgrade your navigation system to remove the need for an activation code, for a small fee, of course.

Doing the right thing

I reported the bug to the company responsible for the map service, but I never heard back from them. Since this service no longer exists, I think it is okay to share this story. I did not break any rules, from my point of view, but I can see how this could have been abused.

To be honest, for a split second, I was thinking about sampling a few VINs, note down the map options and crossmatch them to generate a lot of activation codes, which I then could try to figure out how the code generation worked. But that would have been crossing a line.

So, the takeaway is this: Do not trust the client-side, always do server-side validation.

I don’t keep bookmarks, I keep tabs

English, , ,

Ever since browsers added tabs – and the ability to restore them on start up – I’ve been using them almost religiously. Bookmarks, on the other hand, was never my thing. And while I do have them, 219 to be precise, I don’t use them. They are out of sight, whereas my tabs aren’t.

Right now, I have 30 tabs open in Chrome (I just closed four to tidy up a bit) and 26 in Edge. I have kind of a system, with emphasis on “kind of”, where Edge is used for work-related sites that require login and Chrome is used for (almost) everything else.

Tabs are like to-do lists, ever-growing and mostly ignored.

So, to close a few – and at the same time expose some of my various interests – I will post some of them here. That way I can close a few tabs, keeping just this page open instead.

(I see the irony, no need to point out that this will end up as a glorified bookmark)

On Corona

All I need to know about the corona situation in Norway (in Norwegian). This page is gold if you like graphs and statistics. It’s also an exception to my general rule of not reading VG (it’s a tabloid newspaper after all).

On security and cloud (advent calendar 2020)

You would assume it was possible to read one article per day during December – this was an advent calendar after all – yet it didn’t happen. I never got around to reading any of them. Not one. I’ll might get to them, eventually, once they are outdated.

On learning Vim

I use Vim as my coding editor, for the most part – I’ve written about it before (in Norwegian). My plan is to read these guides some rainy day, so it could be any day now, according to the forecast. Could even be today.

On programming

Reading material or just for reference; I don’t know yet, but I still kept them around.

On stories

The name of this site should be self-explanatory.

On Linux productivity

I use Linux – maybe I could learn a new trick or two. Or maybe I’ll just pretend I’ll find the time to read 89 pages on various Linux tools I’ll never use again.

On algorithms

Algorithms, they are all around us, might as well learn a few. The fact that this site contains 26 e-books – one in what I assume is Chinese – didn’t stop me from keeping it in a tab for months. But will I ever read one of them? Will you? Let me know in the comments section.

On ports and pools

Network ports and connection pools, that is. Obviously work related … I don’t have a pool.

On calculus

What is it? Let’s find out … another day.

On the Internet

It’s no secret: I miss the old Internet, or at least the idea of the old Internet.

There you have it: 16 tabs I can close, pretending I will read them later – just like I’ll pretend to clean up my bookmarks.