Skip to main content
blog title image

5 minute read - Testing

I wish companies offered functional bug bounties - not just security bug bounties

Aug 30, 2017

TLDR; Testers often find bugs in production systems. But with no incentive to raise them we find workarounds and they go unreported.

I wish there were bug bounties for functional defects

This week I found a bug in SlideShare. I say “found” when what I mean is - “for the 3rd or 4th time I’ve had issues uploading slide decks and I finally identified the cause”.

And… SlideShare will (probably) never have the defect formally reported to them by me.

Why?

  • I have a workaround - I don’t need to report it
  • There is no obvious ‘report a bug’ button on Slideshare
  • Slideshare is owned by LinkedIn (no ‘report a bug’ button)
  • LinkedIn is owned by Microsoft (no ‘report a bug’ button)

Now, if there was a bug bounty I would have some additional incentive and I would go beyond my workaround to find the actual edge case limits make it repeatable and see if I could exploit the bug.

As it is, I won’t.

Unfortunately companies do rely on customers raising bugs in their system.

Don’t Brag About not Testing

I read a blog post by a small software company recently, who make a piece of software that I was about to evaluate, entitled “Why we don’t test”. Which seemed designed to say “Alan, do not evaluate this software or use it for any of your data.”

A LinkedIn/SlideShare Bug

The LinkedIn bug is an example of a fairly common pathology set that it is worth being aware of.

  • Errors not reported to the user
  • Front End Validation not matching backend

The situation was:

  • Try to upload a pdf to slideshare, with a title and description etc. The ‘publish’ button is then disabled as the upload happens. Then no indication to the user that the ‘publish’ has finished or the success state of the publication.

All I knew was - hit publish, pdf not published because it doesn’t appear in my uploads. No error message. No way to ‘resend’.

Workaround

I decided to ’edit’ an older presentation to see how much I actually needed to ‘submit’ on creation because it was becoming painful copy and pasting everything into the upload for an having it fail.

Fortunately, this has happened to me before with SlideShare so every time I upload to SlideShare I either:

  • write the title, description, tags etc. into Evernote and then copy and paste from there
  • write the info into the submit form, and copy from the form into Evernote, before I hit ‘upload’

I use a similar process to the above on pretty much every site I use that uploads a form:

  • shopping sites
  • conference submissions
  • slideshare
  • youtube uploads
  • goodreads
  • etc.

Pretty much anywhere there is a ‘form’ I don’t trust it. So this is a fairly common set of problems online.

And the situation usually gets worse when the form uses an XMLHTTPRequest to submit the form via JavaScript.

Having identified that I can edit - pretty much everything after uploading:

  • title
  • description
  • tags
  • uploaded slideshare pdf

I uploaded the pdf with a title and the title copied into the description. And lo it uploaded and I then edited it to get it ‘right’.

I found the problem

The problem was then easy to see on the edit screen.

The edit screen has some visible validation on the form fields. And when I pasted in my description the system told me “should be limited to 3000 characters”:

  • What should?
  • I assume the description because that was what I edited
  • Should the “should” which starts the sentence “should be limited” start with a capital letter and read “Should”? Or was there supposed to be text before it that says “The description field “?

Anyway….

  • The description field in this form actually has a JavaScript ‘character count’ display, so that when you are typing the description you can see if there are limits
  • This character count doesn’t help when you copy and paste, because you lose your input when the form refreshes with the error message

But at least the problem is visible here, an error message is displayed, and I can adjust my behaviour.

I found another problem

After a little while, SlideShare sends you an email telling you that your slide deck has been uploaded:

What I find interesting about this is that the upload process is not fully transactional.

I assume that:

  • it managed to upload the pdf
  • created a temporary title based on the filename
  • failed to process the text form details

Given that this email came through I suspect that on the Slideshare server there exist phantom uploads for slide decks that have failed the text processing stage of the upload.

  • if they exist, I can’t delete them
  • does Slideshare automatically delete them?

Sadly no bounty

Sadly SlideShare have no bounty to share,

And of these bugs, they may be unaware,

I have a workaround, and blog post, so I don’t really care,

This might impact someone else, and that isn’t fair,

But it won’t happen to you, because you know to beware,

And now this post is ended, “It’s finished” I declare,

“C’est fini”, with no further fanfare.


Based on - instagram.com/p/BYaYU20gDu8