All posts by Mindful tester

Reverse Engineering an Account Takeover or what I discovered while updating my email address – part 1

Observations lead to discoveries.

Observations

Last year I made a switch to another mail provider. In order to get the mail in the right inbox I had to change my email address for many accounts. Administration is not one of my favourite things.

To make a start, I chose the most frequently used accounts. I logged in to one account using my email address and password. The obvious way to update my email address was to go to the Settings or Account section of my account.

I found my old email address waiting for an update. So, what was I waiting for? I changed the email address and got a message that a verification mail had been sent to my new email address. I had already checked the entered email address twice. What was the need for verification?

Time to watch the inbox of my new email account. And yes, there was an email with a link to verify that the email address actually existed. That sounded logical to me. I clicked the link, and then things changed.

In the inbox of my old mail account, I got a message that my email address had been changed. That was quite polite.

As a tester I found a security hole. Again.

Discoveries

Naming the terms

If someone else posted something bad on my social media account, this could lead to reputation damage. If someone else ordered something on my shopping account, I would lose money.

If someone else has the user id and the password of one of my accounts, an account takeover has taken place. That is something I would like to avoid.

In the world of technology it takes a lot of time and energy to make a product or app which is better than the competing products or apps. In certain cases, it is possible to look at parts of an existing product and figure out how it works.

A program is a system which contains instructions for the computer to do certain tasks. Why should I not use reverse engineering for a cyber security attack? It is just a list of steps.

Using my observations, I could make a test idea for an account takeover.

Naming the conditions

As a tester I have to look at security. If I use my observations, how would I do an account takeover? In other words, how do I reverse engineer an account takeover?

Sketching a test idea

Here is a rough description to take over an account.

If a laptop is not locked and an account has been opened, then change the email address in the Settings or Personal information section.

Open the verification mail in the mailbox of the new mail address and follow the instructions.

If the mail about the mail address change is sent to the inbox of the old email address, remove it from the inbox. Then remove the mail from the Trash.

Later, go to the Login Page, press on the link ‘Password forgotten’, and follow the instructions.

The account has a new user id and new password. The account has been taken over.
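The weakness in the flow above is that the only confirmation goes to the new address, while the notice to the old address can simply be deleted. The added example below (not code from the original post; all class and method names are invented) models that flow as WeakService, and beside it a HardenedService that re-asks the current password and also requires a confirmation from the old address before the change takes effect.

```python
# Added example (not from the original post): a toy model of the email-change flow
# described above. WeakService verifies only the new address; HardenedService also
# demands the current password plus a confirmation from the old address. All names
# are invented for illustration.
import secrets
from dataclasses import dataclass

@dataclass
class Account:
    email: str
    password: str
    pending_email: str = None
    new_token: str = None  # mailed to the new address
    old_token: str = None  # mailed to the old address (hardened flow only)

class WeakService:
    def request_change(self, acct, new_email):
        acct.pending_email, acct.new_token = new_email, secrets.token_urlsafe(16)
        return acct.new_token
    def confirm_new(self, acct, token):
        if not secrets.compare_digest(token, acct.new_token or ""):
            return False
        acct.email, acct.pending_email, acct.new_token = acct.pending_email, None, None
        return True

class HardenedService(WeakService):
    def request_change(self, acct, new_email, current_password):
        if not secrets.compare_digest(current_password, acct.password):  # open session is not enough
            raise PermissionError("re-authentication failed")
        acct.old_token = secrets.token_urlsafe(16)
        return super().request_change(acct, new_email), acct.old_token
    def confirm_old(self, acct, token):
        ok = secrets.compare_digest(token, acct.old_token or "")
        if ok:
            acct.old_token = None
        return ok
    def confirm_new(self, acct, token):
        # The new-address link completes nothing until the old address has agreed.
        return acct.old_token is None and super().confirm_new(acct, token)

def weak_outcome():  # returns where a 'Password forgotten' mail would now go
    acct, svc = Account("old@example.test", "pw"), WeakService()
    svc.confirm_new(acct, svc.request_change(acct, "new@example.test"))
    return acct.email

def hardened_outcome():
    acct, svc = Account("old@example.test", "pw"), HardenedService()
    new_tok, _ = svc.request_change(acct, "new@example.test", "pw")
    svc.confirm_new(acct, new_tok)  # refused: the old address has not confirmed
    return acct.email
```

In the weak flow the password-reset mail now goes to the new address; in the hardened flow it still goes to the old one until that address confirms.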

Recommendations for the user

Log out or lock the laptop if you leave it unattended.

Check your accounts regularly.

Only open accounts if needed.

Use two-factor authentication.

Looking forward

In the next blog post I will describe a situation with a high level of security and appropriate measures.

To be continued.

How to convince a tech outsider with a car

Sharing a concern

A few years ago, I talked with a man about accessible programs. People with disabilities have problems with certain programs. If someone has a problem with sight, then a screen reader is important to understand the program. If this program has not been set up in the proper way, then the user does not hear what is going on.

I said that it was difficult to change the code. In return I got a weary glance. He was probably thinking about replacing some lines of text by other lines.

The man did not know anything about software engineering. It was time to use an example which was understandable for him.

Throwing in a car

So, I asked him: “Name a car brand.”
He answered with: “Porsche.”
That man had an expensive taste. How could I beat that?

I remembered another car brand:
“I have a Lamborghini.”
He exhaled.

Then I mentioned a task:
“Replace the engine of the Porsche with the engine of the Lamborghini.”
He tried to imagine how to accomplish this task. With a worried face he gave up:
“It is not possible.”

Then I said:
“Making existing code accessible is like replacing the engine of a Porsche with the engine of a Lamborghini.”

Owing an explanation

The first step is to put the engine into the car. Of course, nuts and bolts might be reused. But are the holes in the engine in the same places as the holes in the chassis?

Keep your engine on board.

The next step is to connect the moving parts of the engine to the rest of the car. An example is the axle that turns the wheels.

The main purpose is turning the wheels instead of making impressive sounds.

It is also important to realise that changing an engine can have an impact on other parts of the car. A project member once told me that people forgot to improve the brakes after upgrading the engine.

Keep a good grip.

Apologising for the scale

While blogging, I described an extreme case of replacement. There are programs or web sites which can be made accessible in a simpler way under the right conditions.

Things which were not on my 2024 bingo card

A while ago I was one of the translators of “Agile Testing Condensed” by Lisa Crispin and Janet Gregory. I used dictation and screen readers to translate text from English to Dutch. One of my blog posts about my experiences got the attention of a test company on the internet.
https://www.linkedin.com/pulse/best-test-reporting-tools-2024-lambdatest-bpjye/?trackingId=a42I9SPaRE6%2Bp0mTX7tDuw%3D%3D

This spring my kids’ school organised a job event. I talked about testing and finding interesting bugs. The challenge for me was to talk about testing using an absolute minimum of technical stuff.

I got a remarkable notification from the Club of the Ministry of Testing. I was in the top 10 of people with the highest number of days visiting the Club in 2023.

With GDPR in my mind, I reported an incident about a data leak. I got a response.

My strangest feat of this year was drinking coffee, while reading a book on the table and looking forward instead of down. I did not use a straw. I was reading braille.

At the beginning of 2024 there was no news about the Dutch Braille Challenge. Then I heard that the second edition would take place. The goal is to stimulate people to use braille. There were groups for absolute beginners, people with some basic skills, and experts.

This summer I saw the quantum processor and a Babbage machine in the Science Museum in London. A quantum processor is a very fast processor, but it must be handled with special care. The Babbage machine was a calculator developed 200 years ago.

This July I felt the underground while sitting on a bench.

This year I wrote some blog posts about testing, System 1, and System 2. I added new lyrics to “My Favourite Things”, “Take Me Home, Country Roads”, and “Miss American Pie”. A music teacher once challenged me to make song texts which rhymed. It took me a few years to accomplish the feat with “Miss American Pie”.