16 Mar 2012

When users out-think you

A client wanted to prevent paid users of their product from sending messages containing email addresses to the free users. The client felt that allowing such exchanges to happen would make the free users less inclined to upgrade to a paid account. Anyhow, we went ahead and implemented a robust email masking “feature” which blanked out any fragment of text that appeared to be an email address. We felt pretty smug about it because it could even catch smart users who pulled tricks like john at example dot com. Heck, we had automated tests to cover all those edge cases and hairy scenarios!

The users defeated the system in the following ways:

You can contact me off here – jack sp 1967 at g mail (all in one address).
Take the first letter from each of the following words: please don’t count rabbits because they increase everyone’s expectations at great mayhem and internal lost dot clouds over mountains.
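To make concrete what a filter like the one described above can and cannot see, here is an added Python example; it is not the client's code, which the post does not show. It is a regular-expression masker that blanks plain addresses and the spelled-out “at”/“dot” form, then runs over constructed messages shaped like the ones quoted here. The addresses and the split-across-messages sample are made up for this example. The filter catches the spelled-out case the post says was covered and, exactly as the post describes, passes the free-text variants through untouched.

```python
import re

MASK = "[email masked]"

# Plain form: user@example.com (constructed sample inputs below, not real users' mail).
PLAIN_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Spelled-out form: "john at example dot com", "john (at) example (dot) com".
# The "at" and "dot" tokens must be surrounded by whitespace or bracketed, and a
# "dot <tld>" tail is required, so ordinary sentences containing "at" are left alone.
AT = r"(?:\s+at\s+|\s*(?:\(at\)|\[at\])\s*)"
DOT = r"(?:\s+dot\s+|\s*(?:\(dot\)|\[dot\])\s*)"
SPELLED_EMAIL = re.compile(
    r"\b(?P<user>[A-Za-z0-9._%+-]+)"          # one token before "at"
    + AT
    + r"(?P<domain>[A-Za-z0-9-]+(?:\s+[A-Za-z0-9-]+){0,2})"  # "g mail", "example"
    + DOT
    + r"(?P<tld>[A-Za-z]{2,6})\b",
    re.IGNORECASE,
)


def mask_emails(text: str) -> str:
    """Blank out every fragment of a single message that looks like an address."""
    text = PLAIN_EMAIL.sub(MASK, text)
    return SPELLED_EMAIL.sub(MASK, text)


def mask_messages(messages: list[str]) -> list[str]:
    """Filter each message on its own, which is all a per-message filter can do."""
    return [mask_emails(m) for m in messages]


# Constructed samples mirroring the three kinds of input discussed in the post.
SPELLED_OUT = "contact john at example dot com for details"
FREE_TEXT = "You can contact me off here - jack sp 1967 at g mail (all in one address)."
ACROSTIC = (
    "Take the first letter from each of the following words: please don't count "
    "rabbits because they increase everyone's expectations at great mayhem and "
    "internal lost dot clouds over mountains."
)
# Nine separate messages that only spell an address once joined together.
SPLIT_MESSAGES = ["j", "o", "h", "n", "@", "exam", "ple", ".c", "om"]


def survivors() -> dict[str, bool]:
    """Which constructed inputs get through the masker unchanged (True = leaked)."""
    return {
        "spelled_out": mask_emails(SPELLED_OUT) == SPELLED_OUT,
        "free_text": mask_emails(FREE_TEXT) == FREE_TEXT,
        "acrostic": mask_emails(ACROSTIC) == ACROSTIC,
        "split": mask_messages(SPLIT_MESSAGES) == SPLIT_MESSAGES,
        # The same nine fragments seen as one string are caught, so the gap is
        # the per-message scope of the filter, not the pattern itself.
        "split_joined": mask_emails("".join(SPLIT_MESSAGES)) == "".join(SPLIT_MESSAGES),
    }


if __name__ == "__main__":
    print(mask_emails(SPELLED_OUT))
    for name, leaked in survivors().items():
        print(f"{name:12s} {'leaked' if leaked else 'masked'}")
```

The user part is limited to a single token on purpose: a leftmost regex match that accepts several tokens before “at” would swallow ordinary words such as “contact” into the mask. Widening it trades precision for recall, and neither setting touches the acrostic or the split messages, which carry no pattern a per-message filter can match.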

When we were implementing the email masking functionality, at one point, I was wondering whether we were going overboard in coming up with all kinds of ways to break the system. In fact, I’m sure I even thought, “Huh, these are probably non-technical folks, so we don’t have to go to really convoluted lengths”. Boy, was I wrong.

My favorite exploit included sending the email address using NINE separate messages:


I’m sure even if we had spent two more weeks on the masking feature, we wouldn’t have been able to catch that one!

NOTE: the above messages do not, of course, contain the actual email addresses of the users.

