Misstep 11: To Read This, Pay -$5

Before you run away, there’s no paywall here. I’m not an awful news company unfamiliar with AdBlock, after all 😉

This is the third post in a series that, honestly, details how I should never have become a developer. Read the others if you want to see how I screwed up, and learned, from bad design during my “learning” period.

Thanks for the Karma, kind stranger!

Like Reddit’s karma system, I used meaningless internet points as an incentive to get people to use my website. I didn’t charge to use it, and I didn’t even show ads (not for a long time, anyway). It meant a lot to me that people wanted to use a site I built. So, you’d earn “points” by adding informative articles, voting on them, and having other folks vote on your articles.

But what use is a currency if you cannot transfer it between users? Did I invent the first digital currency? Lol, no. But I wanted to.

What did I do right?

  • I treated this like a bank would treat a financial transaction. I kept a full log of every single transfer that happened.
  • I sent a message to the user programmatically whenever a transfer occurred.

So, without transaction fees, international fees, or interest rates, I allowed users to move “funds” between their accounts:

// Balance of the logged-in sender; $amt is the requested transfer amount.
$funds = $member["points"];

// Cannot transfer more than you currently have.
if ($funds < $amt) {
    exit("<font size='4' color='#ff0000' face='arial'>Insufficient funds to process transaction!</font>");
}

// Cannot transfer zero or a negative amount (this is the check that was missing in v1).
if ($amt < 1) {
    exit("<font size='4' color='#ff0000' face='arial'>I'm sure they'd like a POSITIVE amount...</font>");
}

Alright, sweet. You cannot:

  • Transfer more “funds” than you currently have in your account
  • Transfer a negative amount.

Anyway, this is about missteps, and thankfully I caught this one pretty fast. You could transfer points to another user, but the second check wasn’t there in v1. That meant you could ask to transfer -5000, and I’d take 5,000 points out of the other person’s account and deposit them into yours.

Thankfully, the audit logs and an honest user base flagged this very quickly, and I was able to reverse the invalid transfers (and throw some points to the folks who found it as a finder’s fee). The next morning I had it corrected by adding the second check.
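The same transfer logic as an added example (my code, not the post’s, and in Python against an in-memory SQLite ledger rather than the site’s PHP, so the two versions can be run side by side). The `members` and `transfers` tables, the member names and the starting balances are all constructed for the example. `transfer_v1` reproduces the v1 behaviour described above: “-5000” sails past the insufficient-funds check and drains the other account. `transfer_v2` adds strict amount parsing and, going one step beyond the post, folds the balance check into a conditional UPDATE inside a transaction, so two concurrent requests racing the check-then-act window cannot overdraw an account either.

```python
import re
import sqlite3


class TransferError(Exception):
    """Raised when a transfer is rejected; the ledger is unchanged when it is raised."""


def open_db():
    """Constructed sample ledger: hypothetical schema and two made-up members."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, "
        "points INTEGER NOT NULL CHECK (points >= 0))"
    )
    conn.execute(
        "CREATE TABLE transfers (id INTEGER PRIMARY KEY AUTOINCREMENT, "
        "sender INTEGER, recipient INTEGER, amount INTEGER, "
        "ts TEXT DEFAULT CURRENT_TIMESTAMP)"
    )
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)",
                     [(1, "alice", 100), (2, "bob", 5000)])
    conn.commit()
    return conn


def balance(conn, member_id):
    return conn.execute("SELECT points FROM members WHERE id = ?",
                        (member_id,)).fetchone()[0]


def transfer_v1(conn, sender, recipient, amt):
    """The v1 logic from the post: only the insufficient-funds check.
    A negative amount passes it (funds < amt is false for any negative amt),
    and the two updates then move points from recipient to sender."""
    amt = int(amt)  # the form field arrives as a string
    if balance(conn, sender) < amt:
        raise TransferError("Insufficient funds to process transaction!")
    with conn:
        conn.execute("UPDATE members SET points = points - ? WHERE id = ?", (amt, sender))
        conn.execute("UPDATE members SET points = points + ? WHERE id = ?", (amt, recipient))
        conn.execute("INSERT INTO transfers (sender, recipient, amount) VALUES (?, ?, ?)",
                     (sender, recipient, amt))


def parse_amount(raw):
    """Accept only an ASCII positive-integer literal from the form.
    Rejects '-5000', '0', '5.0', '1e3', ' 5', '' and non-ASCII digits
    (int('\u0663') would happily return 3). Returns an int >= 1."""
    if not isinstance(raw, str) or not re.fullmatch(r"[1-9][0-9]*", raw):
        raise TransferError("I'm sure they'd like a POSITIVE amount...")
    return int(raw)


def transfer_v2(conn, sender, recipient, raw_amt):
    """Hardened transfer: validate the amount before touching the ledger, forbid
    self-transfers, and make the debit conditional on the balance so the check
    and the update are one atomic statement. Returns the amount moved."""
    amt = parse_amount(raw_amt)
    if sender == recipient:
        raise TransferError("Cannot transfer points to yourself")
    with conn:  # commits on success, rolls everything back on any exception
        cur = conn.execute(
            "UPDATE members SET points = points - ? WHERE id = ? AND points >= ?",
            (amt, sender, amt))
        if cur.rowcount != 1:
            raise TransferError("Insufficient funds to process transaction!")
        cur = conn.execute("UPDATE members SET points = points + ? WHERE id = ?",
                           (amt, recipient))
        if cur.rowcount != 1:
            raise TransferError("Unknown recipient")  # debit above is rolled back
        conn.execute("INSERT INTO transfers (sender, recipient, amount) VALUES (?, ?, ?)",
                     (sender, recipient, amt))
    return amt


if __name__ == "__main__":
    db = open_db()
    transfer_v1(db, 1, 2, "-5000")  # alice "sends" -5000 and takes bob's 5000
    print("v1 after -5000:", balance(db, 1), balance(db, 2))
    db = open_db()
    try:
        transfer_v2(db, 1, 2, "-5000")
    except TransferError as e:
        print("v2 rejected:", e)
```

Note that the `CHECK (points >= 0)` constraint alone would not have caught the v1 bug: after the -5000 transfer both balances are still non-negative. The sign check on the input and the conditional debit are separate defences, and both are needed.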

This is a great example of where QA folks (and automated QA tools) may find some legitimate screwups in your code, and for everything else, penetration tests and scanning tools may find the rest.

Thanks for taking the time to read this week’s post! See you next week!

About Author


Robert Lerner