Kiosk mode bypass for an Ariane Allegro Scenario Player based hotel check-in te (pentagrid.ch)
102 points by todsacerdoti 8 months ago | hide | past | favorite | 54 comments



How the heck does a bug with a single quote make it past QA, let alone crash an app?

I was expecting some kind of SQL injection, which you could at least understand as a result of incompetence. Or I can similarly understand UTF-8 bugs or whatever.

But it's not like O'Brien is an uncommon name. I don't know if I'm more mystified by the fact that this made it past testing, or that rather than the reservation lookup just returning no matches it actually crashes.

I'm really trying to imagine what possible code could be crashing. I guess my best guess is an off-by-one error in a function trying to escape strings for use in a SQL query, that leads to inserting infinite quotes and running out of memory. But then I can't imagine who would be writing their own escaping function...


A QA engineer walks into a bar and orders a beer. He orders 2 beers. He orders 0 beers. He orders -1 beers. He orders a lizard. He orders a NULLPTR. He tries to leave without paying.

Satisfied, he declares the bar ready for business.

The first customer comes in and asks where the bathroom is. The bar explodes.


In 2017 Apple had a vulnerability in Mac OS Sierra that allowed anyone to unlock a computer using the user name “root” and no password.

In 2018 Apple became the first company to reach a market capitalisation of one trillion dollars.

So — in answer to “How the heck does a bug with a single quote make it past QA, let alone crash an app?”

Humans aren’t really as clever or discerning as we claim to be.


> How the heck does a bug with a single quote make it past QA, let alone crash an app?

I've reviewed code where the Linux kernel documentation states the function WILL return -1 if the feature is disabled, pointed it out in code review, they merge it later (completely ignoring my comment), then get the ticket where the user had disabled the feature in their micro-kernel and the app crashes.

Sometimes, it's like some devs just don't care about the unhappy paths.


I am an eternal optimistic developer, I don't have any unhappy paths :)


It’s not a bug, just a happy little accident


At SpaceX we call it success


"Happy-path gets all the love."


QA costs money. Why would you spend that money? The clients are captive: replacing the system would mean replacing every room lock which is serious cost and hassle.


I've added infinite loops to error paths to hang the process in a state where a debugger can be attached for further inspection, but those never went into something meant to be released. Maybe that happened here.


Sounds like it is time to link to “Falsehoods Programmers Believe About Names”:

https://www.kalzumeus.com/2010/06/17/falsehoods-programmers-...


> I guess my best guess is an off-by-one error in a function trying to escape strings for use in a SQL query,

I don't think it was crashing, but a few years ago I fixed a bug on the app I'm working on, where we had issues with apostrophes in names with SQL Server (where single apostrophes in strings have to be escaped with another one); as it turned out, another dev had written a buggy replace function, the fix was just to use the replace built in the standard lib. I don't think the dev had written a full escaping function, it was just a method to deal with the apostrophes.
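As an added example (not code from the thread or from the vendor's software) of the apostrophe handling the comment above describes: a string-built lookup that fails on O'Brien, the doubled-quote escape that a hand-rolled replace has to get exactly right, and the parameterized query that needs no escaping at all. It uses an in-memory SQLite table with constructed sample names and booking IDs.

```python
import sqlite3

# Constructed sample data: made-up guest names and booking IDs.
SAMPLE_GUESTS = [("O'Brien", "R-1001"), ("Smith", "R-1002"), ("D'Angelo", "R-1003")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reservations (last_name TEXT, booking_id TEXT)")
    conn.executemany("INSERT INTO reservations VALUES (?, ?)", SAMPLE_GUESTS)
    return conn


def lookup_naive(conn, last_name):
    # String-built query: the apostrophe in O'Brien closes the literal early and
    # the statement no longer parses. This is the crash-on-quote failure mode.
    sql = "SELECT booking_id FROM reservations WHERE last_name = '" + last_name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn, last_name):
    # Hand-rolled escaping: every single quote must become two. It works only if
    # the replace covers every occurrence, which is what a buggy replace misses.
    escaped = last_name.replace("'", "''")
    sql = "SELECT booking_id FROM reservations WHERE last_name = '" + escaped + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, last_name):
    # Preferred form: the driver binds the value, so the name never becomes part
    # of the SQL text and no escaping is needed.
    cur = conn.execute(
        "SELECT booking_id FROM reservations WHERE last_name = ?", (last_name,)
    )
    return [row[0] for row in cur]


def safe_lookup(last_name):
    # What a front-end should call: an unmatched name yields [], never an exception.
    conn = make_db()
    try:
        return lookup_parameterized(conn, last_name)
    finally:
        conn.close()


def naive_fails(last_name):
    # True when the string-built query raises, as it does for any name with a quote.
    conn = make_db()
    try:
        lookup_naive(conn, last_name)
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        conn.close()
```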


Also in these unstaffed hotels with kiosk checkin did every O’Brian just fail to check in with no recourse in a hell of automated systems? It’s clear there was no escalation path or this would have been caught sooner right? In the end it was the kiosk manufacturer that was informed by the pen tester but all that time in an entire chain of hotels O’Brians were just left hanging with no recourse.


Used to be you could crash the Home Depot POS app (same one is used for employees and self-checkout) by simply not entering in a PO number. Pretty impressive for a company that targets home gamers.


It's much more likely that O'Leary is improperly processed than it is, even by multinationals with years of experience, millions of customers, you name it.


I was surprised Ryanair (who you would expect to be top of the list for cut price software given everything else about them) handles this correctly… but then remembered the name of the CEO.


They funded the QA by charging every customer with an apostrophe in their name an extra 5 euro.


Probably 3/4 of their Irish staff would find the bug


>2024-03-07: Tried to find information how a vulnerability can be reported to Ariane Systems. The vendor does not use security.txt nor a DNS TXT record for security contact lookup. There is no information on the website how to contact the product security team. Therefore, Pentagrid initially contacted Ariane Systems via support@ariane.com.

Ugh. I've been in a similar scenario and had to report a security bug via the normal support channel for a fairly large-sized company. Never again. It was significantly more work to get the bug in front of someone who understood it and could do something about it than it was developing the exploit in the first place.

After a certain company size it should be a legal requirement to have a dedicated security contact listed somewhere.

Now, after a few good faith attempts to get an exploit in front of the appropriate person at a company, I just forget it. I'm sure there are people in similar situations who, after a few attempts to report to the company, end up selling the exploit rather than forgetting it.


Hard to forget when it'll result in your PII (if you're a customer of theirs) getting leaked, and you'll get, what, a few months of credit report monitoring?


This is pretty hilarious, because I am familiar with these systems, and the correct way to bypass the kiosk mode application is to open the little drawer at the bottom of the self check-in station, and hit Alt+F4 on the little keyboard.

Then you can plug in a USB key and do whatever you want.

Ariane doesn't give a single shit.


In my opinion it is extremely stupid to use Windows Desktop for kiosks. There are always ways to crash or minimize the kiosk app. Then you are on the loose.

With Linux and X, it is possible to run X server with a specific app inside. You crash the app, it restarts together with X server.

Of course, in Windows you can specify a different app other than Explorer.exe as "shell" and get a single app session! It just doesn't get used because:

Unfortunately, these systems seem to always have been developed by especially clueless people who only ever have seen hammers in their lives and therefore everything looks like nails.

Having said that, the quality of embedded programming always looks subpar. It's like these people see themselves as hardware makers and therefore think they can avoid learning software making 101.


It is amusing to me in a comment about a particular group only seeing hammers and nails that the presented solution focuses specifically on a singular technology / implementation.


iPads are equally great. Lock one in single-app-mode and you’re golden.


You contradict yourself: first you blame Windows then you blame clueless people.

Here's the truth: for any organization the most secure operating system is the one your people have experience in. That's it. Good Windows sysadmins can run a secure Windows shop and bad Linux sysadmins can run an insecure Linux shop. It's the people.


Thing is, it's easy to mess up a Windows kiosk - and hard to mess up a Linux kiosk.

Desktop Windows isn't made for kiosk applications at all, unlike the long gone (and barely related) Windows CE. It's all various sorts of bolted-on crapware.


I've encountered several Linux kiosks where hitting Ctrl+F3 (or 4, 5, 6, 7...etc) just immediately dropped me into a root shell on the device. It seems like most of the time if I can press Ctrl+function key, it'll almost always drop out of the kiosk app or at least give me a login prompt. Sometimes it'll bother asking for a password, sometimes not.

I've also encountered Linux kiosks where the app crashed and it is just sitting at a busybox terminal with root access as well.

If you even slightly know how Windows IoT or Embedded works, setting up a Windows kiosk is pretty dang simple. There are simple wizards baked into Embedded/IoT that walk you through it.

> Desktop Windows isn't made for kiosk applications at all

Fully agreed here. They messed up shipping this with what appears to be full-fat Windows 7. Dumb move on their part.


Windows has a kiosk mode these days... I don't know much about it, but I suspect os-level support is way better than just running a full-screen app.


Meta: title is weirdly truncated "te" should be "terminal".


I suppose it being 79 characters rather than 80 is a little bit unexpected, but I don't think I would call it "weirdly" truncated.


The fact that a single quote broke the system makes me question all of their input sanitation.


OT: I wonder if this company has ever had trademark trouble with Arianespace, and why/why not. They're even both headquartered in a suburb of Paris.


In general a trademark is only valid within a field. So Dove (chocolate) and Dove (shampoo) are not in conflict, and neither is Delta (air travel) with Delta (plumbing).


Or, for my favorite example: Monster (energy drink) vs. Monster (cables) vs. Monster (job search).



> the underlying Windows Desktop

I think I found the problem


They should be using kiosk mode which allows only one app to run and no access to the desktop.

https://learn.microsoft.com/en-us/windows/iot/iot-enterprise...


I think they are using kiosk mode.

However sometimes if you plug in a keyboard and hit ctrl-alt-del you get task manager and can run additional programs.

I can imagine the Allegro app uses a virtual keyboard of some type for this user entry, and it goes south from there.


The screenshot suggests they use Windows 7 (could be one of the IoT versions that recently still received updates, but I doubt it). I don't think 7 had the system features listed in the kiosk mode documentation.


Exactly this. They should be using a very stripped-down Windows IoT build in kiosk mode. Even for this outdated (and insecure) generation it looks like they're not actually using the Embedded version of Windows. While I don't think that had a named "kiosk mode", there were lots of things one could have done to make it not just crash to a regular full-featured desktop.


If they developed their application on Linux, you might see a Linux desktop instead.


Not the year for it


It's shocking just how many kiosk manufacturers expose the underlying OS. Ariane isn't the only one.


On Linux you can make Qt use the framebuffer directly without a window manager. With that setup there's nowhere to break out. And if it crashes to the console - no way out either with no physical keyboard present.


At my 9-5 we make kiosks based on a custom Linux system. Everything is run within Docker containers, so even if you somehow kill the UI it'll just restart the container. VT on the host OS are disabled.

I can see why most companies prefer Windows though for these types of devices. Driver issues with graphics and third party hardware are a constant pain point for us.

Unless you control the whole ecosystem and write your own drivers (e.g. smart TVs), Linux based systems are tricky. I'd imagine Windows has the same issue to some extent, but it's the default target for manufacturers, so their Windows drivers are usually better.

I feel there could be a market for a custom Linux OS aimed for these use cases. Windows licensing is not cheap when you have tens of thousands of devices, and they aren't running the 'Home' version.


Isn't the iot version of windows free?


IoT as in LTSC IoT? No, you still have to pay for a license


An actually good design would be secure even with a physical keyboard. “All” you need to do is keep the keyboard from interacting with the Linux VT system (which is not conceptually difficult).


Honestly this seems like a crazy simple client application bug; simply add a single quote as part of your name and it crashes. How does that pass even incredibly basic QA to make production? Maybe I've been blessed (or cursed?) to only work at shops with full qa teams.


Good ol' bobby tables at it again.


I think you meant Bobby O'Tables.


All of these perplexed comments about how it could happen make me feel like I live a cursed life.

Customer maybe can’t understand/accept the real cost to do a good job.

Matching this, management probably prioritises hitting deadlines over anything else and multiplying the problem by employing unskilled developers and testers to save money.


git commit -m "adding YOLO mitigations"


I'd reckon around 20% of the time I play around with some self service kiosk I'm able to get to the desktop...



