That “are you kidding me?” moment in customer support
So, my Sunbeam electric blanket died yesterday. Second one in a year.
As a dutiful consumer, I’d really like to report this to the manufacturer, get a replacement and move on. I fill out the “Contact Us” form. Then I get this ludicrous error:
So, you’re going to ask your customers to contact you when they have problems, and then you’re going to actually limit the characters they’re allowed to use in the QUESTION that they’re asking you?
Asking me to avoid using quotes, colons and semicolons in written English is completely ludicrous.
And yes, I know why they do this. It’s because they attended a course on secure programming which told them how to do input validation.
Input validation is not the shizzle
I am constantly amazed at how frequently I have to ram this point home to developers who have learned one trick to protect against injection attacks.
“Validate ALL input – reject the bad characters!” – I’ve heard this from a number of people, including security professionals.
When you CAN do strict input validation based on a restricted whitelist, of course, that’s great – “input a whole number between one and ten” is good for input validation. “Input your name” generally isn’t, because names have a habit of containing characters that are known to be ‘bad’ characters in a number of cases, such as “O’Donnell”. Apostrophes are bad in numerous cases. “Input your question”, as in this case, is likely to elicit all kinds of funky characters.
And, as I ask the candidates on my phone screen interviews, what do you do in the case when you have a web app which stores to a SQL database, and its task is to store XSS and SQL injection attacks? <sigh> Clearly, you have to use acceptable output encoding. Apparently, Sunbeam’s web developers are not good enough to know when to stop using input validation, and start using output encoding.
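To make the point concrete, here is an added example (my own illustration, not code from Sunbeam or from the original post) of a support form handler that accepts quotes, colons and semicolons, stores the text verbatim via a parameterised query, and encodes it for HTML only when it is displayed. The submissions and the character blacklist are constructed for the demo; the database is an in-memory SQLite store standing in for a real ticket system.

```python
import html
import sqlite3

# Constructed sample submissions: ordinary English the blacklist would
# reject, plus the "store an attack string" case from the interview question.
SUBMISSIONS = [
    ("O'Donnell", "Blanket died: second one in a year; model number?"),
    ("Robert", "'); DROP TABLE questions; --"),
    ("Mallory", "<script>alert('xss')</script>"),
]

# The kind of character ban the contact form applies (assumed set for the demo).
BLACKLIST = set("'\";:")


def blacklist_rejects(text: str) -> bool:
    """The 'reject the bad characters' approach: refuses ordinary English."""
    return any(ch in BLACKLIST for ch in text)


def open_store() -> sqlite3.Connection:
    """In-memory database standing in for the support ticket store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE questions (name TEXT, question TEXT)")
    return conn


def store_question(conn: sqlite3.Connection, name: str, question: str) -> None:
    """Parameterised insert: the driver keeps data separate from SQL, so
    quotes, semicolons and SQL fragments are stored as text, not executed."""
    conn.execute("INSERT INTO questions VALUES (?, ?)", (name, question))


def render_ticket(conn: sqlite3.Connection, name: str) -> str:
    """Output encoding at the point of use: escape for the HTML context."""
    row = conn.execute(
        "SELECT name, question FROM questions WHERE name = ?", (name,)
    ).fetchone()
    return "<p><b>%s</b>: %s</p>" % (html.escape(row[0]), html.escape(row[1]))


def run_demo():
    """Store every submission, then report: row count (table survived),
    the HTML-safe rendering of the XSS attempt, and the blacklist's verdict
    on a perfectly valid surname."""
    conn = open_store()
    for name, question in SUBMISSIONS:
        store_question(conn, name, question)
    count = conn.execute("SELECT COUNT(*) FROM questions").fetchone()[0]
    return count, render_ticket(conn, "Mallory"), blacklist_rejects("O'Donnell")
```

Nothing is rejected at input time, the table is intact after the injection attempt, and the script tag reaches the browser as inert text.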
Even less smart
My suspicions are confirmed when, after typing in a correctly formed question, the model number of the blanket (which, curiously, isn’t anywhere on the blanket or its controllers), the date code on the plug, and my contact details, the web page unerringly provides me with this as its response:
So, I think our next step is to contact Amazon to resolve this customer service issue properly. And not buying from Sunbeam again.