Best of…: Best of 2016: The Website Hacker
An investment bank had just completed development on a new digital retailing platform. Daniel was assigned to a cross-functional automated test team, gearing up to test the platform's web application, or at least trying to. Charlie, a veteran manual tester from QA, had been vocal in his opposition.
"Automated tests need to be tested themselves, which means the testers need to test the tests, so automation doesn't save anything. If anything, it creates more work! Besides, we should always be striving to recreate the user experience as closely as possible!"
Daniel and the other developers insisted that manual testing was valuable, but automation needed to happen too. The conflict marched up the org chart, culminating in a meeting with Charlie's boss, Daniel's boss, their bosses, their bosses' bosses, all the way up to where these branches of the organization finally joined.
The verdict was handed down. Charlie was appointed the leader on testing the web application, running through the same test cases in a manual fashion to catch any problems that fell through the cracks.
The team (developers, QA, and a tech lead) all abandoned their cubes to huddle together in a large conference room. Everything went smoothly until one afternoon, when Charlie piped up with the nervousness of one staring down a cobra poised to lash out.
"Fellas? I don't know how I did it, but I hacked into the website somehow. I see all of the code."
The people seated closest to him glanced up from their work to trade frowns.
"What do you mean?" Daniel asked, glancing across the table at Charlie.
"I'm in the browser, and I can see all of the code!" Charlie explained. "I've hacked into the website. I see stuff like, 'div class equal sign-'"
In other words, the HTML source. Those who were listening in burst into relieved laughter, prompting everyone else in the room to quit their work and pay attention to the faux emergency.
The far more patient tech lead bit her bottom lip to hide her grin. "Charlie, it sounds like you opened the developer tools in Chrome by accident. Press F12, it'll go away."
Charlie hunted down the key and pecked it with a single loud stroke. "OK, it's gone," he said as though he'd just diverted a nuclear strike. His gaze swept over the room with a mix of urgency and confusion. "I'm still really concerned. That shouldn't happen!"
"It's supposed to do that," Daniel explained. "Go to any website you want, you can do that on any of them."
"What?!" Charlie flipped to a different browser tab, then pressed F12 again. "What?! No!"
Another burst of laughter drowned out his concern.
"Check out the leet haxxor here," one of the developers cracked.
"Step away from the computer, Charlie, before you hack the whole Internet!" another developer commanded, pointing a finger-gun at the hapless tester.
"Charlie, it's just-" Daniel tried to say.
"We can't keep using this browser!" Charlie declared. "I'm raising a defect for this!"
"All browsers have something like that for debugging purposes," Daniel explained. "It's not just Chrome."
But as the giggles continued around him, Daniel's plea seemed to fall on deaf ears. Charlie tabbed over to their bug tracker and took to some furious hunting and pecking.
Daniel shook his head. Let Charlie log his defect if it made him feel better. Surely no one would take it seriously.
Unfortunately, QA heads and project leads took "security threats" very seriously. The conflict escalated up through bosses, bosses' bosses, and eventually, the verdict was handed down. To avoid exposing code to users, further web development and testing involving Chrome was suspended company-wide.