23 February 2010

Store Locator - Software Bug or Security Vulnerability?

Testing a web site is important, and smoke/regression testing would normally be undertaken each time the web site's code is updated or extended. But what about third party code and data on your web site? I was using a shop's store locator and it wrongly identified the two closest store locations to Farringdon Station in Clerkenwell, EC1M. Both Euston Station NW1 and Canary Wharf E14 are further away than the third result, Cheapside.

Partial screen capture showing the website's store locator search for 'Farringdon, London, EC1M, UK' revealing the nearest stores as Euston Station NW1 and Canary Wharf E14, followed by Cheapside EC4M and Covent Garden WC2E, with full address details masked

Intrigued, I zoomed in on the map and the ordering of the first two results swapped. And the data point for Canary Wharf seems to be located in the centre of the City of London, instead of its actual location downriver on the Isle of Dogs. The data point for the first result wasn't even displayed.

Partial screen capture showing the generated Virtual Earth map positioning Canary Wharf 5 miles off-position in the middle of the City of London

So is this a third party problem, or something else? Well, without investigating further you can't really tell, but it's the concept that matters.

This inaccuracy is worrying for a number of reasons:

  • Customers may have difficulty locating shops.
  • It undermines customer confidence and therefore trust in the brand.
  • It indicates a lack of care in the web site's development and may put off online shoppers.
  • It could indicate the presence of a security vulnerability which could be exploited to damage the site, its data or its users.
  • The same geo-location code may be used for other internal calculations such as marketing data processing that affect business decisions.

If you are including functionality or data from third parties, you need to know when that system or service is updated. This notification requirement should be built into contracts. In this case, the data being returned may be inaccurate, formatted in an unexpected manner, or be exposing a fault in your own processing of the data. Input validation on the data provided by the third party, and output validation on what you are about to send back to the web site user, need to test for reasonableness as well as performing the more technical checks. Why not cross-check that the first result's postcode is closer than the second and the third?
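The reasonableness check suggested above, as an added example that is not from the original post: it cross-checks each result's plotted position against an independent geocode of its postcode and verifies that the results come back in ascending distance order. The postcode centroids, the sample response and the 1 km drift threshold are constructed approximations, not the shop's data.

```python
from math import asin, cos, radians, sin, sqrt

# Constructed, approximate centroids for the postcode districts named in the
# post, standing in for an independent geocoder (not the locator's own data).
POSTCODE_REF = {
    "EC1M": (51.5203, -0.1053),  # Farringdon
    "NW1": (51.5282, -0.1337),   # Euston
    "E14": (51.5054, -0.0235),   # Canary Wharf, Isle of Dogs
    "EC4M": (51.5140, -0.0940),  # Cheapside
}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def check_results(query_postcode, results, drift_km=1.0):
    """Return reasonableness problems in a locator response (empty list = OK)."""
    problems = []
    q_lat, q_lon = POSTCODE_REF[query_postcode]
    furthest_so_far = -1.0
    for i, r in enumerate(results):
        if not (-90 <= r["lat"] <= 90 and -180 <= r["lon"] <= 180):
            problems.append(f"{i}: {r['name']} has impossible coordinates")
            continue
        ref = POSTCODE_REF.get(r["postcode"])
        if ref is None:
            problems.append(f"{i}: {r['name']} has unknown postcode {r['postcode']}")
            continue
        # Cross-check the service's plotted point against the independent geocode.
        drift = haversine_km(r["lat"], r["lon"], *ref)
        if drift > drift_km:
            problems.append(f"{i}: {r['name']} plotted {drift:.1f} km from {r['postcode']}")
        # Rank by the independent geocode: results must be in ascending distance.
        km = haversine_km(q_lat, q_lon, *ref)
        if km < furthest_so_far:
            problems.append(f"{i}: {r['name']} ({km:.1f} km) is closer than an earlier result")
        furthest_so_far = max(furthest_so_far, km)
    return problems

# Constructed response mirroring the post's search: Canary Wharf's point sits
# in the City of London rather than on the Isle of Dogs.
SAMPLE_RESULTS = [
    {"name": "Euston Station", "postcode": "NW1", "lat": 51.5282, "lon": -0.1337},
    {"name": "Canary Wharf", "postcode": "E14", "lat": 51.5130, "lon": -0.0900},
    {"name": "Cheapside", "postcode": "EC4M", "lat": 51.5140, "lon": -0.0940},
]
```

Running `check_results("EC1M", SAMPLE_RESULTS)` flags both the misplaced Canary Wharf point and Cheapside appearing after a more distant result.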

It may just be a problem with the company's own data, but that's even more worrying.

Posted on: 23 February 2010 at 11:12 hrs



Page http://www.clerkendweller.com/2010/2/23/Store-Locator-Software-Bug-or-Security-Vulnerability

© 2010 clerkendweller.com