In my recent post regarding the AAA application for iPhone I omitted one juicy detail.
I clicked on “While you are waiting for battery service” and navigated to a couple of the underlying screens, for example “AAA Approved Auto Repair”. Then I navigated back (button in top left corner of the screen) to my request and to my surprise the application loaded someone else’s data!
I was able to see the request from some random dude, who was waiting for a tow for his Honda Odyssey, complete with his AAA number. I even showed this to a neighbor who happened to be walking his dog at that time. After navigating back and forth a few times I was not able to reproduce the bug, so it must be intermittent.
In my bug report I even affixed:
“As a Senior Principal Software Engineer (on hiatus) I strongly recommend that you look into this problem. Until the root cause of this bug is identified, it is conceivable that an exploit could use this bug to access random records in your request database.”
Multithreading bug on the server side? Confusion as to ID requirements on both client and server side? This is the kind of bug that could generate a good war story.
At any rate, I obtained a tracking number and the customary “definitely an unusual issue we haven’t seen before” from a human. More than one month has gone by… hopefully not swept under the proverbial rug!