Who, Me? Greetings and salutations, mighty reader, and welcome once again to Who, Me? in which Register readers like you share tales of the times your effort to deliver tech support went awry.

This week meet a reader we'll Regomize as "Toby" who once worked as a marketing consultant and tech guy - quite the combination - for a digital marketing agency. Basically, as he puts it, "anything that involved code fell into my lap."

One fine day, a client approached this agency looking for an update to its CRM system. The existing CRM was "horrific" according to Toby: "there was no input validation, and it was entirely local and could only operate on one single computer."

Ergh. Obviously an update was needed.

To make things even more fun, the client wanted a new website at the same time as its shiny new CRM, with the added requirement that the contacts on the CRM had to sync with the user accounts on the website, and vice versa. Not in itself too complicated, but the website was being handled by an external agency that was in a different time zone to Toby's agency.

The solution devised was to send webhooks from the site using a WordPress plugin to the CRM whenever something was updated. The CRM would then do the same thing, back to the site, using Zoho Flow.

It sounded good in theory. In initial testing, it behaved as expected, so all was good. The data uploaded as expected, webhooks were sent, data was updated on the other side, and everyone was happy.

So, with a day's satisfactory work done, Toby clocked off.

Then of course the next day arrived, as it was wont to do. When Toby got to work, he opened his email to find an urgent request: "Any clue why we have something like 500 requests to update user?"

Toby did not, as it happened, have a clue. But he soon found one.

It transpired that as Toby slept, the web agency had done its own testing by uploading a payload to update a user on the CRM. The CRM had responded by updating the user and sending a web hook back to the site, which had responded by sending another payload to the CRM. The CRM responded by updating the user and sending more webhooks … and so on ad infinitum.

Or not quite ad infinitum. More like ad until the agency’s Zoho credits ran out. And when they ran out, the webhooks stopped, and everything ground to a halt. The project had been effectively crippled by a self-inflicted DDoS.

Toby had, unwisely, assumed that the web agency had safeguards in place to prevent this kind of recursion. The agency had, unwisely, assumed Toby would build in such safeguards. Since we all know the cliché about what happens when you assume, we will not repeat it here. Suffice to say everyone was an ass.

The worst part was that the Zoho subscription for Toby's agency had only been renewed a few days before, and this little goof had used up the entire allowance for the month. What's more, this client was far from the only thing for which the agency relied on Zoho. So the lack of communication between agencies didn't cause too much of a problem for the client (the system was still in testing after all) but it had a big impact on Toby's employer.

Ever found yourself in the middle of a mess that could have been avoided if only someone had said something? Well, don't keep it to yourself, communicate it to Who, Me? and we'll share your object lesson with others, so they may avoid the same fate. And get a chuckle. ®

https://www.theregister.com//2024/01/22/who_me/