nikitaavvakumov

nikitaavvakumov

UUID corruption in emailed links?

Hi all,

I’m hoping for some insight into a strange issue.

Our app’s Ecto repo is configured to use as primary keys UUIDs in the standard 8-4-4-4-12 format. The app periodically sends out emails with links to resources, such as /orders/<order_uuid>. Emails are generated using Bamboo with EEx templates for both HTML & plain text and sent via SendGrid.

In over 99% of cases, everything appears to work as intended. However, the app occasionally logs an Ecto.Query.CastError error after someone visits a URL that contains an odd string in place of the UUID. Here are a few typical examples: “NjBlNjhlZW”, “MjA1MDNhZT”, “NmMzYzhiZT”, “ZDQzNDYwZj” - 10 characters, upper- and lower-case letters, rarely containing a number. Given their format, these are clearly not carelessly copy-pasted UUID fragments but something else entirely.

None of the supposedly affected users have contacted us, so we can’t connect these strings to UUIDs that should have been in those links.

Is it possible that these links are actually generated by the app when it interpolates UUIDs into the URLs? Could it have something to do with character encoding used by certain email clients? Do these 10-character strings ring any bells at all?

Any help or hints towards a possible explanation will be much appreciated.

Most Liked

easco

easco

I note that if you take such a string and decode it as a base64 encoded value you get back something that is a valid hexadecimal number. For example:

iex(7)> Base.decode64("ZDQzNDYwZj", padding: false)
{:ok, "d43460f"}

But they each seem to decode to a seven digit Hex number so I’m not sure how that might relate to a UUID.

At work we have a front-end on our mail system that rewrites the URLs on incoming messages as a security measure against bogus URLS (I think it’s this - https://www.proofpoint.com/us). Could it be that some of your users are using something similar which looks for “high entropy” hexadecimal strings and tries to protect the user that way?

sribe

sribe

I see similar requests all the time, in bursts, and I do NOT have inbound links that use UUIDs. I have assumed that they are some kind of probe or attack.

Where Next?

Popular in Questions Top

sergio
In Ruby, I can go: User.find_by(email: "foobar@email.com").update(email: "hello@email.com") How can I do something similar in Elixir? ...
New
marius95
Hello everyone, I try to use an Javascript Event Handler in my root.html.leex file. Therefore I created a function in the app.js file: ...
New
mcarvalho
What is the difference between System.get_env and Application.get_env? For example, what are best practices to use one versus another.
New
tduccuong
Hi, is there any work on GUI with Elixir, that is similar to Electron/Javascript? My idea is to bundle Phoenix and BEAM into a single se...
New
Fl4m3Ph03n1x
About me? ( if you have nothing better to do than reading about some random guy in the internet :stuck_out_tongue: ) Hello all, this is ...
New
jerry
Good day to you all. I have been struggling to get a query involving like and ilike to work. Can anyone assist me on this, please? pro...
New
romenigld
I am trying to run a deploy with docker and I successfully runned with this command: docker build -t romenigld/blog-prod . but when I t...
New
earth10
Hi, I’m just starting to build a side-project with Elixir and Phoenix and doing some basic test with Elixir alone. What strikes me is th...
New
vegabook
I’m brand new to Phoenix and I have stripped one of the demo applications to the bone. I just want to get an svg up on the screen. Here i...
New
jononomo
For some reason my phoenix channels are working for me in my local dev environment, but as soon as I deploy via Docker, I get a 403 error...
New

Other popular topics Top

Harrisonl
We have an ECS cluster with 4 services, where each task joins a single cluster, via discovery ECS discovery service. Currently when I de...
New
chrismccord
As promised, the first release candidate of Phoenix 1.3.0 is out! This release focuses on code generators with improved project structure...
New
johnnyicon
Hi all, I’ve just started learning Elixir and Phoenix Framework, so please pardon my n00bness at this stage. I’m trying to use Postgres...
New
fireproofsocks
Forgive me if this is obvious, but how does one delete a database record WITHOUT selecting it first? Ecto.Repo — Ecto v3.14.0 has exampl...
New
josevalim
Hi everyone, One of the features added to Elixir early on to help integration with Erlang code was the idea of overridable function defi...
New
AngeloChecked
What learn first? Rust or Elixir Hi Elixir community! I’m here because i want learn a new language. I’m a junior developer and mainly i ...
New
Qqwy
Original source of discussion: This topic on the Pragmatic Programmers’ Functional Web Development with Elixir, OTP, and Phoenix forum. ...
New
bsollish-terakeet
Credo is smart enough to check for (something like) this: assert length(the_list) == 0 with this response: Checking if an enum is empt...
New
romenigld
I am trying to run a deploy with docker and I successfully runned with this command: docker build -t romenigld/blog-prod . but when I t...
New
jononomo
For some reason my phoenix channels are working for me in my local dev environment, but as soon as I deploy via Docker, I get a 403 error...
New

Latest on Elixir Forum

Elixir Forum

We're in Beta

About us Mission Statement