Grr-izon

January 1st, 2006

Since moving to the Northeast I’ve been a customer of Verizon for my telephone and internet service. Being a customer of Verizon is basically the same as being a customer of SBC, as I used to be in San Francisco. Things basically work most of the time, but any time you need to change anything, install anything, pay anything, get anything fixed, etc., you better hold your breath and pray for the best.

Among the sad offerings at Verizon is its infuriating web page. Back in San Francisco I remember being upgraded to “SBC Yahoo!,” and that when I switched to the Yahoo-branded service, at least the web interface for things like billing and services was a bit better.

So when I got a letter in the mail from Verizon offering a “free upgrade” to Verizon Yahoo!, I thought I had nothing to lose.

Grr … it makes me download and install custom branded software. Apparently this is part of the “upgrade.” If you want to play in the Yahoo home page, you have to let it run a scary installer-type program that connects back to the Internet and displays clunky HTML status while it has its way with your Mail and Safari settings.

I should have backed up everything, but I was feeling lazy I guess. Knowing the Telco companies, I should never be lazy. I let it do its thing all over my computer, and when it finally relaunched Safari: surprise! no more bookmarks. And when I say “no” bookmarks, I mean it. It didn’t even stuff a bunch of Verizon marketing bookmarks in there to pretty up the browser. Just a big gaping hole where my bookmarks (in the bookmark bar and menu) used to be.

Of course, it also replaced my home page setting in Safari. To this! Yes, the garbage you see on your screen is what I see on mine, too. Lucky us – living the high life with Yahoo and Verizon.

I was relieved to learn that whoever programmed this little monster was at least concerned enough about their work to make a backup of the existing Bookmarks file. Not that this is acceptable for the 99% of users who won’t freaking know to look in ~/Library/Safari for the lost Bookmarks. But for anybody unfortunate enough to go through this upgrade and suffer my fate, maybe you’ll get “lucky” like I did and find your bookmarks thus preserved.

You can imagine that by this point I was pretty scared to relaunch Mail.app. Another “favor” the Verizon installer did was to reconfigure my Verizon email account in Mail so that it would go through a yahoo branded SMTP/POP server. I could easily imagine this programmer clobbering all of my accounts, assuming that the user “surely only uses Verizon email.”

I’m happy to say that my pessimism in this regard was ill-founded. Whether by skill or dumb-luck, the Verizon installer managed not to obliterate my Mail settings.

Now I’m just hoping it didn’t do anything else that I haven’t noticed yet. Keeping my fingers crossed.

Update By looking carefully through the “installer” program, I was able to find quite a bit of information. I know the name of the person who wrote this code, which I will omit to spare him the public humiliation. I know the name of the company, which I will omit to spare myself from legal harassment (though we should be suing them!), and I know the exact cause of the bug.

The installer is based on a collection of sloppy AppleScripts, and the author was kind enough to leave the offending AppleScript’s source code intact in the shipping image. I know the answer to my question above: was it skill or dumb-luck that caused my Bookmarks to be backed up? It was definitely dumb-luck. In fact, it was a sloppy piece of programming that led to that remnant being left around.

The Verizon installer attempts to inject its bookmarks into the user’s Bookmarks.plist file by:

  1. Making a copy of the existing Bookmarks.plist file.
  2. Erasing the original Bookmarks.plist.
  3. Iterating through the original bookmarks one line at a time, echoing the line back out to the original Bookmarks.plist.
  4. Sneaking its own items in when it feels the time is right.

So what happens when one little thing goes wrong in this nasty mess? You lose your Bookmarks.

This whole thing involves about a hundred bazillion dangerous, presumptuous “do shell script” calls. Instead of using AppleScript’s built-in file access routines, the author has chosen to use shell scripts and the “echo” command to perform all of his writes. For all of his reads, he uses a combination of the UNIX “cat” command with the “sed” and “tail” command. For each line of the original Bookmarks line to be read, he cats the *entire* file and pipes the result through sed and then tail. Seeing this kind of stuff makes me wonder whether half of my hard drive was deleted and I just haven’t found out yet.

So what caused the script to fail, and my bookmarks to disappear? The following line of AppleScript code:

do shell script "cd;/bin/echo '" & theLine & "' >> Library/Safari/Bookmarks.plist"

By assuming that “theLine” will never contain any characters that cause unexpected, perhaps dangerous side-effects to occur, the author has made his disastrous error. Among my Bookmarks is a javascript “bookmarklet” which contains, as part of its “URL” a lot of interesting characters. It’s a JavaScript! The author of the script probably felt pretty comfortable about putting single quotes around “theLine.” By doing so he essentially protected himself from lots of the hairy problems that could arise from special characters like ampersand and tilde popping into the command line. But what about the single quotes in my Bookmark? As soon as the first single quote from the Javascript bookmarklet is hit, the party’s over. As the rest of the string is processed, it’s a crap shoot whether we’re in “safe” mode or not. When he hits the next single quote in my Bookmarklet, *phew* we’re safe again. But soon there’s another one and we’re in danger. It so happens that during one of these unsafe stretches, the script runs into an ampersand. What does the shell do when it encounters an ampersand? It forks the process out and continues accepting commands. For instance, go the Terminal and type:

ls & ls

See how ls gets called twice – sort of concurrently? So every time this piece of work from Verizon gets to an unprotected ampersand in my Bookmark file, it ends the current command and starts up another one. This is what the AppleScript failure looks like when I narrow it down to the offending line:

sh: line 1: amp: command not found
sh: line 1: amp: command not found
sh: line 1: amp: command not found
sh: line 1: amp: command not found
sh: line 1: +(new%20Date).getTime();var%20request=
new%20XMLHttpRequest();request.open(POST,path,true);
request.setRequestHeader(Method,POST%20+path+%20HTTP/1.1);
request.setRequestHeader(Content-Type,application/x-www-
form-urlencoded);request.send(post);};: No such file or directory

It’s damn lucky that “amp” isn’t an alias for “format my hard drive.” Damn lucky for me, and damn lucky for this careless Verizon consultant. Hopefully every other person in the world this happens to will be able to share my relatively lucky escape.

I would try to inform Verizon about this, but to be honest I don’t think I could get through to them if I tried. If anybody in a position to be embarrassed by this happens to be reading, maybe you can help get this brought to the right person’s attention.

Update 2 It’s a lucky coincidence that the data being parsed in this case is fairly well-limited to what Safari will allow you to put in a bookmark. Since Safari converts all spaces in the bookmark (even if it’s inside a javascript block) into an escaped space character, there are no actual spaces in the bookmark text by the time Verizon’s installer gets to it. This is very lucky, because it means a bookmark like “javascript:alert(‘"rm -rf ~; echo ‘)” won’t actually delete your entire home directory. Instead, the shell says something like “command not found: rm%20-rf%20~”.

This lucky break for us doesn’t make the installer any less frightening – it still kills your bookmarks, or at best, just corrupts all your bookmarklets. And I would be surprised if this is the only bug in the installer – I certainly advise any Mac user to avoid running this at all costs. If you do need to run it, I would do a full backup of your computer before doing so.

22 Responses to “Grr-izon”

  1. rentzsch Says:

    There’s no place like True/False/ho_home for the holidays.

  2. Eric Albert Says:

    I have a phone number for the highest level of Verizon’s tech support if you’d like it. It’s a specific group whose job it is to resolve the messiest customer service problems they have. I got the number a couple years ago when activating a Verizon DSL line took two months and 20+ phone calls on my part. Once I was given this number and called this group, they resolved the whole thing in a day or two.

    Anyway, I’m not sure if it’d help for this case, but if you want someone to complain to they can probably help out….

  3. Nathaniel Says:

    This is exactly the sort of thing you should submit anonymously to Slashdot. Verizon won’t be dumb enough to sue them, and they can get a lot of attention to the idiot company that made this atrocity of an installer.

  4. Michael Tsai - Blog - Verizon’s Installer AppleScript Says:

    […] Daniel Jalkut: […]

  5. Chucky Says:

    You really ought to publish the name of the company responsible, if not the name of the actual programmer. Public shaming is one of the best recourses in situations like this.

    And rentzsch wins the award for wittiest comment of the new year.

  6. Daniel Jalkut Says:

    Hi Chucky – I think for now I’ll just try to get the word out that people should be careful with the Verizon Installer. The person responsible for this will be shamed enough if they find this post.

    And Chucky – you didn’t even enter a real email address when you posted your comment – talk about public shame :)

  7. Fred Ehmann Says:

    A few years ago, when they were known as Bell Atlantic, they were promoting their DSL service with a free month. I tried it. Being a thoughtful guy, I ran the installer on my wife’s iMac first. Same result–no bookmarks. She was furious (who wouldn’t be) and although I eventually recovered her bookmarks, it left such a bad taste in our mouths that we decided against the service. Who would think that killing your bookmarks is an acceptable result?! It’s quite unbelievable that it still happens like 4 years later.

  8. arcsine Says:

    I don’t understand why you wanted to run the installer in the first place.

    Most Mac users learned a long time ago to avoid the hinky installers from ISPs and just let the OS handle the interface. Why? Well because most of the time there weren’t any for the Mac and all you needed was 2-3 bits of info.

    What was the ‘upgrade’ offering or promising you? Spyware blocking… virus protection… free popcorn?

  9. Daniel Jalkut Says:

    Arcsine: paragraph two of my original entry explains it: basically the Yahoo! branding brought with it an improved “account management” interface. That’s what I hoped to add to swap in for my dismal Verizon web interface. I have been so turned off by the whole thing that I haven’t actually tested this yet to see if I ended up getting that.

  10. codeman38 Says:

    Oh, my. Apparently this ‘installer’ had a stray null character somewhere in the script, too— note the %00 at the end of the home page URL. Removing it gets you to a page that’s not full of cryptic errors…

    And… wow. On the whole bit with quoting raw strings in a shell script… I seriously wonder how much that programmer was paid.

  11. MissRose Says:

    Hey did you figure out how to retrieve your bookmarks I see the file but I can’t find my bookmarks, I had a lot of important information too. Something told me not to run this crap on my Mac. Let me know if you can if you found something to help…I see I’m not the only one that suffered I had to use Entourage for my mail instead also..just a big mess.

    Thanks in advance…

  12. MissRose Says:

    Nevermind found the solution…thanks anyway

  13. Summer Storm Pictures Says:

    It gets worse. Verizon DSL deleted all my email on my existing Yahoo account when I “linked” it. Fortunately I have a good scheme for backup/forwarding that saves me and Yahoo was just one link in that chain. Thank God for Gmail. Anyway, I would warn anyone about linking their Yahoo email they already have when installing Verizon DSL. If you have to, just create a new account and keep it separate. I admit I am a Mac user in general, but I set up the VDSL using the CD-ROM and a WIndows XP machine because it was for my dad. That went smoothly as far as I can tell — so far…

  14. Adam Says:

    I was wandering where the app makes this backup of the bookmarks.plist at? I have been unable to find it.

    Thanks

  15. Daniel Jalkut Says:

    Hi Adam – it’s been a while since I looked at the problem, but as I recall the backup was right there in the same directory as the Bookmarks.plist (in ~/Library/Safari/).

  16. Matt Says:

    Hey,

    This same problem happened to me today, as I just got FIOS. I can’t find out how to get my bookmarks back.

    Is the file named something different? Any help you can give will be so appreciated. Thank you!

  17. Daniel Jalkut Says:

    Matt: If it’s the same bug then the backup file should be somewhere in ~/Library/Safari. Good luck!

  18. Matt Says:

    Unfortuantely, I haven’t been able to find it in the Users/Library/Safari. :(

    If anyone knows anything else, I’d appreciate the help! Thanks!

  19. Matt Says:

    Hey again Daniel,

    Sorry for posting again.

    One more question.

    Is it ok to rebuild my bookmarks and start using my mail application (I had purchased a domain to start using for mail days before this happened)? Or do I have to worry about Verizon wrecking everything again.

    Also, is there anyway to uninstall whatever Verizon put on my computer? Where would I find it? Thanks. You’ve been more help then Verizon by far.

  20. Andrew Says:

    Hello,
    I just signed up for Verizon DSL and the installer erased my many years of well-organized bookmarks. I could tell that something might happen as I ran the installer. I tried to quickly export the bookmarks list, but it was too late and came out blank. I called Verizon tried to complain, tried to find a way to email a complaint, and ended up submitting a complaint to the Better Business Bureau. I feel your pain Matt. Verizon’s problem is still not fix and it’s already April in 2007. Is there anything to do?

  21. Andrew Says:

    Oh, one more thing. My .plist file was not preserved in the Library it was replaced with a blank 4k file.

  22. Daniel Jalkut Says:

    That’s really terrible news, Andrew. Sorry you didn’t have a backup :(

Comments are closed.

Follow the Conversation

Stay up-to-date by subscribing to the Comments RSS Feed for this entry.