A Special Support Request

Working at a software consulting company and dealing with customers on a daily basis, I have seen a lot of customer support requests over the recent years. As I am also in charge of customer success, I always try to help the customer achieve what they have in mind, no matter how common or uncommon their use case may be. This time, I was the customer, and my use case was as uncommon as it could possibly be. So I reached out to customer support and eagerly waited for their reaction.

Disclaimer: This is not a sponsored post of any kind, but a recent personal encounter with unforeseen system state in a software product as well as customer support, which I found particularly interesting, and hopefully a little entertaining. So if you draw any conclusion from this post, it should not be whether or not to sign up with any particular service provider, but maybe increase your awareness on edge cases when designing processes, or on how customer support might deal with these.

How It All Began

Let’s start at the beginning: On January 8th, I received the following newsletter from a company I did not even remember having signed up with at all:

Since the offer sounded interesting, I tried to reconstruct whether I had indeed opened an account with them sometime in the past. I first looked into my password manager, which did not contain any entry for that site. Still unsure, I entered the e-mail address the newsletter had been sent to into the „forgot password“ form on their site. Sure enough, I immediately received an e-mail with a link to reset my password, and was then able to log in. I noticed they had an old address of mine, so I was pretty sure I actually opened an account there several years ago. Since I now intended to finally use their service, I updated my address record, and browsed around the account settings pages in order to find out where I could order the new eSIM they had promoted in the newsletter.

Encountering the First Problems

This is where things started to get weird: Most settings pages did not show any information. There were three sections: „connections“, which had one entry, then „devices“, which showed a blank white page, and „numbers“, which was complaining that there were no devices registered, and offered a link to add a device. To my surprise, clicking that link did not have any effect. In summary, I was not able to do anything in my account settings, let alone order an eSIM.

I remembered that the main landing page had a huge button to order one, so I figured maybe that button would do just that, now that I was already logged in. So I went back to that page and clicked the „activate eSIM“ button. Sadly, it ignored the fact that I was logged in and already knew all the relevant details about me, and just put me into the regular sign-up process for new customers.

RTFM

At that time, I thought there had to be an easier way to do this, so I canceled the registration process and instead searched the help pages in order to find out how to add an eSIM to an existing account. Sure enough, I found the following instructions:

My account settings quickly reminded me of the fact that the „devices“ section was completely blank. In particular, there was nothing to click on. This is when I concluded that it was not the account settings page in general that had a problem, but that something about my account had to be broken.

Reconstructing What Happened

A search through my e-mail archive brought several interesting things to light:

  • I had signed up in May 2013.
  • I never completed the sign-up process.
  • I still had a reminder e-mail with a link to complete it.

Continue to Step 3

Out of curiosity, I clicked the „continue to step 3“ link in that six-and-a-half-year-old e-mail. To my great surprise, I was greeted with the following web page:

It seemed to work! I just clicked a link that was old enough to go to school by now, and my sign-up process just continued – although the site had surely been revamped several times in-between? With my mouth still wide open, I selected one of the suggested mobile numbers and hit the „next“ button…

Ok, so although it initially looked as if I could just continue signing up, my account seemed to be in an undesired state, which did not let me sign in and manage it as intended, but did not let me continue signing up either.

Last Resort: Customer Support

Finally, I decided to write to customer support, describing the situation and asking if there was any way they could put my account back to a valid state, although I was the one responsible for it being in that state in the first place. (I guess nobody creating database migration scripts throughout these years might have thought of accounts that had been in some in-between sign-up step for that long.)

30 minutes later (wow!) I received an e-mail saying they tried to fix my account, confirmed my address change, and asked me to log in again. In addition, they mentioned that in case their fix did not resolve my issue, they might have to delete my account, which means I would have to register as a new customer. I was a little excited when I entered my account credentials (i.e. let my password manager do so). Unlike before, I was not greeted with half-empty settings pages, but instead sent directly to step 3 of the sign-up process („choose your number“), which seemed reasonable to me. My excitement came to a hard stop when clicking the „next“ button led to the same „server error“ page as before.

Fiddling Around

Knowing my only alternative would be to lose the account and having to start over again, I decided to look a bit deeper into what actually went wrong, which HTTP calls were being made, which succeeded and which failed, etc., so I opened my browser’s debug console. There, the next surprise was already waiting for me:

Kudos to the folks at simquadrat for putting that message there. It never occurred to me that stealing accounts via manually injected script into a logged-in web session was a thing, but it makes a lot of sense. If you can trick someone into putting some arbitrary JavaScript into the console while being logged in to their account, you can potentially extract any information about their account to any server of your choice. And lots of people have never seen their browser’s dev tools, so they don’t know what they are supposed to do or not to do in there.

That being said, I did find the HTTP call leading to the error page. It was, however, basically just transmitting the selected number to the server, which returned that HTTP 500 error page without any additional information. Being curious what the registration flow for new users would look like, I logged out and went to the landing page in order to start a fresh registration. After all, this was what support had suggested anyway, so I could as well inspect what happened there. Again, the browser console had a pleasant surprise:

Another Support Channel?

I was not looking for a job, but I decided I might have found a bug to fix, so I wrote a quick e-mail to the address mentioned in the message, describing the issue. I also provided the ticket number I obtained through the regular support channel, in order not to cause duplicate efforts. The next morning, I received another reply to my initial ticket, telling me that after taking a closer look at my account information, they came to the conclusion that it was beyond recovery, and kindly asked me to delete it and start over.

Overall, I was genuinely impressed with the reaction time and high quality I received, given the fact that my request was anything but an everyday one. That being said, I did sign up for a new account and I’m currently evaluating their service.
