    560 points bearsyankees | 22 comments
    1. blantonl ◴[] No.43965416[source]
    Returning the OTP in the request API response is wild. Like why?
    replies(6): >>43965452 #>>43965527 #>>43965664 #>>43965678 #>>43965989 #>>43967689 #
    2. mooreds ◴[] No.43965452[source]
    I too am bewildered.

    Maybe to make it easier to build the form accepting the OTP? Oversight?

    I can't think of any other reasons.

    replies(3): >>43965701 #>>43965737 #>>43966261 #
    3. matja ◴[] No.43965527[source]
    Eliminate your database costs with this one easy trick!
    4. hectormalot ◴[] No.43965664[source]
    One reason I could think of is that they may return the database (or cache, or something else) response after generating and storing the OTP. Quick POCs/MVPs often use their storage models for API responses to save time, and then it is an easy oversight...
    replies(1): >>43968636 #
    5. ceejayoz ◴[] No.43965678[source]
    Save a HTTP request, and faster UX! What's not to love?

    When Pinterest's new API was released, they were spewing out everything about a user to any app using their OAuth integration, including their 2FA secrets. We reported and got a bounty, but this sort of shit winds up in big companies' APIs, who really should know better.

    6. Vuska ◴[] No.43965701[source]
    Oversight. Frameworks tend to make it easy to make an API endpoint by casting your model to JSON or something, but it's easy to forget you need to make specific fields hidden.
    7. ksala_ ◴[] No.43965737[source]
    My best guess would be some form of testing before they added the "sending a message" part to the API. Build the OTP logic, the scaffolding... and add a way to make sure it returns what you expect. But yes, absolutely wild.
    8. MBCook ◴[] No.43965989[source]
    So the UI can check if what they enter is correct.

    It’s very sensible and an obvious solution if you don’t think about the security of it.

    A dating app is one of the most dangerous kinds of app to make due to all the necessary PII. This is horrible.

    replies(3): >>43966056 #>>43966068 #>>43966759 #
    9. ryanisnan ◴[] No.43966056[source]
    > if you don’t think about the security of it.

    This is big brain energy. Why bother making yet another round-trip request when you can just defer that nonsense to the client!

    replies(1): >>43966286 #
    10. pydry ◴[] No.43966068[source]
    Smacks of vibe coding
    replies(2): >>43966251 #>>43966920 #
    11. bitbasher ◴[] No.43966251{3}[source]
    I don't think a language model is that stupid. This smacks of pure human stupidity and/or offshoring.
    replies(1): >>43966449 #
    12. Alex-Programs ◴[] No.43966261[source]
    I assume that whoever wrote it just has absolutely no mental model of security, has never been on the attacking side or realised that clients can't be trusted, and only implemented the OTP authentication because they were "going through the motions" that they'd seen other people implement.
    replies(2): >>43966624 #>>43966880 #
    13. joelhaasnoot ◴[] No.43966286{3}[source]
    No one would ever hack my app!
    14. orphea ◴[] No.43966449{4}[source]
    But LLMs are that stupid. Do you remember that guy who vibe coded a cheating tool for interviews and who literally leaked all his API keys/secrets to GitHub because neither he nor an LLM knew better?
    replies(2): >>43966524 #>>43966811 #
    15. bitbasher ◴[] No.43966524{5}[source]
    Fair enough. Since it's trained on human stupidity, I suppose it would reflect that stupidity as well.
    16. ceejayoz ◴[] No.43966624{3}[source]
    https://en.wikipedia.org/wiki/Cargo_cult
    17. benmmurphy ◴[] No.43966759[source]
    I’ve seen banks where the OTP code is generated on the client and then sent to the server.
    18. immibis ◴[] No.43966811{5}[source]
    Is that the same guy who had his degree revoked for creating a cheating tool for interviews and is now a millionaire for creating a cheating tool for interviews?
    19. pixl97 ◴[] No.43966880{3}[source]
    Everyone that programs should take blackhat classes of some kind. I talk to so many programmers that really don't understand what hackers/attackers can actually do.
    20. MBCook ◴[] No.43966920{3}[source]
    Could be. Somewhere else in these comments someone was saying they found evidence that the app was coded that way.

    But they also said it was a project by two students. And I could absolutely see students (or even normal developers) who aren’t used to thinking about security making that mistake. It is a very obvious way to implement it.

    In retrospect I know that my senior project had some giant security issues. There were more things to look out for than I knew about at that time.

    21. gwbas1c ◴[] No.43967689[source]
    It appears that the OTP is sent from "the response from triggering the one-time password".

    I suspect it's a framework thing; they're probably directly serializing an object that's put in the database (ORM or other storage system) to what's returned via HTTP.

    22. oulu2006 ◴[] No.43968636[source]
    That's my first thought as well - like a basic CRUD operation that returns the row that was created as a response.
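Comments 4, 6, 21 and 22 converge on the same diagnosis: the handler serialised the freshly created database row straight into the HTTP response, so every column went to the client. The following is an added example (mine, not the app's code; the `OtpChallenge` model, its field names and the in-memory `store` are constructed for illustration) that puts the leaky pattern next to the two defences the thread implies: an allow-listed response schema, so new columns stay hidden by default, and verification that happens only on the server (which also answers comment 17's client-generated OTP).

```python
"""Added example: why 'return the row you just created' leaks an OTP,
and what the fixed handler looks like.  Constructed for illustration;
the OtpChallenge model and its field names are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import asdict, dataclass

OTP_TTL_SECONDS = 300
OTP_DIGITS = 6
MAX_ATTEMPTS = 5


@dataclass
class OtpChallenge:
    """One row of a hypothetical 'otp_challenges' table."""
    id: str
    phone: str
    otp_hash: str      # SHA-256 of the code; the plaintext code is never stored
    expires_at: float
    attempts: int = 0


def _hash_code(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


def create_challenge(phone: str, store: dict, now: float | None = None) -> tuple[OtpChallenge, str]:
    """Generate a code, persist only its hash, and return the plaintext
    separately so the caller can deliver it out of band (SMS, e-mail)."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    row = OtpChallenge(
        id=secrets.token_urlsafe(16),
        phone=phone,
        otp_hash=_hash_code(code),
        expires_at=now + OTP_TTL_SECONDS,
    )
    store[row.id] = row
    return row, code


# --- the bug the thread describes -------------------------------------------
def leaky_response(row: OtpChallenge) -> dict:
    """Serialise the stored row wholesale.  Every column reaches the client.
    Hashing alone is not a defence here: a 6-digit code has only 10**6
    candidates, so a leaked hash is as good as the code."""
    return asdict(row)


# --- defence 1: an explicit, allow-listed response schema --------------------
PUBLIC_FIELDS = ("id", "expires_at")


def safe_response(row: OtpChallenge) -> dict:
    """Only the fields the client needs.  A column added to the model
    later is hidden unless someone deliberately adds it here."""
    return {k: getattr(row, k) for k in PUBLIC_FIELDS}


# --- defence 2: the server, not the client, decides whether the code matches --
def verify_code(challenge_id: str, submitted: str, store: dict, now: float | None = None) -> bool:
    """Constant-time compare, expiry, attempt cap, single use."""
    now = time.time() if now is None else now
    row = store.get(challenge_id)
    if row is None or now > row.expires_at or row.attempts >= MAX_ATTEMPTS:
        return False
    row.attempts += 1
    ok = hmac.compare_digest(row.otp_hash, _hash_code(submitted))
    if ok:
        del store[challenge_id]  # a code verifies at most once
    return ok


if __name__ == "__main__":
    store: dict = {}
    row, code = create_challenge("+15555550100", store)  # constructed number
    print("leaky :", sorted(leaky_response(row)))
    print("safe  :", sorted(safe_response(row)))
    print("verify:", verify_code(row.id, code, store))
```

The important line is `PUBLIC_FIELDS`: an allow-list fails closed, whereas the framework default of "serialise the model" fails open every time a column is added. Storing a hash is still worth doing (it limits what a database dump exposes), but with a six-digit code it is not what stops the leak.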