
560 points by bearsyankees | 6 comments
blantonl No.43965416
Returning the OTP in the request API response is wild. Like why?
replies(6): >>43965452 #>>43965527 #>>43965664 #>>43965678 #>>43965989 #>>43967689 #
1. mooreds No.43965452
I too am bewildered.

Maybe to make it easier to build the form accepting the OTP? Oversight?

I can't think of any other reasons.

replies(3): >>43965701 #>>43965737 #>>43966261 #
2. Vuska No.43965701
Oversight. Frameworks tend to make it easy to make an API endpoint by casting your model to JSON or something, but it's easy to forget you need to make specific fields hidden.
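The failure mode Vuska describes (dump the whole model, forget to hide a field) is easy to reproduce and easy to guard against. The example below is added here and is not code from the thread or from any project it discusses; it uses a constructed Python dataclass as a stand-in for an ORM model, marks the secret field in the dataclass metadata, and serializes from an allow-list so a newly added secret column cannot leak by default. The helper `response_leaks_secret` is the kind of check a unit test would run against every authentication endpoint's response body.

```python
# Added example, not from the thread: a whole-model serializer that leaks the
# OTP, next to a metadata-driven serializer that omits anything marked secret.
from dataclasses import dataclass, field, fields, asdict
import json
import secrets


@dataclass
class OtpChallenge:
    """Server-side record of a one-time-password challenge (constructed model).

    Field names and the "secret" metadata key are this example's own convention.
    """
    challenge_id: str
    phone_last4: str
    expires_in: int
    # The code itself must only travel out-of-band (SMS/email), never in the
    # API response that creates the challenge.
    otp: str = field(metadata={"secret": True})


def create_challenge(phone: str) -> OtpChallenge:
    """Generate a challenge with a random 6-digit code (stored server-side)."""
    return OtpChallenge(
        challenge_id=secrets.token_urlsafe(16),
        phone_last4=phone[-4:],
        expires_in=300,
        otp=f"{secrets.randbelow(1_000_000):06d}",
    )


def leaky_response(challenge: OtpChallenge) -> str:
    """The mistake in the thread: cast the whole model to JSON."""
    return json.dumps(asdict(challenge))


def safe_response(challenge: OtpChallenge) -> str:
    """Emit only fields not flagged secret in their dataclass metadata.

    Because the decision is made per field at the model, a developer who later
    adds another secret column has to opt it out once, at the definition, not
    at every endpoint that happens to return the model.
    """
    public = {
        f.name: getattr(challenge, f.name)
        for f in fields(challenge)
        if not f.metadata.get("secret", False)
    }
    return json.dumps(public)


def parse_response(body: str) -> dict:
    """Decode a response body; exposed so tests can inspect it without json."""
    return json.loads(body)


def response_leaks_secret(body: str, challenge: OtpChallenge) -> bool:
    """Regression check: does the body carry the OTP key or its value?

    Checks values too, so a secret renamed or copied into another key
    (e.g. "code") is still caught.
    """
    data = parse_response(body)
    secret_values = {
        getattr(challenge, f.name)
        for f in fields(challenge)
        if f.metadata.get("secret", False)
    }
    return "otp" in data or any(v in secret_values for v in data.values())


if __name__ == "__main__":
    ch = create_challenge("+15551234567")  # constructed sample number
    print("leaky:", leaky_response(ch))
    print("safe: ", safe_response(ch))
```

Running the module prints the leaky body with the code in it and the safe body without it. In a real service the same allow-list idea applies to whatever the framework offers (a serializer class, `hidden`/`exclude` lists, a response schema distinct from the model); the point is that the default for a new field should be "not exposed".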
3. ksala_ No.43965737
My best guess would be some form of testing before they added the "sending a message" part to the API. Build the OTP logic, the scaffolding... and add a way to make sure it returns what you expect. But yes, absolutely wild.
4. Alex-Programs No.43966261
I assume that whoever wrote it just has absolutely no mental model of security, has never been on the attacking side or realised that clients can't be trusted, and only implemented the OTP authentication because they were "going through the motions" that they'd seen other people implement.
replies(2): >>43966624 #>>43966880 #
5. ceejayoz No.43966624
https://en.wikipedia.org/wiki/Cargo_cult
6. pixl97 No.43966880
Everyone that programs should take blackhat classes of some kind. I talk to so many programmers that really don't understand what hackers/attackers can actually do.