(alexschapiro.com)

560 points bearsyankees | 2 comments | 12 May 25 16:39 UTC | HN request time: 0.501s | source

Show context

blantonl ◴[12 May 25 17:26 UTC] No.43965416[source]▶

Returning the OTP in the request API response is wild. Like why?

replies(6): >>43965452 #>>43965527 #>>43965664 #>>43965678 #>>43965989 #>>43967689 #

1. hectormalot ◴[12 May 25 17:46 UTC] No.43965664[source]▶

One reason I could think of is that they may return the database (or cache, or something else) response after generating and storing the OTP. Quick POCs/MVPs often use their storage models for API responses to save time, and then it is an easy oversight...

replies(1): >>43968636 #

2. oulu2006 ◴[13 May 25 00:14 UTC] No.43968636[source]▶

>>43965664 (TP) #

that's my first thought at as well - like a basic CRUD operation that returns the row that was created as a response.

↑

I hacked a dating app (and how not to treat a security researcher)