
561 points | bearsyankees | 1 comment
blantonl No.43965416
Returning the OTP in the request API response is wild. Like why?
1. ceejayoz No.43965678
Save a HTTP request, and faster UX! What's not to love?

When Pinterest's new API was released, they were spewing out everything about a user to any app using their OAuth integration, including their 2FA secrets. We reported and got a bounty, but this sort of shit winds up in big companies' APIs, who really should know better.
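Both leaks in this thread are the same mistake: the server hands back state the client was never supposed to learn from that endpoint. The following is an added example (not code from the thread or from any of the products named in it) showing each anti-pattern beside a hardened form: an OTP-request endpoint that echoes the code it just sent out of band, and a user serializer that dumps the whole record, including the 2FA secret, to an OAuth client. The in-memory stores, the SMS stub, the scope names and the sample user row are all constructed for the example.

```python
"""Two API leaks beside their fixes (added example, constructed data)."""
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stand-ins for a database and an SMS gateway.
OTP_STORE: dict[str, dict] = {}
SENT_MESSAGES: list[tuple[str, str]] = []

OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


def _send_sms(phone: str, text: str) -> None:
    SENT_MESSAGES.append((phone, text))  # stand-in for a real SMS gateway


def _hash_otp(user_id: str, code: str) -> str:
    # Store a hash so a database read or a log dump does not yield a usable code.
    return hashlib.sha256(f"{user_id}:{code}".encode()).hexdigest()


def _issue_otp(user_id: str, phone: str) -> str:
    code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, six digits, leading zeros kept
    OTP_STORE[user_id] = {
        "hash": _hash_otp(user_id, code),
        "expires": time.time() + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    _send_sms(phone, f"Your code is {code}")
    return code


def request_otp_leaky(user_id: str, phone: str) -> dict:
    """The anti-pattern from the thread: the code goes out of band AND in the HTTP response,
    so anyone who can call the endpoint for a user never needs that user's phone."""
    code = _issue_otp(user_id, phone)
    return {"status": "sent", "otp": code}


def request_otp(user_id: str, phone: str) -> dict:
    """Hardened: the response proves only that a code was sent."""
    _issue_otp(user_id, phone)
    return {"status": "sent"}


def verify_otp(user_id: str, code: str) -> bool:
    """Constant-time check, expiry, attempt cap and single use; the code never leaves the server."""
    rec = OTP_STORE.get(user_id)
    if rec is None or time.time() > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
        return False
    rec["attempts"] += 1
    ok = hmac.compare_digest(rec["hash"], _hash_otp(user_id, code))
    if ok:
        del OTP_STORE[user_id]  # a code is good for exactly one successful verification
    return ok


# Second leak: serializing the whole user record for an OAuth client.
USER_RECORD = {  # constructed sample row; the secrets are placeholders
    "id": "u-42",
    "username": "alice",
    "email": "alice@example.com",
    "password_hash": "$argon2id$placeholder",
    "totp_secret": "JBSWY3DPEHPK3PXP",
    "recovery_codes": ["a1b2-c3d4", "e5f6-g7h8"],
}

PUBLIC_PROFILE_FIELDS = ("id", "username")
SCOPED_FIELDS = {"email": ("email",)}  # hypothetical scope name -> fields it unlocks


def serialize_user_leaky(user: dict) -> dict:
    """Model straight to JSON: credentials and 2FA material ride along."""
    return dict(user)


def serialize_user(user: dict, granted_scopes: frozenset[str]) -> dict:
    """Allowlist: a field is emitted only if it is public or the token's scope covers it.
    Secret columns are simply never named here, so a new column cannot leak by default."""
    out = {k: user[k] for k in PUBLIC_PROFILE_FIELDS}
    for scope, fields in SCOPED_FIELDS.items():
        if scope in granted_scopes:
            out.update({k: user[k] for k in fields})
    return out


if __name__ == "__main__":
    print(request_otp_leaky("u-42", "+15550100"))
    print(request_otp("u-42", "+15550100"))
    print(serialize_user_leaky(USER_RECORD))
    print(serialize_user(USER_RECORD, frozenset({"email"})))
```

The allowlist serializer is the general form of the fix for the Pinterest-style leak: with a denylist, every new sensitive column is exposed until someone remembers to add it, whereas with an allowlist the default for an unlisted column is to stay private.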