(alexschapiro.com)

560 points bearsyankees | 1 comments | 12 May 25 16:39 UTC | HN request time: 0.324s | source

Show context

blantonl ◴[12 May 25 17:26 UTC] No.43965416[source]▶

>>43964937 (OP) #

Returning the OTP in the request API response is wild. Like why?

replies(6): >>43965452 #>>43965527 #>>43965664 #>>43965678 #>>43965989 #>>43967689 #

mooreds ◴[12 May 25 17:29 UTC] No.43965452[source]▶

>>43965416 #

I too am bewildered.

Maybe to make it easier to build the form accepting the OTP? Oversight?

I can't think of any other reasons.

replies(3): >>43965701 #>>43965737 #>>43966261 #

1. Vuska ◴[12 May 25 17:48 UTC] No.43965701[source]▶

>>43965452 #

Oversight. Frameworks tend to make it easy to make an API endpoint by casting your model to JSON or something, but it's easy to forget you need to make specific fields hidden.

↑

I hacked a dating app (and how not to treat a security researcher)