
561 points bearsyankees | 10 comments
blantonl No.43965416
Returning the OTP in the request API response is wild. Like why?
replies(6): >>43965452 #>>43965527 #>>43965664 #>>43965678 #>>43965989 #>>43967689 #
1. MBCook No.43965989
So the UI can check if what they enter is correct.

It’s very sensible and an obvious solution if you don’t think about the security of it.

A dating app is one of the most dangerous kinds of app to make due to all the necessary PII. This is horrible.

replies(3): >>43966056 #>>43966068 #>>43966759 #
2. ryanisnan No.43966056
> if you don’t think about the security of it.

This is big brain energy. Why bother making yet another round-trip request when you can just defer that nonsense to the client!

replies(1): >>43966286 #
3. pydry No.43966068
Smacks of vibe coding
replies(2): >>43966251 #>>43966920 #
4. bitbasher No.43966251
I don't think a language model is that stupid. This smacks of pure human stupidity and/or offshoring.
replies(1): >>43966449 #
5. joelhaasnoot No.43966286
No one would ever hack my app!
6. orphea No.43966449
But LLMs are that stupid. Do you remember that guy who vibe coded a cheating tool for interviews and literally leaked all his API keys/secrets to GitHub because neither he nor an LLM knew any better?
replies(2): >>43966524 #>>43966811 #
7. bitbasher No.43966524
Fair enough. Since it's trained on human stupidity, I suppose it would reflect that stupidity as well.
8. benmmurphy No.43966759
I’ve seen banks where the OTP code is generated on the client and then sent to the server.
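Both failure modes in this thread (MBCook's "the UI checks the code locally, so the request endpoint returns the OTP" and benmmurphy's "the client generates the code and sends it to the server") collapse to the same root cause: the party that cannot be trusted holds or learns the secret. The example below is an added illustration written for this page, not code from the dating app under discussion or from any bank; it puts the leaky design beside a server-side design in which the server generates the code, stores only a keyed hash of it, delivers it out of band, and checks the client's guess with a second round trip under expiry and attempt limits. The in-memory `SENT_MESSAGES` list standing in for an SMS gateway, the per-process pepper, and the 300-second / 5-attempt limits are assumptions chosen for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the SMS/e-mail provider: every (phone, code) pair
# that "would have been sent" is appended here so the flow runs offline.
SENT_MESSAGES = []


def _new_code():
    """Six-digit code from the CSPRNG (secrets, not random.randint)."""
    return f"{secrets.randbelow(10**6):06d}"


class LeakyOtpApi:
    """The anti-pattern from the thread: the request endpoint echoes the OTP
    back so the client can compare locally. Anyone who can call the endpoint
    (or read the response in a proxy) gets the code for any phone number
    without ever receiving the message."""

    def request_otp(self, phone):
        code = _new_code()
        SENT_MESSAGES.append((phone, code))
        return {"status": "sent", "otp": code}  # <-- the leak


class ServerSideOtpApi:
    """Hardened flow: the server holds the only copy of the secret, the client
    can only submit a guess, and a second round trip does the check. A code
    generated on the client (benmmurphy's bank) is never accepted as
    authoritative here; it is just one more guess against the server's code."""

    TTL_SECONDS = 300   # assumed limit: code is worthless after 5 minutes
    MAX_ATTEMPTS = 5    # assumed limit: 10^6 keyspace must not be brute-forced

    def __init__(self, clock=time.time):
        self._clock = clock                     # injectable to test expiry
        self._pepper = secrets.token_bytes(32)  # hypothetical per-process key
        self._pending = {}                      # phone -> {digest, expires, attempts}

    def _digest(self, phone, code):
        # Store a keyed hash, not the code: a dumped table is not a dumped OTP
        msg = f"{phone}:{code}".encode()
        return hmac.new(self._pepper, msg, hashlib.sha256).digest()

    def request_otp(self, phone):
        code = _new_code()
        self._pending[phone] = {
            "digest": self._digest(phone, code),
            "expires": self._clock() + self.TTL_SECONDS,
            "attempts": 0,
        }
        SENT_MESSAGES.append((phone, code))  # out-of-band delivery only
        return {"status": "sent"}            # the code never enters the response

    def verify_otp(self, phone, submitted):
        entry = self._pending.get(phone)
        if entry is None:
            return {"status": "invalid"}
        if self._clock() > entry["expires"]:
            del self._pending[phone]
            return {"status": "expired"}
        entry["attempts"] += 1
        if entry["attempts"] > self.MAX_ATTEMPTS:
            del self._pending[phone]         # burn the code after too many guesses
            return {"status": "locked"}
        # Constant-time compare of the keyed hash of the client's guess
        if hmac.compare_digest(entry["digest"], self._digest(phone, str(submitted))):
            del self._pending[phone]         # single use
            return {"status": "verified"}
        return {"status": "invalid"}


def attacker_without_phone(api, victim_phone):
    """Attacker calls the request endpoint for someone else's number and keeps
    whatever the API response told them. Leaky API: the real code.
    Hardened API: None, so the attacker is left guessing."""
    resp = api.request_otp(victim_phone)
    return resp.get("otp")


if __name__ == "__main__":
    print("leaky API leaks:", attacker_without_phone(LeakyOtpApi(), "+15550000001"))
    hardened = ServerSideOtpApi()
    print("hardened API leaks:", attacker_without_phone(hardened, "+15550000002"))
    phone, code = SENT_MESSAGES[-1]   # what the real user saw on their handset
    print("real user verifies:", hardened.verify_otp(phone, code))
```

The extra round trip that ryanisnan jokes about is the whole point: the only way the server can know the client received the message is to make the client prove it by sending something back, and the server can only judge that proof if it never gave the answer away. Rate limiting per phone number and per source IP, plus audit logging of `locked` events, would sit on top of this in production.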
9. immibis No.43966811
Is that the same guy who had his degree revoked for creating a cheating tool for interviews and is now a millionaire for creating a cheating tool for interviews?
10. MBCook No.43966920
Could be. Somewhere else in these comments someone was saying they found evidence that the app was coded that way.

But they also said it was a project by two students. And I could absolutely see students (or even normal developers) who aren’t used to thinking about security make that mistake. It is a very obvious way to implement it.

In retrospect I know that my senior project had some giant security issues. There were more things to look out for than I knew about at that time.