
561 points bearsyankees | 2 comments
blantonl No.43965416
Returning the OTP in the request API response is wild. Like why?
MBCook No.43965989
So the UI can check if what they enter is correct.

It’s very sensible and an obvious solution if you don’t think about the security of it.

A dating app is one of the most dangerous kinds of app to make due to all the necessary PII. This is horrible.

1. ryanisnan No.43966056
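The pattern MBCook describes (returning the code so the client can compare it) next to the server-side check it should have been, as an added example that is not code from the thread or from the app being discussed; the in-memory store and the SENT_MESSAGES outbox are constructed stand-ins for a database and an SMS gateway.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 5
# Constructed stand-ins for a database and an SMS gateway (hypothetical).
_store = {}            # phone -> pending-OTP record
SENT_MESSAGES = []     # (phone, otp) pairs that "left" over the side channel

def _hash_otp(otp, salt):
    return hashlib.pbkdf2_hmac("sha256", otp.encode(), salt, 100_000)

def _deliver_out_of_band(phone, otp):
    SENT_MESSAGES.append((phone, otp))   # real code: SMS/e-mail provider

def request_otp_leaky(phone):
    """The anti-pattern from the thread: the code is echoed back so the
    UI can compare locally. Any caller of this endpoint now holds the OTP."""
    otp = f"{secrets.randbelow(10**6):06d}"
    _store[phone] = {"otp": otp}
    return {"status": "sent", "otp": otp}

def request_otp(phone, now=None):
    """Hardened: only a salted hash is stored, the code travels solely
    out-of-band, and the API response says nothing about its value."""
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10**6):06d}"
    salt = secrets.token_bytes(16)
    _store[phone] = {"salt": salt, "digest": _hash_otp(otp, salt),
                     "expires": now + OTP_TTL_SECONDS, "attempts": 0}
    _deliver_out_of_band(phone, otp)
    return {"status": "sent"}

def verify_otp(phone, submitted, now=None):
    """Server-side check: constant-time compare, expiry, attempt cap, single use."""
    now = time.time() if now is None else now
    rec = _store.get(phone)
    if rec is None or "digest" not in rec:
        return False
    if now > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
        _store.pop(phone, None)          # expired or locked out: need a new code
        return False
    rec["attempts"] += 1
    ok = hmac.compare_digest(_hash_otp(submitted, rec["salt"]), rec["digest"])
    if ok:
        _store.pop(phone, None)          # one successful use consumes the code
    return ok
```

The hardened flow costs the extra round trip ryanisnan jokes about, and that round trip is exactly where the expiry, attempt cap and single-use checks live.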
> if you don’t think about the security of it.

This is big brain energy. Why bother needing to make yet another round trip request when you can just defer that nonsense to the client!

2. joelhaasnoot No.43966286
No one would ever hack my app!