
561 points bearsyankees | 6 comments
blantonl No.43965416
Returning the OTP in the request API response is wild. Like why?
replies(6): >>43965452 #>>43965527 #>>43965664 #>>43965678 #>>43965989 #>>43967689 #
MBCook No.43965989
So the UI can check if what they enter is correct.

It’s very sensible and an obvious solution if you don’t think about the security of it.

A dating app is one of the most dangerous kinds of app to make due to all the necessary PII. This is horrible.

replies(3): >>43966056 #>>43966068 #>>43966759 #
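The pattern the comment above describes, shown as an added example that is not code from the app under discussion or from any commenter: an OTP request handler that echoes the code back in its JSON body, next to the server-side flow that should replace it (the server keeps only a salted hash, verifies the submitted code itself, and enforces expiry, an attempt cap and single use). The phone-keyed in-memory store, the `SENT` list standing in for an SMS provider, and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

OTP_TTL_SECONDS = 300   # code is valid for five minutes (assumed policy)
MAX_ATTEMPTS = 5        # lock the code after this many wrong guesses (assumed policy)

# Constructed stand-ins: a dict instead of a database, and a list instead of an
# SMS gateway so the example runs offline. Each SENT entry is (phone, code).
_pending: dict = {}
SENT: list = []


def _send_sms(phone: str, code: str) -> None:
    """Records what the SMS provider would deliver out of band."""
    SENT.append((phone, code))


def _issue(phone: str, now: float) -> str:
    """Generate a 6-digit code, store only a salted hash of it, deliver it by SMS."""
    code = f"{secrets.randbelow(10**6):06d}"
    salt = secrets.token_bytes(16)
    _pending[phone] = {
        "hash": hashlib.sha256(salt + code.encode()).digest(),
        "salt": salt,
        "expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    _send_sms(phone, code)
    return code


# --- Vulnerable handler: the OTP goes back to whoever called the endpoint -----
def request_otp_vulnerable(phone: str, now: Optional[float] = None) -> dict:
    """Returns the code so the UI can compare locally. Anyone who can call
    this endpoint learns the code without ever seeing the SMS."""
    now = time.time() if now is None else now
    code = _issue(phone, now)
    return {"status": "sent", "otp": code}   # the mistake discussed in the thread


# --- Hardened handler: nothing secret leaves the server ----------------------
def request_otp(phone: str, now: Optional[float] = None) -> dict:
    now = time.time() if now is None else now
    _issue(phone, now)
    return {"status": "sent"}


def verify_otp(phone: str, submitted: str, now: Optional[float] = None) -> bool:
    """Server-side check: expiry, attempt cap, constant-time compare, single use."""
    now = time.time() if now is None else now
    entry = _pending.get(phone)
    if entry is None:
        return False
    if now > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
        _pending.pop(phone, None)   # burn the code rather than keep guessing open
        return False
    entry["attempts"] += 1
    candidate = hashlib.sha256(entry["salt"] + submitted.encode()).digest()
    if hmac.compare_digest(candidate, entry["hash"]):
        _pending.pop(phone, None)   # a code that verified once must not verify again
        return True
    return False


if __name__ == "__main__":
    victim = "+15555550100"            # constructed sample number
    leaked = request_otp_vulnerable(victim, now=0.0)["otp"]
    print("attacker logs in with leaked code:", verify_otp(victim, leaked, now=1.0))
    request_otp(victim, now=10.0)
    print("hardened response carries no code; SMS got:", SENT[-1][1])
```

The client-side comparison the comment mentions is exactly what the hardened version refuses to support: the browser or app never holds the expected value, so the only way to pass `verify_otp` is to know what was delivered to the phone, and even that window closes after five minutes, five wrong guesses, or one successful use.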
1. pydry No.43966068
Smacks of vibe coding
replies(2): >>43966251 #>>43966920 #
2. bitbasher No.43966251
I don't think a language model is that stupid. This smacks of pure human stupidity and/or offshoring.
replies(1): >>43966449 #
3. orphea No.43966449
But LLMs are that stupid. Do you remember that guy who vibe-coded a cheating tool for interviews and literally leaked all his API keys/secrets to GitHub because neither he nor the LLM knew any better?
replies(2): >>43966524 #>>43966811 #
4. bitbasher No.43966524
Fair enough. Since it's trained on human stupidity, I suppose it would reflect that stupidity as well.
5. immibis No.43966811
Is that the same guy who had his degree revoked for creating a cheating tool for interviews and is now a millionaire for creating a cheating tool for interviews?
6. MBCook No.43966920
Could be. Somewhere else in these comments someone was saying they found evidence that the app was coded that way.

But they also said it was a project by two students. And I could absolutely see students (or even normal developers) who aren’t used to thinking about security make that mistake. It is a very obvious way to implement it.

In retrospect I know that my senior project had some giant security issues. There were more things to look out for than I knew about at that time.