Most active commenters
  • nixpulvis(4)
  • behringer(3)

←back to thread

I hacked a dating app (and how not to treat a security researcher)

(alexschapiro.com)
560 points bearsyankees | 15 comments | 12 May 25 16:39 UTC | HN request time: 1.452s | source | bottom
Show context
nixpulvis ◴[12 May 25 17:50 UTC] No.43965715[source]
People need to be forced to think twice before taking in such sensitive information as a passport or even just addresses. This sort of thing cannot be allowed to be brushed off as just a bunch of kids making an app.
replies(5): >>43965749 #>>43966078 #>>43966320 #>>43966383 #>>43968604 #
1. jonny_eh ◴[12 May 25 18:25 UTC] No.43966078[source]
There should to be some kind of government operated identity confirmation service that is secure/private.

Or by someone "government-like" such as Apple or Google.

replies(4): >>43966153 #>>43966160 #>>43967625 #>>43969390 #
2. clifflocked ◴[12 May 25 18:33 UTC] No.43966153[source]
OAuth exists and can be used to confirm someone's identity by linking their Google account.
replies(3): >>43966180 #>>43966304 #>>43966328 #
3. behringer ◴[12 May 25 18:34 UTC] No.43966160[source]
when I worked for the government, within 2 months they had leaked all of my data to the black market.

Governments should not be confirming shit.

replies(1): >>43966794 #
4. nixpulvis ◴[12 May 25 18:36 UTC] No.43966180[source]
To be fair, I wouldn't want my google account linked to my dating profile. Aggregating services has risks too.
replies(1): >>43966203 #
5. knicholes ◴[12 May 25 18:38 UTC] No.43966203{3}[source]
Maybe secondary google account.
replies(1): >>43969394 #
6. smt88 ◴[12 May 25 18:49 UTC] No.43966304[source]
A Google account does nothing to prove identity
7. kelnos ◴[12 May 25 18:52 UTC] No.43966328[source]
Linking a Google account doesn't confirm your identity, though. It just confirms that you created a Google account with a particular name.
8. pixl97 ◴[12 May 25 19:45 UTC] No.43966794[source]
The government already has all your data so I'm not sure who you think should be confirming identity.
replies(1): >>43967532 #
9. behringer ◴[12 May 25 21:15 UTC] No.43967532{3}[source]
and my point is that they leak it. So it's hardly useful to have them both house and confirm the data when they can't house it properly.

They'll be confirming data that is publicly available.

replies(1): >>43967610 #
10. jonny_eh ◴[12 May 25 21:26 UTC] No.43967610{4}[source]
But what additional data are you worried about them having?
replies(1): >>43998986 #
11. steeeeeve ◴[12 May 25 21:28 UTC] No.43967625[source]
Government is the worst possible solution to every problem.

(not an attack on you. I have to say that every time I see someone say anything along the lines of "the government should do it")

replies(1): >>43968361 #
12. GuinansEyebrows ◴[12 May 25 23:20 UTC] No.43968361[source]
Government is made the worst possible solution thanks to lobbying and lawyers. It doesn't have to be this way.
13. nixpulvis ◴[13 May 25 03:16 UTC] No.43969390[source]
I would rather see an FDPA (Federal Data Protection Administration) which goes after people who get this stuff wrong.
14. nixpulvis ◴[13 May 25 03:18 UTC] No.43969394{4}[source]
Yea, but then what I have to upload my passport through a service linked to that secondary. It's not really tenable.
15. behringer ◴[15 May 25 20:28 UTC] No.43998986{5}[source]
If a private company can't do it. You can bet double or nothing that the government can't do it:

https://news.ycombinator.com/item?id=43996307