(alexschapiro.com)

560 points bearsyankees | 1 comments | 12 May 25 16:39 UTC | HN request time: 0s | source

Show context

blantonl ◴[12 May 25 17:26 UTC] No.43965416[source]▶

>>43964937 (OP) #

Returning the OTP in the request API response is wild. Like why?

replies(6): >>43965452 #>>43965527 #>>43965664 #>>43965678 #>>43965989 #>>43967689 #

mooreds ◴[12 May 25 17:29 UTC] No.43965452[source]▶

>>43965416 #

I too am bewildered.

Maybe to make it easier to build the form accepting the OTP? Oversight?

I can't think of any other reasons.

replies(3): >>43965701 #>>43965737 #>>43966261 #

Alex-Programs ◴[12 May 25 18:45 UTC] No.43966261[source]▶

>>43965452 #

I assume that whoever wrote it just has absolutely no mental model of security, has never been on the attacking side or realised that clients can't be trusted, and only implemented the OTP authentication because they were "going through the motions" that they'd seen other people implement.

replies(2): >>43966624 #>>43966880 #

1. ceejayoz ◴[12 May 25 19:22 UTC] No.43966624[source]▶

>>43966261 #

https://en.wikipedia.org/wiki/Cargo_cult

↑

I hacked a dating app (and how not to treat a security researcher)