←back to thread

I hacked a dating app (and how not to treat a security researcher)

(alexschapiro.com)
561 points bearsyankees | 1 comments | 12 May 25 16:39 UTC | HN request time: 0.203s | source
Show context
blantonl ◴[12 May 25 17:26 UTC] No.43965416[source]
Returning the OTP in the request API response is wild. Like why?
replies(6): >>43965452 #>>43965527 #>>43965664 #>>43965678 #>>43965989 #>>43967689 #
MBCook ◴[12 May 25 18:16 UTC] No.43965989[source]
So the UI can check if what they enter is correct.

It’s very sensible and an obvious solution if you don’t think about the security of it.

A dating app is one of the most dangerous kinds of app to make due to all the necessary PII. this is horrible.

replies(3): >>43966056 #>>43966068 #>>43966759 #
1. benmmurphy ◴[12 May 25 19:39 UTC] No.43966759[source]
I’ve seen banks where the OTP code is generated on the client and then sent to the server.