by notwhoyouthink 3487 days ago
From a quick glance, this seems woefully insecure. Incrementing "user" by 1 yields (what I assume to be) someone else's export.

If you have any private snippets you would like to keep private, using this exporter would be a bad idea.

If you're the developer of this utility, my recommendation would be to generate a 1-time download link for the snippets instead of hosting them online without any authentication.

1 comment

> If you have any private snippets you would like to keep private, using this exporter would be a bad idea.

Well if they are private, and someone else figures this out, it doesn't matter whether or not you use the exporter, no?

What I mean is that the exporter linked to by modinfo optionally allows you to input your Snipt API keys to export your private snippets in addition to your public ones.

It appears that once this process is done by the exporter, both your public and private snippets are hosted on the exporter's server and accessible without any authentication.

For example, this is an export from the exporter: http://fotis.co/snipt/export.php?user=3760&limit=100

Increment ?user=3760 by 1 and you are greeted with someone else's export.
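The two schemes discussed in this thread side by side, as an added example that is not code from the Snipt exporter or from anyone in the thread: a lookup keyed by a sequential user id (anyone can walk the id space, which is what incrementing `?user=3760` shows), and the one-time download link suggested above, implemented as a random single-use token with an expiry. The sample exports, the function and class names, the 600-second TTL and the injectable clock are all assumptions made for the example.

```python
"""Sequential-id export lookup beside a one-time, expiring download token.
Added example, not the exporter's code; data, names and TTL are assumptions."""
import hashlib
import secrets
import time

# Constructed sample data: exports keyed by a sequential numeric user id.
# The ids mirror the thread's ?user=3760 example; the contents are invented.
EXPORTS = {
    3760: {"public": ["echo hello"], "private": ["export API_TOKEN=abc123"]},
    3761: {"public": ["ls -la"], "private": ["db_password = hunter2"]},
}


def export_by_user_id(user_id):
    """Weak scheme: anyone who knows (or guesses) the id gets the export."""
    return EXPORTS.get(user_id)


def enumerate_exports(start, count):
    """Why sequential ids are a problem: walking the id space finds every
    export, including other users' private snippets."""
    return [uid for uid in range(start, start + count) if uid in EXPORTS]


class OneTimeDownloads:
    """Hardened scheme: a random, single-use, expiring token per export.

    Only a SHA-256 digest of each token is stored, so a leaked table of
    issued tokens does not yield usable download links."""

    def __init__(self, ttl_seconds=600, now=time.time):
        self._ttl = ttl_seconds
        self._now = now          # injectable clock (assumed; eases testing)
        self._pending = {}       # token digest -> (user_id, expiry)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        """Return the link token to hand to the user who just ran the export."""
        token = secrets.token_urlsafe(32)  # 256 random bits, not enumerable
        self._pending[self._digest(token)] = (user_id, self._now() + self._ttl)
        return token

    def redeem(self, token):
        """Return the export once; unknown, reused or expired tokens get None."""
        entry = self._pending.pop(self._digest(token), None)  # pop: single use
        if entry is None:
            return None
        user_id, expiry = entry
        if self._now() > expiry:
            return None
        return EXPORTS.get(user_id)


if __name__ == "__main__":
    print("weak scheme: ids", enumerate_exports(3760, 2), "are all readable")
    downloads = OneTimeDownloads()
    link = downloads.issue(3760)
    print("first redeem succeeds:", downloads.redeem(link) is not None)
    print("second redeem succeeds:", downloads.redeem(link) is not None)
```

In a real deployment the `?user=N` endpoint would be replaced by one that accepts only the token, and the export file itself should be deleted once the token has been redeemed or has expired, so nothing with private snippets stays on the server waiting to be found.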