by mlthoughts2018 2208 days ago
How does that answer the question? So what if you can replay logs of all attempts? How can you prove for any specific log that it was the “real” user making the request, and not someone using their email maliciously to make an identical request?

It doesn't. That's also the downside of most login/identity providers that implement some form of "Impersonation."

Without really smart and well-considered limitations and logging, it's impossible to tell the User from the User* without digging through audit trails, etc., and if the developers/architects involved didn't consider the limitations and logging in the first place, odds are they didn't consider the audit trails either.

And yes, I do this for a living, and have seen bad things from major organizations. :(
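As an added illustration of the "User vs. User*" problem the reply describes (example code written for this page, not from either commenter or any particular identity provider): an audit record that stores only the account a request was made *as* cannot distinguish the real user from an operator impersonating them, whereas a record that also stores the authenticated actor, an impersonation flag and a stated reason can, and can enforce a limit on what impersonated sessions may do. The field names, the principals `alice`, `bob`, `carol`, and the `DENIED_UNDER_IMPERSONATION` policy are constructed assumptions.

```python
# Added example (not code from the thread). Field names, principals and the
# DENIED_UNDER_IMPERSONATION policy are constructed for illustration.
from dataclasses import dataclass, asdict
from datetime import datetime, timezone, timedelta
from typing import Optional
import json

# Actions a support operator may never take while impersonating a user.
# Constructed policy: a real deployment chooses its own list.
DENIED_UNDER_IMPERSONATION = {"change_email", "change_password", "export_data"}


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    action: str
    subject: str            # account the request is made "as" (the User)
    actor: str              # principal whose credentials actually authenticated
    session_id: str
    impersonated: bool      # True when actor != subject (the User*)
    reason: Optional[str]   # ticket / justification given at impersonation time
    allowed: bool           # whether the request was permitted


def log_request(ts, action, subject, actor, session_id, reason=None):
    """Build one audit record. Refuses denied or unjustified impersonated
    actions, but still records the attempt so reviewers can see it."""
    impersonated = actor != subject
    allowed = True
    if impersonated and action in DENIED_UNDER_IMPERSONATION:
        allowed = False                      # limitation 1: sensitive actions
    if impersonated and reason is None:
        allowed = False                      # limitation 2: no stated reason
    return AuditEvent(ts, action, subject, actor, session_id,
                      impersonated, reason, allowed)


def subject_only_view(events):
    """What a log that stores only the subject shows: User and User* collapse."""
    return [(e.ts, e.subject, e.action) for e in events]


def attribute(events, subject):
    """Split one subject's history into self-initiated and impersonated actions."""
    own = [e for e in events if e.subject == subject and not e.impersonated]
    by_others = [e for e in events if e.subject == subject and e.impersonated]
    return {
        "self_actions": [e.action for e in own],
        "impersonated_actions": [(e.actor, e.action, e.allowed) for e in by_others],
        "impersonators": sorted({e.actor for e in by_others}),
    }


def impersonation_report(events):
    """actor -> [(subject, action, allowed)] for every impersonated request."""
    report = {}
    for e in events:
        if e.impersonated:
            report.setdefault(e.actor, []).append((e.subject, e.action, e.allowed))
    return report


def _ts(minutes):
    base = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    return (base + timedelta(minutes=minutes)).isoformat()


# Constructed sample: alice acts for herself, then support operator bob
# impersonates her (with a ticket) and later carol (without one).
EVENTS = [
    log_request(_ts(0), "view_profile", "alice", "alice", "sess-a1"),
    log_request(_ts(5), "view_profile", "alice", "bob", "sess-b7", reason="TICKET-123"),
    log_request(_ts(6), "change_email", "alice", "bob", "sess-b7", reason="TICKET-123"),
    log_request(_ts(30), "change_email", "alice", "alice", "sess-a1"),
    log_request(_ts(40), "view_profile", "carol", "bob", "sess-b7"),
]


def main():
    for row in subject_only_view(EVENTS):
        print("subject-only view:", row)        # rows 1 and 2 look identical
    print(json.dumps(attribute(EVENTS, "alice"), indent=2))
    for e in EVENTS:
        print(json.dumps(asdict(e)))            # the full record, one JSON line each


if __name__ == "__main__":
    main()
```

Run it and compare the `subject-only view` rows with the full records: the first two rows are indistinguishable, while the full records name `bob` as the actor and show that his `change_email` attempt and his unjustified session on `carol` were refused but still logged. Keeping the actor and session identifier on every record is what makes a later replay of the log answer "who really made this request?".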