Hacker News new | ask | show | jobs
by sebmellen 2087 days ago
Uh... One part of it is not returning password reset tokens in the browser. If you know remotely anything about web security this is the most glaring security flaw you could ever encounter.

Other steps are nice to think about, but ensuring basic security measures would preempt 99% of data breaches and "hacks".
3 comments
brundolf 2087 days ago
The most appalling part is that this was a dedicated endpoint, named "password-reset". This wasn't some negligent leak, some misconfigured logger. It was done this way on purpose. Somebody thought this was a good idea. And nobody else saw it and thought to question it! It reveals gross institutional incompetence that probably should have been filtered out at the hiring stage.
link
ghostbrainalpha 2087 days ago
Could you explain why that's bad for someone who knows nothing about security?

Where should the password reset token be?

link
sebmellen 2087 days ago
The token should only be accessible to the user requesting the password reset, meaning that it would be sent via email (this is the standard password reset flow).

The flaw here is that anyone, even if they did not control the email of the user, could reset the password, because the reset token was returned in the browser, where anyone could see it. Essentially, just by knowing someone's email (not having control over it), you could reset their password.

link
ghostbrainalpha 2082 days ago
You did a really great job breaking that down! Thank you!
link
Jtsummers 2087 days ago
It should’ve been sent via email to the registered email address. That lets the account owner reject it (I didn’t request a password reset!) or use it.
link
dewey 2087 days ago
In an email sent to the address linked to the account.
link
perardi 2087 days ago
Yeah, in this particular case, they were just glaringly stupid.

Just gaming out ideas in my head. I have friends from rather more repressive countries, namely China, where being gay is still a grey area in terms of legality and acceptance, and I’m just thinking of better ways to structure a system.

link
thaumasiotes 2087 days ago
> rather more repressive countries, namely China, where being gay is still a grey area in terms of legality and acceptance

...what?

link