by jjeaff 1913 days ago
Perhaps you could hash the session id with a secret salt on the server side. Then you could discard the original and store and pass along the hashed session id. That way, anyone you send it to would not be able to impersonate the HN user. You could also hash with a different salt before sending to a third party so that they would not be able to impersonate someone's account in your extension.
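The scheme suggested in the comment above, worked through as an added example (it is not code from the commenter or from the extension being discussed). The "secret salt" is implemented here as the key of an HMAC-SHA256, which is the standard way to make a hash that only the holder of the server-side secret can recompute; the two key values are constructed placeholders, and the backend functions are hypothetical names chosen for the illustration.

```python
import hmac
import hashlib

# Server-side secrets. These are constructed placeholders for the example;
# a real backend would load them from a secret store, not hard-code them.
SERVER_KEY = b"server-side-secret-key-placeholder"
THIRD_PARTY_KEY = b"third-party-derivation-key-placeholder"


def derive_token(session_id: str, key: bytes) -> str:
    """Return HMAC-SHA256(key, session_id) as hex.

    Without `key` the token cannot be reversed or recomputed, so a party
    that holds only the token cannot present the original cookie to HN.
    """
    return hmac.new(key, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def validate_and_forget(session_id: str) -> dict:
    """Hypothetical backend step: derive tokens once, then drop the raw cookie.

    Returns the token kept internally and the distinct token that would be
    handed to a third party; each is bound to a different key, so neither
    party can compute the other's token or recover the session id.
    """
    internal = derive_token(session_id, SERVER_KEY)
    for_third_party = derive_token(session_id, THIRD_PARTY_KEY)
    # The raw session_id is deliberately not returned or stored.
    return {"internal": internal, "third_party": for_third_party}


def tokens_match(stored: str, presented: str) -> bool:
    """Constant-time comparison for later lookups of a stored token."""
    return hmac.compare_digest(stored, presented)


if __name__ == "__main__":
    # Constructed sample cookie value, not a real HN session id.
    sample = "user-session-cookie-value-EXAMPLE"
    tokens = validate_and_forget(sample)
    print("internal token:   ", tokens["internal"])
    print("third-party token:", tokens["third_party"])
    print("same token from same key:", tokens_match(
        tokens["internal"], derive_token(sample, SERVER_KEY)))
```

The point of the two keys is separation of trust: the internal token identifies the user to the extension's own backend, the third-party token identifies the same user to an outside service, and knowing either one gives no way to forge the other or to recover the cookie that HN actually accepts.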

Just to be clear, we simply validate your session by requesting the page with your cookie and seeing if we get a logged in page. We never send your info to any third party.
For the purposes of authenticated interactions between HN and the user, you are the third party who now has full access to the user's account. App/extension stores generally take a dim view of/outright prohibit this because of its high abuse potential.
You can claim whatever you want to claim, we unfortunately have no way to ensure that this is true.

This is a security hazard, period.

While the feature is nice, and I like the design of the notification dropdown, this is a risk I (and probably many) won't take.

I see. That makes more sense. I understood from another post that you were also passing it along to another service.