by krackout
1361 days ago
Thank you for the answer, I didn't know about these Capability URLs. It's kind of security by obscurity, I think. Still, if somehow somebody else gains access to a Capability URL, it cannot be considered an unlawful act. He could even claim that he was lucky enough to type a URL which, by coincidence, gave him access to somebody else's personal data.
I get that it looks insecure, but it is extremely unlikely to hit the correct value. Here is some more info:
https://en.wikipedia.org/w/index.php?title=Universally_uniqu...
This is for a 128 (122) bit UUID; some capability URLs use other, longer values. It depends on the implementation details, and if someone gets hold of your mail, the URL is exposed. There are some security concerns because URLs are usually not treated as a secret and are saved by your browser, for example, where they could be exposed to other parties.
But overall the mechanism is still a valid way to provide access to restricted resources without the user needing an account or login. This can happen for a business because people generally don't want to register for every service. You could use a third-party authentication provider, but that can come with its own problems.
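The mechanism described in the reply above, as an added example that is not code from this thread or from any project: it mints an unguessable token, stores only its hash, and limits the damage of a leaked link (mail forwarding, browser history) with an expiry and a single-use flag. The in-memory store, `base_url` and function names are assumptions for illustration.

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed in-memory grant store keyed by sha256(token), so a copy of the
# store alone does not reveal any live URL. (Assumption: a real service would
# keep this in a database with the same hashed-token column.)
_grants: dict = {}


def guess_probability(entropy_bits: int, attempts: int) -> float:
    """Chance that `attempts` random guesses hit one valid token of the given
    entropy. A v4 UUID carries 122 random bits, as the post above notes."""
    return attempts / 2 ** entropy_bits


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_capability_url(resource: str, base_url: str, ttl_seconds: int = 3600,
                         single_use: bool = True) -> str:
    """Mint a 256-bit token (more than a UUID's 122) bound to one resource, with
    an expiry and an optional single-use flag to contain a leaked link."""
    token = secrets.token_urlsafe(32)  # CSPRNG, never random.random()
    _grants[_digest(token)] = {
        "resource": resource,
        "expires": time.time() + ttl_seconds,
        "single_use": single_use,
        "used": False,
    }
    return f"{base_url}/access/{token}"


def redeem_capability(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the granted resource, or None if the token is unknown, expired or
    already used. Lookup is by hash of the token, so a comparison timing
    difference reveals nothing useful about the secret itself."""
    now = time.time() if now is None else now
    grant = _grants.get(_digest(token))
    if grant is None or now > grant["expires"] or grant["used"]:
        return None
    if grant["single_use"]:
        grant["used"] = True
    return grant["resource"]


def token_from_url(url: str) -> str:
    """Extract the token component from a URL made by issue_capability_url."""
    return url.rsplit("/", 1)[1]
```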