by rzimmerman 1081 days ago
Summary from what I read:

Any user can query pretty much any table in the DB using their "GQL" wrapper around SQL. Someone thought enough to restrict the "user_password" field, so instead you query another table which gives you the user's session ID. Normally a token is user session ID + signature. But it turns out the signature wasn't really being validated, so user session ID + anything worked.

I'm normally not one to jump on mistakes, but that's remarkably bad.
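The token flaw summarized in the comment above, shown as an added example that is not part of the original comment or the affected product's code: a verifier that parses the signature but never checks it, next to one that recomputes it before looking up the session. The token layout (`<session_id>.<hex HMAC-SHA256>`), the key, and all function names are assumptions for illustration.

```python
import hashlib
import hmac

# Assumed for illustration: tokens look like "<session_id>.<hex HMAC-SHA256>"
# and the server holds SECRET_KEY. Neither detail comes from the comment.
SECRET_KEY = b"constructed-demo-key"  # constructed value


def sign(session_id: str) -> str:
    """Issue a token: the session ID plus a MAC computed over it."""
    mac = hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{mac}"


def split_token(token: str):
    """Return (session_id, signature), or None if the token is malformed."""
    session_id, sep, signature = token.rpartition(".")
    if not sep or not session_id or not signature:
        return None
    return session_id, signature


def verify_broken(token: str, sessions: set):
    """The flaw described: the signature is parsed but never checked."""
    parts = split_token(token)
    if parts is None:
        return None
    session_id, _signature = parts
    return session_id if session_id in sessions else None


def verify_fixed(token: str, sessions: set):
    """Recompute the MAC and compare in constant time before any lookup."""
    parts = split_token(token)
    if parts is None:
        return None
    session_id, signature = parts
    expected = hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return None
    return session_id if session_id in sessions else None


if __name__ == "__main__":
    live = {"sess-1001"}  # constructed session store
    print(verify_broken("sess-1001.anything", live))
    print(verify_fixed("sess-1001.anything", live))
```

With the fixed verifier, knowing a session ID is no longer enough to authenticate, so a leak of the session table alone does not yield usable tokens.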