by bruce511 749 days ago
Of course. But I think the poster above was referring to just posting random keys to the server.

In other words I don't have your key, or any key, but I have "all of them".

The correct response to this though is that "there are lots of keys, and valid keys are sparse."

In other words, the number of valid keys that could be invalidated in this way is massively smaller than the list of invalid keys. Think trillions of trillions to 1.


Which, like, if posting random keys has any realistic plausibility of collision, malicious revoking of keys is the least of your concerns.

People could just hit important data fetch endpoints with random keys, until they find one that’s good, and then have a compromised account.
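A worked version of the sparsity argument from the two comments above, as an added example that is not part of the thread: it computes the chance that one random guess lands on any valid key, the expected time to a first hit at a given request rate, and then actually runs a guessing loop against a constructed set of valid keys, once with a realistically sized key and once with a deliberately tiny one. The 128-bit key length, the number of valid keys and the request rate are assumptions for illustration; the thread does not state them.

```python
import secrets

# Assumed key length in bits (the thread never says what the real service uses).
KEY_BITS = 128


def hit_probability(valid_keys: int, key_bits: int) -> float:
    """Probability that a single uniformly random guess equals one of `valid_keys`
    distinct keys drawn from a space of 2**key_bits. This is the sparsity ratio."""
    return valid_keys / (2 ** key_bits)


def expected_seconds_to_first_hit(valid_keys: int, key_bits: int, guesses_per_second: float) -> float:
    """Expected wall-clock time until a random-guessing attacker first hits a valid key.
    Each guess is an independent trial with success probability hit_probability(),
    so the expected number of guesses is its reciprocal."""
    p = hit_probability(valid_keys, key_bits)
    return 1.0 / (p * guesses_per_second)


def make_valid_keys(count: int, key_bits: int) -> set[int]:
    """Constructed sample data: `count` random keys standing in for a service's valid keys."""
    return {secrets.randbits(key_bits) for _ in range(count)}


def brute_force(valid: set[int], key_bits: int, attempts: int) -> int:
    """Simulate the attack from the thread: post random keys and count how many
    are accepted (i.e. collide with a valid key). Returns the number of hits."""
    hits = 0
    for _ in range(attempts):
        guess = secrets.randbits(key_bits)
        if guess in valid:
            hits += 1
    return hits


if __name__ == "__main__":
    # Assumed scale: a billion valid keys, an attacker sending a million guesses per second.
    n_valid, rate = 10**9, 10**6
    p = hit_probability(n_valid, KEY_BITS)
    years = expected_seconds_to_first_hit(n_valid, KEY_BITS, rate) / (365 * 24 * 3600)
    print(f"per-guess hit probability with {KEY_BITS}-bit keys: {p:.3e}")
    print(f"expected years to first hit at {rate} guesses/s: {years:.3e}")

    # 100k guesses against 1000 valid 128-bit keys: effectively never a hit.
    big = make_valid_keys(1000, KEY_BITS)
    print("hits against 128-bit keys:", brute_force(big, KEY_BITS, 100_000))

    # Same attack against 20-bit keys: the space is dense and guessing works.
    small = make_valid_keys(1000, 20)
    print("hits against 20-bit keys:", brute_force(small, 20, 100_000))
```

The second simulation is the point of the "if collision is plausible, revocation is the least of your concerns" reply: whether an attacker can revoke your key by guessing and whether they can use your key by guessing are the same question, and the answer is decided entirely by the key length and how many keys are live, not by which endpoint accepts the guess.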

Good point. Presented that way, I am seeing more positives to their policies; in particular, if a vulnerability was unearthed by the invalidation quirk, it's a way better way to find out than any other way.
It's wrong that clients are authenticated with just the randomly generated username. But it's also what everyone does.