Hacker News new | ask | show | jobs
by herczegzsolt 514 days ago
In my opponion, all of those cases very well justify a manual check, or some sort of extended identification before the user is let in.

It indicates a deeper cultural issue of "convenience/profit over security" if those are sufficient reasons to not check the sub parameter.
1 comments
chavesn 514 days ago
> all of those cases very well justify a manual check, or some sort of extended identification before the user is let in.

Just curious, what would that check look like that's not open to the same vuln?

link
herczegzsolt 513 days ago
For example a call to the registered owner or contact person of the organizaton (not the user).

Any out-of-band communication should work which checks for the legal entity, not just something that eventually relies on DNS.

Alternatively, you can always just not let them access the old user, and create a new one instead.

link
ycombinatrix 514 days ago
"Your account seems to have changed hands and is locked for your security.

The person paying for your subscription must contact us to verify your account is still legit."

link
chavesn 514 days ago
Right, and how would you further verify “the person paying for your subscription”?
link
ycombinatrix 514 days ago
Payment info
link