by mmmooo 4848 days ago
You are basing your 'token' on md5(data+secret); however, md5 (and other hash functions) are easily extended when data and token are known, even without knowing secret. Basically, given data and token, I can produce a different token that matches a (somewhat) different data, without knowing secret.

Sure you could, but then why would one go through all the hassle just to get a (probably already cached) screenshot?
Well, for starters, I could use your (paid) account to get free screenshots.
But if you knew how to do that then you could probably set up webkit2png in a tenth of the time.
True, but what you are saying is that only complex applications need to be secure?
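The top comment objects to building a request token as a plain hash over data+secret. The block below, added here and not code from the thread or from the screenshot service discussed, puts that construction next to the keyed form a practitioner would use instead: an HMAC over a canonical encoding of the request parameters, checked with a constant-time compare. The secret, parameter names and request values are constructed for the example.

```python
import hmac
import hashlib
from urllib.parse import urlencode

# Constructed sample key; the real service's secret is not on the page.
SECRET = b"example-secret-not-a-real-key"


def canonical(params: dict) -> bytes:
    # Sort the keys and URL-encode them so the signed bytes are unambiguous.
    # Ad-hoc concatenation leaves the boundary between fields undefined, so
    # two different requests can serialise to the same byte string.
    return urlencode(sorted(params.items())).encode()


def naive_token(params: dict, secret: bytes = SECRET) -> str:
    # The construction criticised in the comment: a bare hash over data+secret.
    # Shown only for comparison; it is not a MAC and should not be used.
    return hashlib.md5(canonical(params) + secret).hexdigest()


def sign(params: dict, secret: bytes = SECRET) -> str:
    # HMAC mixes the key into the hash as a keyed function rather than by
    # concatenation, so a known (data, token) pair gives no handle on tokens
    # for other data without the key.
    return hmac.new(secret, canonical(params), hashlib.sha256).hexdigest()


def verify(params: dict, token: str, secret: bytes = SECRET) -> bool:
    # Recompute over the request as received and compare in constant time,
    # so a forged token cannot be refined byte by byte from response timing.
    expected = sign(params, secret)
    return hmac.compare_digest(expected, token)


if __name__ == "__main__":
    # Constructed request: a screenshot of one URL at a given width.
    req = {"url": "https://example.com/", "width": "1024"}
    tok = sign(req)
    assert verify(req, tok)
    # Changing any parameter after signing must be rejected by the verifier.
    assert not verify(dict(req, width="4096"), tok)
    print("signed request verified; tampered request rejected")
```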