by citricsquid
4478 days ago
I think saying that he "warned them" is a bit dishonest. He said the following as a side note 4 years ago:

"I've just checked and you can obtain the password through an API call after you register a new API user."

They designed this functionality, so they clearly knew it was possible. What he didn't do was explain the impact (take public key from app -> request user password), and if he hasn't notified them since that post, it's entirely possible that they never had a reason to reconsider that (awful) decision. That post 4 years ago can't really be considered "responsible disclosure".