by matthewmacleod 4481 days ago
However, the API key for any app can be discovered with zero effort, because it's included in each request. So you can retrieve the plaintext passwords for any user who has signed up with any app using the API.

Whoever created this monstrosity should be ashamed of themselves.

1 comments

To reiterate: Any user of an app can look at the passwords of any user created with that app.