undefined | Better HN

0 pointsjeroenhd2d ago0 comments

The pattern described is a common Discord account theft method and it has proven very effective at locking people out of their accounts.

0 comments

grassfedgeek2d ago

The example requires immediate action. If the hacker beats you he can lock you out by taking over the account, it doesn't matter if it is JWT or some other tech.

nathanmills2d ago

Why would it require immediate action? Most chat services have a rate limit, stopping them at ANY point prevents it from spreading further. The messages don't get all sent at once, they will use the full access period to send as much as they can. Accounts can't typically be taken over with just a cookie, changing passwords normally requires you to confirm your current one. I hope you haven't designed any services where a cookie is enough to lock people out.

j / k navigate · click thread line to collapse

0 comments

grassfedgeek2d ago

The example requires immediate action. If the hacker beats you he can lock you out by taking over the account, it doesn't matter if it is JWT or some other tech.

nathanmills2d ago

j / k navigate · click thread line to collapse