undefined | Better HN

0 pointsmatthewmacleod12y ago0 comments

However, the API key for any app can be discovered with zero effort, because it's included in each request. So you can retrieve the plaintext passwords for any user who has signed up with any app using the API.

Whoever created this monstrosity should be ashamed of themselves.

0 comments

rmc12y ago

To reiterate: Any user of an app can look at the passwords of any user created with that app.

j / k navigate · click thread line to collapse

0 pointsmatthewmacleod12y ago0 comments

However, the API key for any app can be discovered with zero effort, because it's included in each request. So you can retrieve the plaintext passwords for any user who has signed up with any app using the API.

Whoever created this monstrosity should be ashamed of themselves.

0 comments

rmc12y ago

To reiterate: Any user of an app can look at the passwords of any user created with that app.

j / k navigate · click thread line to collapse