
So the security risk requires someone to somehow get your ASP? Correct me if I'm wrong, but I believe you can only make a new ASP when you are already signed in and it disappears after you 'hide' it or leave the page. It kind of seems like if you can get a user's ASP, the account is probably already compromised.

It's nice that they are fixing a couple of loopholes, but not sure if it will actually help any.



The main issue with this is the automatic login functionality. If a person has 2-factor enabled on their account, and any of their devices (phones, tablets, etc.) are stolen, it becomes trivial to act without a password to steal the entire account. If they have a lock screen password, it becomes harder to attack, but any compromised device would likely give an attacker a few hours prior to a user noticing and killing its tokens.


The loophole seems to require the plaintext ASP though.


Presumably the ASP could be intercepted via MITM, when it's being passed to the application for which it was generated.
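As an added illustration of the interception point raised in the comment above (this is example code, not part of the thread or of any Google software): the one moment an application-specific password leaves the user's control is when the mail client hands it to the provider. If that happens on plain IMAP (port 143) without STARTTLS, or via SMTP AUTH PLAIN, a passive on-path observer reads it straight out of the stream, because AUTH PLAIN is only base64, not encryption. The captures, username and ASP below are constructed for the example; `harvest_credentials` is what the observer would run, and `login_over_tls` is the client-side behaviour that closes the window (it assumes the provider's IMAPS endpoint on port 993 and is not invoked here).

```python
import base64
import imaplib
import re
import ssl

# Constructed sample credentials for this example (not a real account).
USER = "someone@example.com"
ASP = "abcdefghijklmnop"  # made-up 16-character app password

# What a passive on-path observer sees when an IMAP client logs in on port 143
# without STARTTLS: the ASP travels in the clear inside the LOGIN command.
IMAP_PLAINTEXT_CAPTURE = (
    "* OK IMAP4 ready\r\n"
    f'a001 LOGIN "{USER}" "{ASP}"\r\n'
    "a001 OK LOGIN completed\r\n"
)

# SMTP AUTH PLAIN looks opaque but is only base64 of "\0user\0password",
# so the same observer recovers the ASP with a single decode.
SMTP_PLAINTEXT_CAPTURE = (
    "220 smtp.example.com ESMTP\r\n"
    "EHLO laptop\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
    "AUTH PLAIN " + base64.b64encode(f"\0{USER}\0{ASP}".encode()).decode() + "\r\n"
    "235 2.7.0 Accepted\r\n"
)

# IMAP LOGIN takes two astrings; each may be quoted or a bare atom.
_IMAP_LOGIN = re.compile(r'^\S+ LOGIN (?:"([^"]*)"|(\S+)) (?:"([^"]*)"|(\S+))\s*$')
_SMTP_AUTH_PLAIN = re.compile(r"^AUTH PLAIN (\S+)\s*$")


def harvest_credentials(capture: str) -> list[tuple[str, str]]:
    """Return (username, password) pairs visible in a plaintext mail session."""
    found: list[tuple[str, str]] = []
    for line in capture.splitlines():
        m = _IMAP_LOGIN.match(line)
        if m:
            user = m.group(1) if m.group(1) is not None else m.group(2)
            pw = m.group(3) if m.group(3) is not None else m.group(4)
            found.append((user, pw))
            continue
        m = _SMTP_AUTH_PLAIN.match(line)
        if m:
            try:
                parts = base64.b64decode(m.group(1), validate=True).split(b"\0")
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            if len(parts) == 3:  # authzid, authcid, password
                found.append((parts[1].decode(), parts[2].decode()))
    return found


def login_over_tls(host: str, user: str, asp: str) -> imaplib.IMAP4_SSL:
    """Hand the ASP only to a server that presented a valid certificate.

    Uses implicit TLS on 993 with the default context (chain and hostname
    verification on) and never falls back to plaintext IMAP or STARTTLS
    negotiation, so a MITM on the path cannot downgrade the session.
    """
    ctx = ssl.create_default_context()
    conn = imaplib.IMAP4_SSL(host, 993, ssl_context=ctx)
    conn.login(user, asp)
    return conn


if __name__ == "__main__":
    for name, cap in (("IMAP", IMAP_PLAINTEXT_CAPTURE), ("SMTP", SMTP_PLAINTEXT_CAPTURE)):
        print(name, harvest_credentials(cap))
```

The practical takeaway for the thread's question: the ASP does not need to be read off the Google settings page; any client configured with "no encryption" or "STARTTLS if available" leaks it on the first login, and an on-path attacker who strips STARTTLS gets the same result. Pinning the client to implicit TLS with certificate verification, as `login_over_tls` does, is the check that removes that interception point.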



