
> Ones I've used, as long as you've configured a way to resolve the user, it pops right up in the service side of the chat system.

Be scared of those. They typically use client-side JavaScript to read a cookie to know which username is active.

There is usually no verification of that info, so obviously it could be faked by a malicious client.

The docs say that, but it's way too easy to just trust the info rather than set up a properly secure solution.



I could see that being really bad... A 'social engineer' could talk support people into helping them hijack an account.


I would love to watch the inevitable presentation we'll be seeing at some security convention within the next few years.


This is a good point. You can definitely verify a user off of context (signed tokens, etc.), but you're probably right that a lot of folks don't do a great job of that!
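Here is what the "signed tokens" approach from the last reply looks like next to the cookie-trusting pattern the thread warns about. This is an added example, not code from any commenter or from a particular chat vendor: the site owner's backend signs the authenticated user's id with a secret that never reaches the browser, the widget forwards the id plus that signature, and the chat service only treats the visitor as a known account if the HMAC checks out. The secret, the user ids and the payload shape are all constructed for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# Hypothetical shared secret. It lives on the site owner's backend and in the
# chat vendor's server-side configuration only; it is never shipped to browser JS.
IDENTITY_SECRET = b"constructed-example-secret-do-not-reuse"


def issue_identity_token(user_id: str, secret: bytes = IDENTITY_SECRET) -> str:
    """Site backend: sign the id of a user it has already authenticated.

    Because this runs server-side after the normal login/session check, the id
    it signs is one the server vouches for, not one the browser asserted.
    """
    return hmac.new(secret, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


@dataclass
class WidgetPayload:
    """What the embedded chat widget sends to the chat service (constructed shape)."""
    user_id: str
    identity_token: Optional[str] = None


def resolve_user_trusting_client(payload: WidgetPayload) -> str:
    """The weak pattern: whatever id the client read from a cookie is believed."""
    return payload.user_id


def resolve_user_verified(payload: WidgetPayload,
                          secret: bytes = IDENTITY_SECRET) -> Optional[str]:
    """Chat service side: accept the id only if the backend's HMAC matches it.

    Returns None for anonymous or unverifiable visitors so the support UI can
    show them as unknown rather than as a logged-in account.
    """
    if payload.identity_token is None:
        return None
    expected = issue_identity_token(payload.user_id, secret)
    # Constant-time comparison so the check does not leak timing information.
    if hmac.compare_digest(expected, payload.identity_token):
        return payload.user_id
    return None


def demo() -> dict:
    """Run both resolvers over a legitimate, a tampered and a bare payload."""
    token = issue_identity_token("alice")
    legit = WidgetPayload(user_id="alice", identity_token=token)
    # A token issued for alice does not validate any other asserted id.
    tampered = WidgetPayload(user_id="bob", identity_token=token)
    # An id with no signature at all is exactly the cookie-only case.
    bare = WidgetPayload(user_id="bob")
    return {
        "trusting_legit": resolve_user_trusting_client(legit),
        "trusting_bare": resolve_user_trusting_client(bare),
        "verified_legit": resolve_user_verified(legit),
        "verified_tampered": resolve_user_verified(tampered),
        "verified_bare": resolve_user_verified(bare),
    }


if __name__ == "__main__":
    for name, resolved in demo().items():
        print(f"{name}: {resolved}")
```

The point of the comparison is the `trusting_bare` row: the cookie-trusting resolver happily reports "bob" for a payload nothing on the server ever vouched for, while the verified resolver reports no identity, which is what a support agent should see before helping with account changes.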



