Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

In my opponion, all of those cases very well justify a manual check, or some sort of extended identification before the user is let in.

It indicates a deeper cultural issue of "convenience/profit over security" if those are sufficient reasons to not check the sub parameter.



> all of those cases very well justify a manual check, or some sort of extended identification before the user is let in.

Just curious, what would that check look like that's not open to the same vuln?


For example a call to the registered owner or contact person of the organizaton (not the user).

Any out-of-band communication should work which checks for the legal entity, not just something that eventually relies on DNS.

Alternatively, you can always just not let them access the old user, and create a new one instead.


"Your account seems to have changed hands and is locked for your security.

The person paying for your subscription must contact us to verify your account is still legit."


Right, and how would you further verify “the person paying for your subscription”?


Payment info




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: