b3ta.com qotw
This is a question Off Topic

Are you a QOTWer? Do you want to start a thread that isn't a direct answer to the current QOTW? Then this place, gentle poster, is your friend.

(, Sun 1 Apr 2001, 1:00)
You know the TFL Oyster website? RIDICULOUSLY INSECURE.

(, Wed 23 Nov 2011, 14:18, 1 reply, 14 years ago)
Why for so?

(, Wed 23 Nov 2011, 14:18, Reply)
You just need a username and someone's postcode to reset their password; you don't even need access to their email.
Getting someone's postcode, as in a real person you know, is really easy. Someone's username generally matches up at some point with all their social networks/logins; in fact, it's publicly given as standard.

If you actually knew someone, that information is easy. You can then reset their password, which would (or should) log them out of every site that uses the Oyster API. Granted, it'll be an annoyance rather than a way of getting any information, but add that to the fact that their email address comes through as 'spam' according to GoogleMail (and probably other services too), and it could really piss someone off.

If you do have access to someone's email, like an admin at work, the odds are you'll know their postcode too. If that email is attached to their Oyster card, then you can get full details. But I guess that's true of most logins.
(, Wed 23 Nov 2011, 14:25, Reply)
If, as they planned to do this year, and probably will implement by 2012, you'll be able to use that to make purchases too.

(, Wed 23 Nov 2011, 14:26, Reply)
Gonz
If you know someone's username for fucking ANYTHING you can reset their password. It sends a new password to their email address.

a) How are you going to make that any more secure without then ending up with a system where someone who legitimately forgets their password then can't reset it and

b) Why on earth would you want to reset someone else's password? It's the most pointless thing to do for absolutely no gain at all.
(, Wed 23 Nov 2011, 14:33, Reply)
No, that's not true. It should send a link to their email address that they can click on and _then_ let them type in a password to reset that doesn't get sent to their email address.
Nobody without access should ever be able to change a single detail in a user's database. Nothing at all.
(, Wed 23 Nov 2011, 14:40, Reply)
That link creates a hash that is only valid for a few hours at most and expires on first use.

(, Wed 23 Nov 2011, 14:42, Reply)
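The link-based reset flow the last two posts describe (a single-use secret in the emailed link, short expiry, password chosen by the user afterwards), as an added example that is not from this thread and not TfL's code. It assumes a hypothetical in-memory store and a toy password hash; a real service would use a database and a slow password hash such as bcrypt or Argon2.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Tuple

# Constructed setting: tokens stay valid for a couple of hours at most.
RESET_TTL_SECONDS = 2 * 3600


class PasswordResetService:
    """Hypothetical reset service: a link secret proves control of the mailbox.

    Nothing about the account changes until the secret is presented, so an
    attacker who only knows a username (or a postcode) cannot lock anyone out
    or be sent a new password; the old password stays valid until then.
    """

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        # token_hash -> (username, expires_at); only the hash is stored, so a
        # leaked table cannot be replayed as live links.
        self._pending: Dict[str, Tuple[str, float]] = {}
        self.passwords: Dict[str, str] = {}  # username -> toy password hash

    @staticmethod
    def _token_hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, username: str) -> str:
        """Return the secret that goes into the emailed link (256-bit random)."""
        token = secrets.token_urlsafe(32)
        expires_at = self._now() + RESET_TTL_SECONDS
        self._pending[self._token_hash(token)] = (username, expires_at)
        return token

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Consume the link secret: accepted once, and only before expiry."""
        entry = self._pending.pop(self._token_hash(token), None)  # single use
        if entry is None:
            return False
        username, expires_at = entry
        if self._now() > expires_at:
            return False
        # Toy hash for the demo; use bcrypt/Argon2 with a salt in production.
        self.passwords[username] = hashlib.sha256(new_password.encode()).hexdigest()
        return True
```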