My mom uses this certain website to send out birthday cards to her grandkids. She writes a silly poem, puts in a bunch of pictures, the site prints it up and mails it. Nice card. Cheaper than Hallmark. All that to say that this is a sophisticated and pretty well designed web site; they have developers who know their stuff.
Today, she wanted to show someone a card she was working on. So she clicks the share button on her iPad. She doesn't know this is a Safari thing and not a website thing. Safari texts her friend a URL. Basically this:
https://app.---redacted---.com/not-a-real-url?access_token=blahblahblah-youknowwhatitlookslike
They get her text message, click it and, bam 🤯, complete and total access to her entire account. Want to send a card? Sure! Send a thousand cards? Why not. Change her email and password? Go right ahead. We won't even email you to tell you we did any of that stuff!
She finally asks me for help and I have her log out, change her password. Nothing expires the access token. No idea when (or if!) the token is set to expire. No person support until Monday.
Luckily, she didn't post the link to Facebook, only texted it to a friend she trusts.
Look, I'm mostly a front-end designer. Small time stuff, TBH. I leave authentication to people and services who know what they're doing. But I'm not wrong here, am I? This isn't something everyone does and it only seems like a bad idea to me?
What do you even do when you see this kind of thing?
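As an added illustration (this is example code, not the card site's own backend), here is the server-side bookkeeping that would have limited the damage described above: tokens that expire after a bounded lifetime, a logout or password change that revokes every token the account has, and a helper that strips credential-bearing query parameters out of a URL before it is logged or handed to a share sheet. The class and function names, the `TOKEN_LIFETIME_SECONDS` value and the list of sensitive query keys are all assumptions for the example.

```python
"""Added example (not the site's code): bearer-token handling that makes a
leaked ?access_token=... URL far less dangerous.

Properties the post says the site lacked:
  1. tokens expire after a bounded lifetime;
  2. logging out or changing the password revokes every token for the account.
Also shown: scrubbing tokens out of URLs so the secret never lands in a text.
Names and the 30-minute lifetime are assumptions made for this example.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_LIFETIME_SECONDS = 30 * 60  # assumed; short-lived tokens are the point


@dataclass
class TokenRecord:
    user_id: str
    expires_at: float
    # Account "generation" at issue time. Bumping the generation on logout or
    # password change makes every previously issued token fail validation.
    generation: int


class TokenStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._tokens: Dict[str, TokenRecord] = {}   # token -> record
        self._generation: Dict[str, int] = {}       # user_id -> current generation
        self._clock = clock                         # injectable for testing

    def issue(self, user_id: str) -> str:
        """Mint a random, unguessable token tied to the user's current generation."""
        token = secrets.token_urlsafe(32)
        gen = self._generation.setdefault(user_id, 0)
        self._tokens[token] = TokenRecord(user_id, self._clock() + TOKEN_LIFETIME_SECONDS, gen)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user_id if the token is live, else None."""
        rec = self._tokens.get(token)
        if rec is None:
            return None
        if self._clock() >= rec.expires_at:
            self._tokens.pop(token, None)           # expired: forget it
            return None
        if rec.generation != self._generation.get(rec.user_id, 0):
            self._tokens.pop(token, None)           # revoked by logout / password change
            return None
        return rec.user_id

    def revoke_all(self, user_id: str) -> None:
        """Call this on logout and on any password or email change."""
        self._generation[user_id] = self._generation.get(user_id, 0) + 1


# Query parameter names treated as credentials (assumed list for the example).
SENSITIVE_QUERY_KEYS = {"access_token", "token", "session", "auth"}


def scrub_url(url: str) -> str:
    """Drop credential-bearing query parameters so the URL is safe to log or share."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SENSITIVE_QUERY_KEYS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    store = TokenStore()
    tok = store.issue("grandma")
    print("valid before logout:", store.validate(tok) == "grandma")
    store.revoke_all("grandma")                     # what "log out" should do
    print("valid after logout: ", store.validate(tok) is not None)
    # Constructed sample URL modelled on the redacted one in the post.
    print(scrub_url("https://app.example.com/card/42?access_token=SECRET&card=42"))
```

The generation counter avoids having to enumerate and delete every token a user holds; a single increment invalidates all of them at once, which is exactly the behaviour the post found missing after logout and the password change.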