Comment by placardloop
4 days ago
If a security mechanism doesn’t account for failure cases, it’s a failure of the security mechanism.
It’s a hard problem to solve and I don’t have a solution, but it’s a core goal of every security tool to account for edge cases and failure cases like this. If you tell me that OAuth is completely insecure due to a security issue, it’s not going to make me feel any better if you say “but it’s totally not OAuth’s fault” - I don’t care whose fault or scope it is, the end result of a security issue is the same, and to avoid it I’m just not going to use OAuth.
So you use email/pass and the reset password email dumps right to the new party as well, because they control the MX records for the domain?
That's why allowing account recovery using (exclusively) email is indeed a security problem.
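As an added illustration of the point made in the replies above (this is example code, not something posted in the thread or taken from any particular product): a recovery flow that refuses to rely on email alone once the mailbox domain's MX set no longer matches what was recorded when the address was verified. The fingerprinting of MX hosts, the `Account` structure, the recovery-code scheme and the helper names are all assumptions made for this example; the actual DNS lookup is left out, so the current MX hosts are passed in by the caller.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def fingerprint_mx(mx_hosts):
    """Stable fingerprint of a domain's MX host set.

    Hostnames are lower-cased, trailing dots stripped and the set sorted, so
    record order and casing returned by DNS do not change the fingerprint.
    """
    normalized = sorted(h.strip().lower().rstrip(".") for h in mx_hosts)
    return hashlib.sha256("\n".join(normalized).encode()).hexdigest()


def hash_recovery_code(code):
    # Recovery codes are stored hashed, like passwords; only the user holds the plaintext.
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()


@dataclass
class Account:
    email: str
    mx_fingerprint: str                       # MX set observed when the address was verified
    recovery_code_hashes: set = field(default_factory=set)


def enroll(email, mx_hosts, n_codes=4):
    """Create an account, pin the current MX set and hand out one-time recovery codes.

    Returns the account and the plaintext codes (shown to the user once).
    """
    codes = [secrets.token_hex(8) for _ in range(n_codes)]
    acct = Account(email, fingerprint_mx(mx_hosts),
                   {hash_recovery_code(c) for c in codes})
    return acct, codes


def consume_recovery_code(acct, code):
    """Burn a recovery code if it is valid. Constant-time compare per stored hash."""
    candidate = hash_recovery_code(code)
    for stored in list(acct.recovery_code_hashes):
        if hmac.compare_digest(stored, candidate):
            acct.recovery_code_hashes.remove(stored)
            return True
    return False


def recovery_decision(acct, current_mx_hosts, recovery_code=None):
    """Decide which recovery path the account may take.

    'email'         MX set is unchanged since verification; mailing a reset
                    token to the address is acceptable.
    'recovery_code' MX set changed (the domain may have changed hands), so
                    nothing is mailed; a valid one-time recovery code was
                    supplied and the user must now verify a new address.
    'denied'        MX set changed and no valid recovery code was given.
    """
    if fingerprint_mx(current_mx_hosts) == acct.mx_fingerprint:
        return "email"
    if recovery_code is not None and consume_recovery_code(acct, recovery_code):
        return "recovery_code"
    return "denied"


if __name__ == "__main__":
    # Constructed sample: an account enrolled while example.org used two MX hosts.
    acct, codes = enroll("alice@example.org", ["mx1.example.org.", "MX2.example.org"])
    print(recovery_decision(acct, ["mx2.example.org", "mx1.example.org"]))   # email
    print(recovery_decision(acct, ["mail.newowner.example"]))                 # denied
    print(recovery_decision(acct, ["mail.newowner.example"], codes[0]))       # recovery_code
```

Two caveats a practitioner would want to note: MX records also change for benign reasons (a mail provider migration), so this check produces false positives and the recovery-code path has to be usable enough that those users are not simply locked out; and pinning the MX set only detects a change of mail operator, not a mailbox that was re-issued to a new user at the same provider, which is why the emailed token is treated as one factor rather than the whole recovery mechanism.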