Comment by toddmorey

6 days ago

"The vulnerability we discovered was remarkably simple to exploit - by providing only a non-secret app_id value to undocumented registration and email verification endpoints." So you could sign yourself up as editor / collaborator on any app once you knew the app's ID.

Jeez, that's sloppy. My colleague in 2000 discovered you could browse any account on his bank's website by just changing the (sequential!) account IDs in the URL. In a lot of ways we've made great strides in security over the last 25 years... and in many ways, we haven't.

Prepare for a whole new era of steps back when everyone is a “prompt engineer”.

  • How nice to know they will be implementing the mandatory age verification systems for this new generation of the internet!

  • At least they're costly mistakes that a new generation of decision makers will hopefully learn from.
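The two failures described in this thread (a record fetched by whatever account ID the client put in the URL, and an `admin=true` cookie the client controls) side by side with the server-side checks that close them. This is an added illustration with constructed sample accounts and sessions, not code from any of the systems the commenters mention.

```python
from dataclasses import dataclass, field

# Constructed sample data standing in for a real account store and session table.
ACCOUNTS = {1001: {"owner": "alice", "balance": 250}, 1002: {"owner": "bob", "balance": 900}}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}  # opaque session token -> user
ADMINS = {"carol"}  # privilege is a server-side attribute of the identity, not a cookie

@dataclass
class Request:
    path_account_id: int                      # the ID taken from the URL, e.g. /accounts/1001
    cookies: dict = field(default_factory=dict)

def view_account_vulnerable(req: Request):
    # The 2000-era bank bug: any ID the client supplies is served. Sequential IDs
    # make enumeration trivial, but the real defect is the missing ownership check.
    acct = ACCOUNTS.get(req.path_account_id)
    return (200, acct) if acct else (404, None)

def view_account_hardened(req: Request):
    # Identity comes from the session, never from the URL; then the object is checked
    # against that identity. Unauthenticated and not-owned both answer 404 so an
    # attacker cannot use the status code to confirm which IDs exist.
    user = SESSIONS.get(req.cookies.get("session"))
    acct = ACCOUNTS.get(req.path_account_id)
    if user is None or acct is None or acct["owner"] != user:
        return (404, None)
    return (200, acct)

def is_admin_vulnerable(req: Request) -> bool:
    # The reported admin=true cookie bypass: the client asserts its own privilege.
    return req.cookies.get("admin") == "true"

def is_admin_hardened(req: Request) -> bool:
    # Resolve the authenticated user first, then look privilege up server-side.
    user = SESSIONS.get(req.cookies.get("session"))
    return user is not None and user in ADMINS

if __name__ == "__main__":
    bob_reads_alice = Request(1001, {"session": "sess-bob"})
    print(view_account_vulnerable(bob_reads_alice))   # leaks alice's balance
    print(view_account_hardened(bob_reads_alice))     # (404, None)
    forged = Request(1001, {"admin": "true"})
    print(is_admin_vulnerable(forged), is_admin_hardened(forged))  # True False
```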

20 years ago the school class enrollment website allowed just that: by changing account IDs in the URL, we were bypassing the priority enrollment. I had fun adding my friends and me to classes we wanted.

  • I took a slightly different approach and simply wrote a script that checked availability every minute, and then sent me a text message alert when a seat opened up.

    (Upperclassmen often switched their schedules around after the priority enrollment deadline ended)

    Not as bulletproof as your approach!

  • Incredible, my university class reg system had unsanitized input for the class search field, so if you knew the SQL you could find exactly how full a class was and dump the whole table of classes without needing to wait for your reg to open.

    And pretty sure you could insert your student ID into the class that way too :)

    • Heck, you could probably just kick people out of the class that you didn't want to take it with.

I reported a security vulnerability yesterday, which amounts to an admin=true cookie bypass.

Have we really made "progress"? Even in 2000 I doubt people were allowed to walk into a bank and look at everyone's account details.

  • Well we have because that vulnerability in websites is formally recognized in OWASP and has been fairly well eradicated since then.

  • ...How long did it take a transfer to settle in the 2000s?

    • Well…

      Cash was and is still instant.

      When doing transactions large enough to make cash cumbersome, the slowness is a feature, not a bug. We would want multiple reviews and time before it settled.

      The value of a $100 bill was much higher in 2000 and in 1969, when it became the highest denomination in circulation, so you could transact much higher value with a “wad of cash” than today.

      Before 1969 we had bills up to $10,000 for a reason: they served like a credit note/T-Bill from the government, and they were no longer needed after banking became robust enough for cheques/P-Notes etc. to replace them.

      Paper cash, or gold/silver coins before it, are well-understood, solved problems, with thousands of years of experiments on size, security, seigniorage and so on.

    • Wires have been fast, during banking hours, for a long time. Expensive, though.