Comment by placardloop 4 days ago
If a security mechanism doesn’t account for failure cases, it’s a failure of the security mechanism.
It’s a hard problem to solve and I don’t have a solution, but it’s a core goal of every security tool to account for edge cases and failure cases like this. If you tell me that OAuth is completely insecure due to a security issue, it’s not going to make me feel any better if you say “but it’s totally not OAuth’s fault” - I don’t care whose fault or scope it is, the end result of a security issue is the same, and to avoid it I’m just not going to use OAuth.
So you use email/pass and the password-reset email dumps right to the new party as well, because they control the MX records for the domain?
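The failure mode in the reply above, as an added example that is not code from either commenter: a password-reset token is sent to whatever hosts currently hold the recipient domain's MX records, so when a domain changes hands the reset lands with the new owner. The example contrasts that naive flow with a guard that records a fingerprint of the domain's MX set when the address was verified and demands an alternate factor if it has changed. The dictionary standing in for DNS, the `.example` hostnames, and the `Account`/`enroll`/`guarded_reset` names are all constructed for this illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass

# `dns` is a constructed stand-in for a DNS resolver: domain -> list of MX
# hostnames. Tests mutate it to model the domain being re-registered.
# Production code would query MX records and handle resolver failures.


def domain_of(email: str) -> str:
    """Lower-cased domain part of an address (assumes one '@')."""
    return email.rsplit("@", 1)[1].lower()


def mx_fingerprint(domain: str, dns: dict) -> str:
    """Hash the normalized MX set so a change in mail routing is detectable."""
    hosts = sorted(h.lower().rstrip(".") for h in dns.get(domain.lower(), []))
    return hashlib.sha256("\n".join(hosts).encode()).hexdigest()


@dataclass
class Account:
    email: str
    mx_at_enrollment: str  # fingerprint captured when the address was verified


def enroll(email: str, dns: dict) -> Account:
    """Verify-time snapshot: remember who handled mail for this domain then."""
    return Account(email, mx_fingerprint(domain_of(email), dns))


def deliver(domain: str, dns: dict) -> str:
    """Who receives mail for the domain right now: its first MX host."""
    hosts = dns.get(domain)
    return sorted(hosts)[0] if hosts else "undeliverable"


def naive_reset(acct: Account, dns: dict) -> dict:
    """The flow the reply describes: the token goes wherever MX points today,
    including to a new registrant of the domain."""
    token = secrets.token_urlsafe(32)
    return {
        "channel": "email",
        "delivered_to": deliver(domain_of(acct.email), dns),
        "token": token,
    }


def guarded_reset(acct: Account, dns: dict) -> dict:
    """Refuse to trust the mailbox alone if the domain's MX set has changed
    since enrollment; the caller must fall back to another verified factor."""
    domain = domain_of(acct.email)
    if mx_fingerprint(domain, dns) != acct.mx_at_enrollment:
        return {"channel": "alternate_factor_required", "reason": "mx_changed"}
    token = secrets.token_urlsafe(32)
    return {"channel": "email", "delivered_to": deliver(domain, dns), "token": token}


if __name__ == "__main__":
    # Constructed scenario: alice enrolls, then the domain lapses and is
    # re-registered by someone who points MX at their own server.
    dns = {"example.com": ["mx1.example.com"]}
    alice = enroll("alice@example.com", dns)
    dns["example.com"] = ["mx.attacker.example"]
    print("naive  :", naive_reset(alice, dns)["delivered_to"])
    print("guarded:", guarded_reset(alice, dns)["channel"])
```

Two caveats a practitioner should keep in mind. MX records change for legitimate reasons (migrating mail providers), so a mismatch should trigger a step-up to another factor rather than a hard lockout. And the check only sees routing changes: if the old and new domain owners both use the same hosted mail provider, the MX set can be identical while the mailbox behind it belongs to someone else, so this is a partial mitigation, not a fix for relying on an email address as a long-lived identifier.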