Comment by herczegzsolt

Comment by herczegzsolt 4 days ago

View on Hacker News

In my opponion, all of those cases very well justify a manual check, or some sort of extended identification before the user is let in.

It indicates a deeper cultural issue of "convenience/profit over security" if those are sufficient reasons to not check the sub parameter.

chavesn 4 days ago

> all of those cases very well justify a manual check, or some sort of extended identification before the user is let in.

Just curious, what would that check look like that's not open to the same vuln?

Reply View 4 replies

herczegzsolt 4 days ago

For example a call to the registered owner or contact person of the organizaton (not the user).
Any out-of-band communication should work which checks for the legal entity, not just something that eventually relies on DNS.
Alternatively, you can always just not let them access the old user, and create a new one instead.

Reply View | 0 replies
ycombinatrix 4 days ago

"Your account seems to have changed hands and is locked for your security.
The person paying for your subscription must contact us to verify your account is still legit."

Reply View | 2 replies
- chavesn 4 days ago
  
  Right, and how would you further verify “the person paying for your subscription”?
  
  Reply View | 1 reply
  
  ycombinatrix 4 days ago
  
  Payment info
  
  Reply View | 0 replies