Hacker News new | past | comments | ask | show | jobs | submit login

I was looking for login cookies, not fnids. Fnids are worthless since there's already code that checks that the user who called the closure is the same as the user for whom it was created.



My mistake. So you can get a valid login, but you can't know whom you'll be login in as, that is without doing some social engineering like with the irc example. Impressive hack.


i think if you get a valid login cookie, and use it, it will tell you what account you have in the top right.


Well obviously, but you couldn't do a brute force attack like this to a specific account.


I believe the implication is that you'd have a sessionid. Effectively, the username and password rolled into one unique number, stored in the cookie.


I think by 'specific account' he means 'chosen account', in which case he'd be correct without more targeted social engineering.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: