AccessURL

Share access to accounts without sending a username/password

Chrome ExtensionGolden Kitty 2016
+3
Around the web

Reviews

95915
1168736
1220118
 +1 review

Discussion

You need to become a Contributor to join the discussion - Find out how.
3380
Yefim VedernikoffHiring@yefim · Full Stack Engineer, RaiseMe
Finally a useful Chrome extension! ;) Missing one small feature:
44366
Jarred SumnerMaker@jarredsumner
@yefim I should build that!!
1036295
Lasse Rafn@lasserafn · Developer and creator
@yefim this is likely to be impossible (at least 100%) sure the link can expire but nothing prevents the receiver from saving the cookies for later :/
44366
Jarred SumnerMaker@jarredsumner
@lasserafn chrome extension could mitm sites using access URLs via webRequest API and then the only way to get the cookies yourself is to use Wireshark or Charles w/ trusted self signed cert, but yeah not 100% solution. The 100% solution is probably a proxy, which has other issues (streaming netflix through a proxy is bad)
@lasserafn @yefim That's right - it is an easy to use tool but you cannot call it secure. Also if the web app you login allows this it is a high chance that it is open to cross site scripting and csrf attacks. Still good job! Looks like you turn a trivial hacking method to something enjoyable, at least for some folks ;)
83770
Ferit T.@fokusman · Frontend Techie
@fuater @lasserafn @yefim as long as we send it to non-techies I wouldn't see it as a big problem . A really cool idea!
72708
Ben Tossell@bentossell · newCo
This is pretty sweeeeet
44366
Jarred SumnerMaker@jarredsumner
@bentossell Thanks!
72708
Ben Tossell@bentossell · newCo
@jarredsumner Can you tell us about how it works technically?
44366
Jarred SumnerMaker@jarredsumner
@bentossell Sure! Websites use cookies to keep you logged in across pages. This just takes the cookies used by the current domain, generates a random password, encrypts those cookies with that random password, and then sends the encrypted cookies without the password off to the server. Then, when another user goes to your access URL, the chrome extension takes the password from the URL (which is what shows up in the #), it decrypts the cookies, and then adds them to Chrome's cookie jar. It'd be way easier honestly to just store all the cookies on the server without this encryption, but a product like this is dangerous without a lot of thought put into security. It's worth the extra effort on my part to do right by users.
72708
Ben Tossell@bentossell · newCo
@jarredsumner yeah definitely and I think lots of people will appreciate that. I was asking because of the cookies and security concerns to be honest. Thanks!
19242
oty@otymix · @oneTapVote | working on smthg new 🤐
@jarredsumner @bentossell Very intresting tool ! im just shocked being conscious of the value of our cookies, and the fact it can be used for Login case .. thanks for your clear explanation !
69172
David/Ryal/Pug@davidryalpug
v. elegant solution & solid product history under @jarredsumner's belt give this man lots of twitter follows+money
44366
Jarred SumnerMaker@jarredsumner
@davidryalpug 💰💰💰
69172
David/Ryal/Pug@davidryalpug
@jarredsumner did you ever meet that other thiel fellow 'kid' who was working on next-gen holograph/hologram stuff? i helped judge some thiel event in SF and it seemed likely he would get swept up by In-Q-Tel (💰💰💰)
43988
Yan Lhert@yanismydj · CTO Zen99
@davidryalpug @jarredsumner is the man! +1+1+1
151
Hunter Owens@owens · PM at TVF
Oooh, this is awesome
44366
Jarred SumnerMaker@jarredsumner
@owens Thanks Hunter!
962
Jack Smith@_jacksmith · Serial Entrepreneur & Startup Adviser
looks like a great idea, built on some solid technology
44366
Jarred SumnerMaker@jarredsumner
@_jacksmith Thanks Jack!