AccessURL

Share access to accounts without sending a username/password

Featured

Discussion

most upvoted
Yefim Vedernikoff — Full Stack Engineer, Raise.me
Finally a useful Chrome extension! ;)

Missing one small feature:

M
@yefim I should build that!!
Lasse Rafn — Apricot
@yefim this is likely to be impossible (at least 100%) sure the link can expire but nothing prevents the receiver from saving the cookies for later :/
M
@lasserafn chrome extension could mitm sites using access URLs via webRequest API and then the only way to get the cookies yourself is to use Wireshark or Charles w/ trusted self signed cert, but yeah not 100% solution. The 100% solution is probably a proxy, which has other issues (streaming netflix through a proxy is bad)
@lasserafn @yefim That's right - it is an easy to use tool but you cannot call it secure. Also if the web app you login allows this it is a high chance that it is open to cross site scripting and csrf attacks. Still good job! Looks like you turn a trivial hacking method to something enjoyable, at least for some folks ;)
Ferit T. — Frontend Techie
@fuater @lasserafn @yefim as long as we send it to non-techies I wouldn't see it as a big problem . A really cool idea!
@jarredsumner the better is proxy with VPN, to be more secured?
Michael Mroz — Software Engineer, Atlassian
@fokusman @fuater @lasserafn @yefim That doesn't really sit well with me. This is security software. Any feature that obscures the degree to which you have control is not a feature that should be implemented, imo.
Austin Heap — Magical Unicorn
@mroz_io @fokusman @fuater @lasserafn @yefim This product creates a security vulnerability for users where one didn't previous exist. It seems absurdly irresponsible to market it without such a warning.
Ben Tossell — Community Lead, Product Hunt
This is pretty sweeeeet
Ben Tossell — Community Lead, Product Hunt
@jarredsumner Can you tell us about how it works technically?
M
@bentossell Sure!

Websites use cookies to keep you logged in across pages. This just takes the cookies used by the current domain, generates a random password, encrypts those cookies with that random password, and then sends the encrypted cookies without the password off to the server.

Then, when another user goes to your access URL, the chrome extension takes the password from the URL (which is what shows up in the #), it decrypts the cookies, and then adds them to Chrome's cookie jar.

It'd be way easier honestly to just store all the cookies on the server without this encryption, but a product like this is dangerous without a lot of thought put into security. It's worth the extra effort on my part to do right by users.
Ben Tossell — Community Lead, Product Hunt
@jarredsumner yeah definitely and I think lots of people will appreciate that. I was asking because of the cookies and security concerns to be honest. Thanks!
oty — @oneTapVote | working on smthg new 🤐
@jarredsumner @bentossell Very intresting tool ! im just shocked being conscious of the value of our cookies, and the fact it can be used for Login case .. thanks for your clear explanation !
M
@otymix you're welcome! Let me know if you have any questions or feedback on AccessURL
Mike Desjardins — Made https://www.remotelyawesomejobs.com
@jarredsumner that is damned clever. So it's kinda sorta like shared secure side-jacking but used for good.
Sergio Flores — Software Developer
@jarredsumner this is pretty cool.
sam hefnawy — Country Manager, Visionary Strategist
@jarredsumner @bentossell how to make sure the security is okay? what you may be able to do then?
Commenting is limited to those invited by others in the community.
Login to continue.