Share access to accounts without sending a username/password

Chrome ExtensionGolden Kitty 2016
Around the web


 +1 review


You need to become a Contributor to join the discussion - Find out how.
Yefim VedernikoffHiring@yefim · Full Stack Engineer, RaiseMe
Finally a useful Chrome extension! ;) Missing one small feature:
Jarred SumnerMaker@jarredsumner
@yefim I should build that!!
Lasse Rafn@lasserafn · Developer and creator
@yefim this is likely to be impossible (at least 100%) sure the link can expire but nothing prevents the receiver from saving the cookies for later :/
Jarred SumnerMaker@jarredsumner
@lasserafn chrome extension could mitm sites using access URLs via webRequest API and then the only way to get the cookies yourself is to use Wireshark or Charles w/ trusted self signed cert, but yeah not 100% solution. The 100% solution is probably a proxy, which has other issues (streaming netflix through a proxy is bad)
@lasserafn @yefim That's right - it is an easy to use tool but you cannot call it secure. Also if the web app you login allows this it is a high chance that it is open to cross site scripting and csrf attacks. Still good job! Looks like you turn a trivial hacking method to something enjoyable, at least for some folks ;)
Ferit T.@fokusman · Frontend Techie
@fuater @lasserafn @yefim as long as we send it to non-techies I wouldn't see it as a big problem . A really cool idea!
Ben Tossell@bentossell · newCo
This is pretty sweeeeet
Jarred SumnerMaker@jarredsumner
@bentossell Thanks!
Ben Tossell@bentossell · newCo
@jarredsumner Can you tell us about how it works technically?
Jarred SumnerMaker@jarredsumner
@bentossell Sure! Websites use cookies to keep you logged in across pages. This just takes the cookies used by the current domain, generates a random password, encrypts those cookies with that random password, and then sends the encrypted cookies without the password off to the server. Then, when another user goes to your access URL, the chrome extension takes the password from the URL (which is what shows up in the #), it decrypts the cookies, and then adds them to Chrome's cookie jar. It'd be way easier honestly to just store all the cookies on the server without this encryption, but a product like this is dangerous without a lot of thought put into security. It's worth the extra effort on my part to do right by users.
Ben Tossell@bentossell · newCo
@jarredsumner yeah definitely and I think lots of people will appreciate that. I was asking because of the cookies and security concerns to be honest. Thanks!
oty@otymix · @oneTapVote | working on smthg new 🤐
@jarredsumner @bentossell Very intresting tool ! im just shocked being conscious of the value of our cookies, and the fact it can be used for Login case .. thanks for your clear explanation !
v. elegant solution & solid product history under @jarredsumner's belt give this man lots of twitter follows+money
Jarred SumnerMaker@jarredsumner
@davidryalpug 💰💰💰
@jarredsumner did you ever meet that other thiel fellow 'kid' who was working on next-gen holograph/hologram stuff? i helped judge some thiel event in SF and it seemed likely he would get swept up by In-Q-Tel (💰💰💰)
Yan Lhert@yanismydj · CTO Zen99
@davidryalpug @jarredsumner is the man! +1+1+1
Hunter Owens@owens · PM at TVF
Oooh, this is awesome
Jarred SumnerMaker@jarredsumner
@owens Thanks Hunter!
Jack Smith@_jacksmith · Serial Entrepreneur & Startup Adviser
looks like a great idea, built on some solid technology
Jarred SumnerMaker@jarredsumner
@_jacksmith Thanks Jack!