@lasserafn chrome extension could mitm sites using access URLs via webRequest API and then the only way to get the cookies yourself is to use Wireshark or Charles w/ trusted self signed cert, but yeah not 100% solution. The 100% solution is probably a proxy, which has other issues (streaming netflix through a proxy is bad)
Report
@lasserafn@yefim That's right - it is an easy to use tool but you cannot call it secure. Also if the web app you login allows this it is a high chance that it is open to cross site scripting and csrf attacks. Still good job! Looks like you turn a trivial hacking method to something enjoyable, at least for some folks ;)
Report
@fuater@lasserafn@yefim as long as we send it to non-techies I wouldn't see it as a big problem . A really cool idea!
Report
This is a good idea but should work P2P and not hosted on your website. you're making yourself a goldmine of accounts for hackers. I think there are better ways to implement it without going through your server.
@danr_4 I'd love to find a way to make it work P2P. Fortunately, all session cookies are encrypted before reaching the server and the server never gets sent the password (not even in the logs). That means if someone did manage to get access to the database, all they'd get is a bunch of encrypted data without a way to use it. It also doesn't keep emails or any other personally identifiable information. It'd be really hard for a hacker to do anything at all with the data (or me, even)
Report
@jarredsumner you're right. it's a good implementation, but still vulnerable to brute force attacks. I'd use a longer password (26+ chars) as it won't hurt the UX but it will immensely help against brute force attacks. But wait a second, how do you know which password is for which cookie when the only data you are passing (through the url) is the password? You can also use WebRTC to send text messages, and instead of the password being an encryption key, it could be a user identifier, and your servers sends the users details to each of the peers to create the WebRTC connections.
@danr_4 yeah I may increase the length of the password later.
It passes an ID of the session too -- and that is what gets read in from the server to know which encrypted cookie the client should receive. That ID is just a random string though (not the password)
Another thing is that these are session cookies, which often expire -- and the access URLs by default expire too. These things make it additionally more challenging from a security perspective for an attacker to make any use of this
@danr_4 webrtc is a good idea
The challenge there if I remember correctly how it works, is that then both browsers have to keep the page open for the other user to get access. That's a worse UX :(
Report
@jarredsumner yeah but you just need to open a connection to pass the cookie as a (possibly encrypted) text message, then you can close it. so your extension launches a local web page (or even embedded in the extension window itself), you enter the user identifier, wait for a connection from the initiator, pass the cookie, and there you have it.
Just a suggestion. But this is really great, I often find myself in a situation where I need to give someone access to a sensitive site for a short time. Will use this.
EDIT: saw it takes a screenshot of the page I'm sharing. that's a bit creepy. I don't see me using it without an option to NOT take screenshots. instead there could at least be an option to have your server screenshot the homepage instead of capturing the page I'm on.
Report
v. elegant solution & solid product history under @jarredsumner's belt
give this man lots of twitter follows+money
@jarredsumner did you ever meet that other thiel fellow 'kid' who was working on next-gen holograph/hologram stuff? i helped judge some thiel event in SF and it seemed likely he would get swept up by In-Q-Tel (💰💰💰)
@codeslayer1 I want to do that but I built this in 1.5 days so I didn't really have the time to add that in yet. I made it so the Access URLs themselves expire by default within a week though.
Valentine Roulette
Covy
Covy
Covy
Covy
Covy
Covy
Covy
Covy
Api to bot
Covy
Cursor
Covy
Relcy
Covy
PokeSocial
Covy
PokeSocial
Covy