Hacker News new | past | comments | ask | show | jobs | submit login

>"Nonetheless, online brute force would still be manageable. If each page view produces an average of 50 candidates, and one in every thousand page views is a login (this might be slightly optimistic), that's 50,000 attempts necessary in order to find a working login. HN gets about 500,000 hits on a busy day, so this could be done in a day or two while likely staying under the radar."

You would have a fnid that is in the cookie hash table, yet you still would not know to which username it is mapped to, correct?




I was looking for login cookies, not fnids. Fnids are worthless since there's already code that checks that the user who called the closure is the same as the user for whom it was created.


My mistake. So you can get a valid login, but you can't know whom you'll be login in as, that is without doing some social engineering like with the irc example. Impressive hack.


i think if you get a valid login cookie, and use it, it will tell you what account you have in the top right.


Well obviously, but you couldn't do a brute force attack like this to a specific account.


I believe the implication is that you'd have a sessionid. Effectively, the username and password rolled into one unique number, stored in the cookie.


I think by 'specific account' he means 'chosen account', in which case he'd be correct without more targeted social engineering.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: