Hacker News

One thing to add, if I may: it's super-stupid but super-common, and maybe not 100% applicable here?

If you have invoice, account or statement pages/APIs.

Please make sure ONLY the real user or admin can see the data.

Example:

  myfintech.co/accounts/?invoice=123

  myfintech.co/accounts/statement/?user=456

I've seen this COUNTLESS times with big and small companies. It's my favorite thing to do when signing up for a new service: see if I can wiggle-waggle the account statements.

Like I said, it's a really simple thing, and maybe most HN readers are "above these sorts of errors", but I see it a few times a year, with just the services I use.

Also a good little tip (again, I might be preaching to the wrong crowd) is to use some form of non-deterministic ID scheme for accounts, statements and of course user IDs.

UUIDs are great for this. If for some reason you do have a gap in your system and your IDs are deterministic, the bad actor can just enumerate ALL accounts and users.

Sorry if I'm insulting the "average HN reader" with these "simple and obvious mistakes", but like I said, I see this A LOT. YMMV
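As an added example (not part of the comment above, and not any real service's code), here is the bug the commenter describes and the fix, in Python: a statement endpoint that trusts a client-supplied ID, the same endpoint with an ownership check, an attacker routine that walks sequential IDs against both, and a UUIDv4 ID generator for the second tip. The in-memory "database", the user and statement IDs and all function names are constructed for illustration.

```python
"""Added example (not from the HN comment): an IDOR on a statement endpoint,
the ownership check that closes it, and sequential vs random IDs.

Everything here is constructed for illustration: the in-memory "database",
the user IDs, and the helper names are assumptions, not a real service."""
import uuid
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class User:
    user_id: str
    is_admin: bool = False


@dataclass
class Statement:
    statement_id: str
    owner_id: str
    balance: str


class NotFound(Exception):
    """Raised both for 'does not exist' and 'not yours', so the response
    does not confirm that a guessed ID exists."""


# Constructed sample data. Sequential IDs mimic the ?user=456 style above.
USERS: Dict[str, User] = {
    "100": User("100"),
    "101": User("101"),
    "1": User("1", is_admin=True),
}
STATEMENTS: Dict[str, Statement] = {
    "1": Statement("1", owner_id="100", balance="1,200.00"),
    "2": Statement("2", owner_id="101", balance="98,000.00"),
}


def get_statement_insecure(db: Dict[str, Statement], caller: User,
                           statement_id: str) -> Statement:
    """The bug: the caller is authenticated, but the client-supplied ID is
    trusted as-is. Any logged-in user can read any statement."""
    if statement_id not in db:
        raise NotFound()
    return db[statement_id]


def get_statement_secure(db: Dict[str, Statement], caller: User,
                         statement_id: str) -> Statement:
    """Fix: look the record up, then verify it belongs to the caller (or that
    the caller is an admin). Anything else is the same 404 as a missing
    record, so an attacker cannot tell 'absent' from 'denied'."""
    stmt = db.get(statement_id)
    if stmt is None or not (caller.is_admin or stmt.owner_id == caller.user_id):
        raise NotFound()
    return stmt


def enumerate_statements(handler: Callable[..., Statement],
                         db: Dict[str, Statement], caller: User,
                         max_id: int) -> List[str]:
    """What an attacker does against sequential IDs: walk 1..max_id and keep
    whatever comes back. Returns the owner IDs of statements that are not
    the caller's own, i.e. the ones that leaked."""
    leaked = []
    for n in range(1, max_id + 1):
        try:
            stmt = handler(db, caller, str(n))
        except NotFound:
            continue
        if stmt.owner_id != caller.user_id:
            leaked.append(stmt.owner_id)
    return leaked


def new_statement_id() -> str:
    """Random, non-sequential identifier (UUIDv4: 122 random bits). This makes
    enumeration impractical, but it is NOT a substitute for the ownership
    check: IDs still leak via logs, Referer headers, tickets and screenshots."""
    return str(uuid.uuid4())


if __name__ == "__main__":
    attacker = USERS["101"]
    print("insecure leaks:", enumerate_statements(get_statement_insecure, STATEMENTS, attacker, 10))
    print("secure leaks:  ", enumerate_statements(get_statement_secure, STATEMENTS, attacker, 10))
    print("random id:     ", new_statement_id())
```

Run it as a script: the insecure handler hands user 101 the statement belonging to user 100, the secure handler hands back nothing that is not the caller's own, and the admin path still works. Note that the check is done per record after the lookup, not by filtering the query parameter; the two belong together, since a random ID only buys time if the ownership check is missing.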
