
The only thing is, if you don't wait until the user starts entering the password, the attacker can theoretically scrape the page with your username and find out the per-user image.



You don't get the image based on the username; the image is stored as a cookie, so it's showing you that the Yahoo you logged in to this time is the one that knew your cookie details before. Even if an attack-site can read your cookie they don't know which image to pair it with (though maybe it can be taken from a local cache somehow?). The image is a per-device (or per-browser?) security indication.

Details - https://protect.login.yahoo.com/login/set_pref?faq=1#faq2, it's called "yahoo sign-in seal".
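An added illustration of the design described in the comment above (this is example code written for this page, not Yahoo's implementation, and the in-memory store and function names are assumptions): the server mints a random opaque token per device, maps that token to the seal the user chose, and hands the token back as a cookie. The login page looks the seal up by cookie only, so a page that knows just the username gets nothing to pair with it.

```python
import secrets

# Constructed in-memory store standing in for the server side
# (assumption: the real service's storage layout is not described on the page).
SEAL_TOKENS = {}  # opaque device token -> seal image the user picked on that device


def set_seal(image_name):
    """User picks a seal on a device. The server mints a random, unguessable
    token, remembers token -> image, and returns the token to be set as a cookie.
    Nothing about the username goes into the token."""
    token = secrets.token_urlsafe(32)
    SEAL_TOKENS[token] = image_name
    return token


def render_login_page(cookies, username=None):
    """Called before any password is typed. Shows the seal only when the
    browser presents a token the server issued; the username is deliberately
    never consulted, so it cannot be used to look the image up."""
    token = cookies.get("seal")
    if token is not None and token in SEAL_TOKENS:
        return {"seal": SEAL_TOKENS[token], "prompt": "enter password"}
    # No (or unknown) token: the page shows no seal, which is the user's cue
    # that this device has not been paired, or that this is not the real site.
    return {"seal": None, "prompt": "no seal on this device; enter password"}


if __name__ == "__main__":
    cookie = set_seal("blue_boat")           # constructed example seal
    print(render_login_page({"seal": cookie}))         # seal shown
    print(render_login_page({}, username="alice"))     # username alone: no seal
```

The point the example makes concrete is the one in the comment: the seal is a property of the cookie on that device, not of the account, which is why a login form reached without that cookie (a public computer, a cleared browser, or a look-alike page) shows no seal.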


Oh! Well that's a smart idea... that's kind of like showing you your private "profile picture" when you are logged in.

But if you have a session cookie, then you hardly need a password. Unless we are talking about a public computer where you need to enter your password.

I am talking about the times when you DON'T have a session cookie, and you are prompted to sign in with a password. That's the thing that could be spoofed.



