
Using clickjacking we can get lots of valid tokens, no need to solve challenges.



You don't think Google will figure something out when a bunch of tokens from different IP addresses are all being used by one IP?


It can be helpful. There's an (optional!) remoteip parameter the server can use to send Google the IP address of the current user. As in the WordPress demo, sometimes we can send requests with the browser.


And additionally it’s easy to just create empty Google accounts and then use them with the bots. Just create a few dozen accounts, use them with a few hundred bots, and you easily get full verification.


It is naive to think that attackers have only one IP at their disposal.
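An added example, not part of the thread: a server-side reCAPTCHA check that passes the optional `remoteip` parameter mentioned above to the `siteverify` endpoint and fails closed on any error. The helper names, the injectable `post` transport and all sample values are assumptions made for illustration.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

def build_form(secret, token, client_ip=None):
    """Form fields for siteverify; remoteip is optional, sent only if known."""
    form = {"secret": secret, "response": token}
    if client_ip:
        # Use the socket peer address (or a header set by your own trusted
        # proxy), never a client-supplied value.
        form["remoteip"] = client_ip
    return form

def http_post(url, form):
    """Default transport: POST the form and parse the JSON reply."""
    data = urllib.parse.urlencode(form).encode()
    with urllib.request.urlopen(url, data=data, timeout=5) as resp:
        return json.load(resp)

def verify_token(secret, token, client_ip, expected_hostname, post=http_post):
    """Return (ok, reason); any failure or outage counts as not verified."""
    if not token:
        return False, "missing token"
    try:
        result = post(SITEVERIFY_URL, build_form(secret, token, client_ip))
    except Exception as exc:
        return False, f"verification unavailable: {exc}"
    if result.get("success") is not True:
        return False, "rejected: " + ",".join(result.get("error-codes", []))
    if result.get("hostname") != expected_hostname:
        # The token was solved on a page served from a different host.
        return False, "token issued for another hostname"
    return True, "ok"

if __name__ == "__main__":
    # Constructed stand-in for the network call so the demo runs offline.
    def fake_post(url, form):
        print("would send:", sorted(form))
        return {"success": True, "hostname": "example.org"}
    print(verify_token("placeholder-secret", "placeholder-token",
                       "203.0.113.7", "example.org", post=fake_post))
```
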



