Story 2014-03-10 3FD How Not to Write an API

How Not to Write an API

in code on (#3FD)
While creating an Android App for Criticker, a movie review and recommendation website, this author found some interesting security holes in their API.

Who knew that a LookupPassword function that returned any user's password in plain-text would be a bad idea?
9 comments

Deeper problem (Score: 5, Insightful)

by on 2014-03-10 15:06 (#CG)

It is not just a bad idea to return a password through an API; a properly designed application wouldn't even be able to offer such an API call because it would store password hashes instead of actual passwords.

Re: Deeper problem (Score: 5, Informative)

by on 2014-03-10 15:08 (#CJ)

And don't forget to salt them too! Lots of people always seem to forget the salt.
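The two comments above describe what a sane password store looks like: a per-user random salt, a slow hash, and no code path that can hand back the password. This is an added illustration, not code from the linked article or from Criticker's API; the PBKDF2 iteration count and the record format are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for PBKDF2-HMAC-SHA256; tune the iteration count to your hardware.
HASH_NAME = "sha256"
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user, so equal passwords differ
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_{HASH_NAME}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash using the salt and iteration count stored in the record,
    then compare in constant time. Malformed records never verify."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        algo = scheme.removeprefix("pbkdf2_")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


# Constructed in-memory user table standing in for a database.
USERS = {"alice": hash_password("correct horse battery staple")}


def lookup_credential(username: str) -> Optional[str]:
    """The only 'lookup' a hashed store can offer: the verifier record, never the password.
    A LookupPassword-style call is impossible because the plaintext was never kept."""
    return USERS.get(username)


if __name__ == "__main__":
    rec = lookup_credential("alice")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("hunter2", rec))                       # False
```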

Re: Deeper problem (Score: 1)

by on 2014-03-10 15:17 (#CN)

I only forget the salt when cooking, but when cooking, you can usually add the salt later with no negative impact to food safety and security.

Re: Deeper problem (Score: 2, Funny)

by on 2014-03-10 21:35 (#DJ)

'Salted hash' sounds like a delicious snack. Nom.

Re: Deeper problem (Score: 4, Interesting)

by on 2014-03-10 15:08 (#CK)

Hmmm... I'm able to moderate my own posts.

Re: Deeper problem (Score: 1)

by on 2014-03-10 17:37 (#D0)

Pipedot must have grown so sophisticated even the trolls downmod their own posts!

Re: Deeper problem (Score: 1)

by on 2014-03-10 20:46 (#DB)

I think, thus far, the trig CAPTCHA on the sign-up form may have averted the first round. Now, if I could only find some wood to knock on...

Re: Deeper problem (Score: 2, Funny)

by on 2014-03-10 20:56 (#DD)

Naw, even if you get it wrong it lets you continue to register.
(signed: Doesn't double check his answers....)

You have to wonder why.... (Score: 2, Interesting)

by on 2014-03-10 16:32 (#CV)

Some idiot developer needed that function, and didn't think it was a problem because it required a dev api key. He also ignored the fact that they were storing passwords in plain text. Well, I'll double check any api we ever create for something as stupid, though I'm not sure anyone who's ever worked with me was that dumb. And that's saying something.

First PipeDot post!