Story 2014-03-10 3FD How Not to Write an API

How Not to Write an API

by
in code on (#3FD)
While creating an Android App for Criticker, a movie review and recommendation website, this author found some interesting security holes in their API.

Who knew that a LookupPassword function that returned any user's password in plain-text would be a bad idea?
Reply 9 comments

Deeper problem (Score: 5, Insightful)

by mth@pipedot.org on 2014-03-10 15:06 (#CG)

It is not just a bad idea to return a password through an API; a properly designed application wouldn't even be able to offer such an API call because it would store password hashes instead of actual passwords.

Re: Deeper problem (Score: 5, Informative)

by bryan@pipedot.org on 2014-03-10 15:08 (#CJ)

And don't forget to salt them too! Lots of people always seem to forget the salt.

Re: Deeper problem (Score: 1)

by insulatedkiwi@pipedot.org on 2014-03-10 15:17 (#CN)

I only forget the salt when cooking, but when cooking, you can usually add the salt later with no negative impact to food safety and security.

Re: Deeper problem (Score: 2, Funny)

by hex@pipedot.org on 2014-03-10 21:35 (#DJ)

'Salted hash' sounds like a delicious snack. Nom.

Re: Deeper problem (Score: 4, Interesting)

by mth@pipedot.org on 2014-03-10 15:08 (#CK)

Hmmm... I'm able to moderate my own posts.

Re: Deeper problem (Score: 1)

by computermachine@pipedot.org on 2014-03-10 17:37 (#D0)

Pipedot must have grown so sofisticated even the trolls downmod their own posts!

Re: Deeper problem (Score: 1)

by bryan@pipedot.org on 2014-03-10 20:46 (#DB)

I think, thus far, the trig CAPTCHA on the sign-up form may have averted the first round. Now, if I could only find some wood to knock on...

Re: Deeper problem (Score: 2, Funny)

by pslytelypsycho@pipedot.org on 2014-03-10 20:56 (#DD)

Naw, even if you get it wrong it lets you continue to register.
(signed: Doesn't double check his answers....)

You have to wonder why.... (Score: 2, Interesting)

by billshooterofbul@pipedot.org on 2014-03-10 16:32 (#CV)

Some idiot developer needed that function, and didn't think it was a problem because it required a dev api key. He also ignored the fact that they were storing passwords in plain text. Well, I'll double check any api we ever create for something as stupid, though I'm not sure anyone whos ever worked with me was that dumb. And that's saying something.

First PipeDot post!