How Not to Write an API

by
in code on (#2VB)
While creating an Android App for Criticker, a movie review and recommendation website, this author found some interesting security holes in their API.

Who knew that a LookupPassword function that returned any user's password in plain-text would be a bad idea?

History


Deprecated: mb_convert_encoding(): Handling HTML entities via mbstring is deprecated; use htmlspecialchars, htmlentities, or mb_encode_numericentity/mb_decode_numericentity instead in /var/pipedot/include/diff.php on line 25

Deprecated: Creation of dynamic property FineDiff::$granularityStack is deprecated in /var/pipedot/lib/finediff/finediff.php on line 217

Deprecated: Creation of dynamic property FineDiff::$edits is deprecated in /var/pipedot/lib/finediff/finediff.php on line 218

Deprecated: Creation of dynamic property FineDiff::$from_text is deprecated in /var/pipedot/lib/finediff/finediff.php on line 219

Deprecated: Creation of dynamic property FineDiff::$last_edit is deprecated in /var/pipedot/lib/finediff/finediff.php on line 372

Deprecated: Creation of dynamic property FineDiff::$stackpointer is deprecated in /var/pipedot/lib/finediff/finediff.php on line 373

Deprecated: Creation of dynamic property FineDiff::$from_offset is deprecated in /var/pipedot/lib/finediff/finediff.php on line 375

Deprecated: Creation of dynamic property FineDiffCopyOp::$len is deprecated in /var/pipedot/lib/finediff/finediff.php on line 155
2014-03-10 03:26
How Not to Write an API
bryan@pipedot.org
While creating an Android App for Criticker, a movie review and recommendation website, this author found some interesting security holes in their API.

Who knew that a LookupPassword function that returned any user's password in plain-text would be a bad idea?
Reply 0 comments