

How “../sms” could bypass Authy everywhere - homakov
http://sakurity.com/blog/2015/03/15/authy_bypass.html?2

======
rtpg
Yet another problem that could be solved with good typing :)

Seriously though, it's very worrying to me that so many low-level ruby
libraries have so many issues. I realise bugs happen, but at least in the
python world there seems to be less "oh whoops the most popular OAuth provider
lib is susceptible to CSRF"-type bugs.
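An added illustration of the pattern the comment above is complaining about, written here as example code rather than taken from the Authy gem or the sakurity post. It assumes two things: that the client built the verify path by interpolating the user-typed token into the URL, and that the server (or something in front of it) resolves "." and ".." segments before routing, as RFC 3986 section 5.2.4 describes. The token length range and the `OtpToken` type are assumptions chosen for the example; the point is that a validated value type, not a raw string, is what should reach the path builder.

```ruby
require 'uri'

# Added example (not the Authy gem's or sakurity's code).
# Assumptions: the client interpolates the user-supplied token into the
# request path, and the server resolves "." / ".." segments before routing.

# Vulnerable pattern: the user-typed token goes straight into the URL path.
def verify_path_unsafe(token, authy_id)
  "/protected/json/verify/#{token}/#{authy_id}"
end

# Dot-segment removal as a server or proxy would perform it before routing.
# This is what turns ".../verify/../sms/<id>" into ".../sms/<id>".
def normalize_path(path)
  out = []
  path.split('/').each do |seg|
    case seg
    when '', '.' then next     # empty and "." segments drop out
    when '..'    then out.pop  # ".." climbs one level
    else out << seg
    end
  end
  '/' + out.join('/')
end

# "Good typing": a value object that cannot exist unless the raw string has
# the expected shape, so every call site receives an already-checked token.
class OtpToken
  FORMAT = /\A\d{6,8}\z/ # assumed length range; use the provider's real one

  attr_reader :value

  def initialize(raw)
    raw = raw.to_s
    raise ArgumentError, 'token must be 6-8 digits' unless raw.match?(FORMAT)
    @value = raw
  end

  def to_s
    value
  end
end

# Hardened pattern: only typed, validated inputs reach the path builder, and
# each segment is percent-encoded as defense in depth (a stray "/" becomes %2F).
def verify_path_safe(token, authy_id)
  token = OtpToken.new(token) unless token.is_a?(OtpToken)
  id = authy_id.to_s
  raise ArgumentError, 'authy_id must be digits' unless id.match?(/\A\d+\z/)
  "/protected/json/verify/#{URI.encode_www_form_component(token.to_s)}/" \
    "#{URI.encode_www_form_component(id)}"
end

if __FILE__ == $PROGRAM_NAME
  # The traversal token lands on the sms endpoint instead of verify.
  puts normalize_path(verify_path_unsafe('../sms', '1234'))
  puts verify_path_safe('123456', '1234')
  begin
    verify_path_safe('../sms', '1234')
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Rejecting by format is the real fix; the percent-encoding is only a second layer, since some servers decode `%2F` before routing and would undo it.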

~~~
vsync
But there was no user story in which the user typed "../sms"! You seem to be
encouraging thinking about scenarios like this in advance, a.k.a. BDUF.

