
Are you saying that the password field returned a password hash of the correct password when you mistyped it?

That's extremely bizarre.




The specifics of it escape me at this point. My guess is that it was a hash of the incorrect password. That wasn't necessarily the security risk, but it did spark my curiosity that led to the rest.


Seems like some misused form framework. They were potentially striving for Facebook-like functionality ("Hi Tom, welcome back") and got it wrong.


Tom never used Facebook. He preferred a different social networking platform.


I reported a similar issue in GitLab a while back where an incorrect password, entered in the login form, was echoed back to the user in the registration form! IIRC the registration form was picking up on the validation failure in the login form and filling itself in with the submitted form details.


I hope we fixed that.


Yes, I reported it as https://gitlab.com/gitlab-org/gitlab-ce/issues/14552 (confidential so you need permission to see) and it was fixed in https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/3691


Cool, I removed the confidentiality from the issue. Thanks for reporting this.
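The GitLab bug discussed above, as an added example that is not code from GitLab or from any commenter: a shared "fill the form with the last submission" helper leaks the login password into the registration form, beside a version that only re-populates from the originating form and never re-emits secret fields. Form names, field lists and the failed-login submission are assumed.

```ruby
# Added illustration (not GitLab's code). Form names and field lists are assumed.
REGISTRATION_FIELDS = %w[name email password password_confirmation].freeze
LOGIN_FIELDS        = %w[login password remember_me].freeze
SENSITIVE_FIELDS    = %w[password password_confirmation].freeze

# Vulnerable: every form on the page is filled from whatever the last
# submission contained, so a failed login's password lands in the
# registration form's password field.
def repopulate_naive(form_fields, last_submission)
  form_fields.each_with_object({}) do |field, values|
    values[field] = last_submission[field] if last_submission.key?(field)
  end
end

# Hardened: reuse values only when they were submitted to this very form,
# and never write a secret field back into the rendered HTML.
def repopulate_safe(form_name, form_fields, last_submission)
  return {} unless last_submission[:form] == form_name
  params = last_submission[:params]
  (form_fields - SENSITIVE_FIELDS).each_with_object({}) do |field, values|
    values[field] = params[field] if params.key?(field)
  end
end

# Constructed failed-login submission (the user mistyped their password).
FAILED_LOGIN = {
  form: "login",
  params: { "login" => "tom", "password" => "hunter3", "remember_me" => "1" }
}.freeze

if __FILE__ == $PROGRAM_NAME
  p repopulate_naive(REGISTRATION_FIELDS, FAILED_LOGIN[:params])
  # => {"password"=>"hunter3"}  mistyped password echoed into registration
  p repopulate_safe("registration", REGISTRATION_FIELDS, FAILED_LOGIN)
  # => {}
  p repopulate_safe("login", LOGIN_FIELDS, FAILED_LOGIN)
  # => {"login"=>"tom", "remember_me"=>"1"}
end
```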



