Hacker News new | comments | ask | show | jobs | submit login

Wait, yesterday? And the fix is already deployed to production today? That's either some truly impressive engineering from a company that made a freshman-year-level security mistake, or whatever patch they put in place to fix this is just as leaky as the original bugged version and it's just a matter of time.

Theory: Devops disabled the security flag on the JSON API, in order to perform integration tests, then didn't enabled it until reminded.

This for sure! My theory has also been that it's possible they literally just needed to add "if (subscriptionApproved) {" to the top. Not exactly a ton of code!

They just killed the try page entirely. It's now a redirect to the home page. Hopefully they don’t try to bring that page back up without fixing all the bugs...

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact