
> The vector here is they would use one email address to try to sign in, and a completely different email address to verify a token

Is this like the PayPal XSRF vulnerability where any issued XSRF token was considered valid regardless of the user trying to use it?

I’d expect Google to have some standard way to handle this stuff.



