
Yahoo do something like this, they display a per user image on the login, presumably using cookies?



The only thing is, if you don't wait until the user starts entering the password, the attacker can theoretically scrape the page with your username and find out the per-user image.

-----


You don't get the image based on the username, the image is stored as a cookie, so it's showing you that the Yahoo you logged in to this time is the one that knew your cookie details before. Even if an attack-site can read your cookie they don't know which image to pair it with (though maybe it can be taken from a local cache somehow?). The image is a per-device (or per browser?) security indication.

Details - https://protect.login.yahoo.com/login/set_pref?faq=1#faq2, it's called "yahoo sign-in seal".

-----


Oh! Well that's a smart idea... that's kind of like showing you your private "profile picture" when you are logged in.

But if you have a session cookie, then you hardly need a password. Unless we are talking about a public computer where you need to enter your password.

I am talking about the times when you DON'T have a session cookie, and you are prompted to sign in with a password. That's the thing that could be spoofed.

-----
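The mechanism the thread is discussing, as an added example that is not part of the original thread and not Yahoo's actual implementation: the seal is chosen once on a device, an opaque HMAC-signed identifier goes into a persistent cookie, and the login page looks the seal up server-side from that cookie only. The username is deliberately never consulted, so a phishing page that knows the username gets nothing, and the cookie value itself carries no seal content. The key, store and seal name are constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed for this example: a real deployment would load the key from a
# secret store and persist the seal table in a database.
SERVER_KEY = b"example-server-key-not-a-real-secret"

# Server-side table: opaque seal id -> the image/text the user picked.
# Only the id (plus its MAC) ever reaches the browser, never the seal itself.
_seal_store: dict[str, str] = {}


def _sign(seal_id: str) -> str:
    """Integrity tag so a forged or edited cookie is rejected before lookup."""
    return hmac.new(SERVER_KEY, seal_id.encode(), hashlib.sha256).hexdigest()


def create_seal_cookie(chosen_seal: str) -> str:
    """Run once, on the legitimate site, when the user picks a seal on this device.
    Returns the value to set in a long-lived cookie (HttpOnly, Secure, SameSite
    in practice, so cross-site pages cannot read it)."""
    seal_id = secrets.token_urlsafe(16)
    _seal_store[seal_id] = chosen_seal
    return f"{seal_id}.{_sign(seal_id)}"


def seal_for_login_page(cookie: Optional[str], username: Optional[str] = None) -> Optional[str]:
    """Render-time lookup for the password prompt. `username` is accepted only to
    make the point explicit: it is ignored, because keying the seal on the username
    would let an attacker scrape the seal for any victim they can name."""
    if not cookie or "." not in cookie:
        return None  # no device cookie: no seal, which is the warning sign
    seal_id, tag = cookie.rsplit(".", 1)
    if not hmac.compare_digest(tag, _sign(seal_id)):
        return None  # tampered or guessed cookie value
    return _seal_store.get(seal_id)


def demo() -> dict:
    """Walk through the cases the thread raises and return what each would render."""
    cookie = create_seal_cookie("blue-sailboat.png")  # constructed seal name
    return {
        # Real site, same browser: the seal the user chose comes back.
        "legit_site_with_cookie": seal_for_login_page(cookie, "alice"),
        # Phishing page on another origin cannot present the victim's cookie,
        # so the prompt shows no seal even though it knows the username.
        "phishing_site_no_cookie": seal_for_login_page(None, "alice"),
        # An attacker who edits the id but cannot recompute the MAC is rejected.
        "tampered_cookie": seal_for_login_page(cookie[:-4] + "0000", "alice"),
        # The cookie string is an opaque id + MAC; the seal is not recoverable from it.
        "cookie_leaks_seal": "sailboat" in cookie,
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The cases the thread leaves open are the ones this design does not cover: a browser that can be made to read the cookie cross-origin (an XSS on the real site, for instance) or a cached copy of the seal image on the machine would let an attacker reproduce the seal, which is why the cookie should be HttpOnly and the seal served with no-store caching headers.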