pbhjpbhj 558 days ago | link | parent

Yahoo do something like this, they display a per user image on the login, presumably using cookies?


EGreg 558 days ago | link

The only thing is, if you don't wait until the user starts entering the password, the attacker can theoretically scrape the page with your username and find out the per-user image.

-----

pbhjpbhj 557 days ago | link

You don't get the image based on the username, the image is stored as a cookie, so it's showing you that the Yahoo you logged in to this time is the one that knew your cookie details before. Even if an attack-site can read your cookie they don't know which image to pair it with (though maybe it can be taken from a local cache somehow?). The image is a per-device (or per browser?) security indication.

Details - https://protect.login.yahoo.com/login/set_pref?faq=1#faq2, it's called "yahoo sign-in seal".

-----
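To make the mechanism pbhjpbhj describes concrete, here is a small added example (not Yahoo's code, and not from this thread) of a server-side sign-in seal: the cookie carries only a random opaque id, the image is looked up from that id alone, and the username is never an input. The names `enrol_seal`, `seal_for_login_page`, the cookie name and the in-memory store are all assumptions of this example.

```python
import secrets
from http.cookies import SimpleCookie
from typing import Optional

# Constructed in-memory store for this example: seal id -> user-chosen image.
# A real deployment keeps this server-side; the image name is only ever sent
# to the browser that presents the matching cookie.
SEALS: dict = {}

COOKIE_NAME = "sign_in_seal"


def enrol_seal(image_name: str) -> str:
    """Bind a user-chosen image to a fresh random seal id and return the
    Set-Cookie header value. The cookie carries the opaque id, never the image,
    so it is a per-browser indicator: a second browser gets a different id."""
    seal_id = secrets.token_urlsafe(32)
    SEALS[seal_id] = image_name
    c = SimpleCookie()
    c[COOKIE_NAME] = seal_id
    c[COOKIE_NAME]["httponly"] = True        # page scripts cannot read the id
    c[COOKIE_NAME]["secure"] = True          # never sent over plain HTTP
    c[COOKIE_NAME]["samesite"] = "Strict"    # not attached to cross-site requests
    c[COOKIE_NAME]["max-age"] = 365 * 24 * 3600  # long-lived, unlike a session
    return c.output(header="").strip()


def seal_for_login_page(cookie_header: str) -> Optional[str]:
    """Decide what to show above the password box, from the Cookie header
    alone. Returns the image name, or None meaning 'show the no-seal warning'
    (which is also what a spoofed login page on another origin would get)."""
    c = SimpleCookie()
    c.load(cookie_header)
    morsel = c.get(COOKIE_NAME)
    if morsel is None:
        return None
    return SEALS.get(morsel.value)  # an unknown or forged id also yields None
```

The login page renders the returned image before the password field; a missing or unrecognised id produces the warning instead, which is the signal the user is trained to look for.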

EGreg 557 days ago | link

Oh! Well that's a smart idea... that's kind of like showing you your private "profile picture" when you are logged in.

But if you have a session cookie, then you hardly need a password. Unless we are talking about a public computer where you need to enter your password.

I am talking about the times when you DON'T have a session cookie, and you are prompted to sign in with a password. That's the thing that could be spoofed.

-----
