
It's not a client-side fix. Just stop the server from sending the token/link to the clients. Sure, that might degrade the client experience a bit (assuming that the client isn't just displaying a webview, in which case no degradation would occur), but it would fix the problem for now.

Later on you can take your time rolling out a client fix if it's required, but a hotfix server-side is entirely possible. There's no excuse for keeping this vulnerability possible when it's been made this public (step-by-step instructions to hack someone's account, with screenshots!), especially since you were contacted privately about it ~3 months ago.




Right. There's one developer at Skype who can just do that and push it to production, without talking to anyone else, or getting approval from anyone else.

Be realistic. If two people need to talk about it, it's going to take longer than 2 minutes.

-----


Longer than two minutes, definitely! More than 2 hours to investigate and fix? Very doubtful. 3 months? That's a bit much...

-----


I see you're not familiar with the nature of code deployments and everything that has to happen beforehand. ;)

The two hours were most likely spent on office politics as opposed to fixing the problem. I'm surprised it wasn't > 5 hours to be honest.

-----


Given your description I'm sure I'm lucky I'm not familiar with that. I've never worked at any place that has > 40 employees. If I can manage, I hope never to have to.

-----


Yeah, there's no doubt it sucks, but so can working for smaller organisations. It's all about the people you're working with. The bigger the company, the more deadwood you likely have to work with.

-----



