How will you handle Yahoo's recent authorization bug in your app?
1 point by reinwald on May 26, 2014 | hide | past | favorite | 1 comment
This is with reference to http://thehackernews.com/2014/05/vulnerability-in-yahoo-websites-allows.html

Authentication normally has three steps:

1. Authenticating User: username, passwd verification, i.e. a valid Yahoo user
2. Authorizing Action (role based access): whether user is allowed to perform the action, i.e. user is allowed to delete comments
3. Authorizing Entity: verify user owns the entity, i.e. user is allowed to delete only his comments.

How do you handle the third step in your application?
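The three steps from the question, carried through as an added Python example (this is illustrative code, not anything posted in the thread or used by Yahoo). It uses a constructed in-memory SQLite store with two users and two comments, all hypothetical. `delete_comment_insecure` stops after step 2, so any member can delete any comment id; `delete_comment_secure` makes ownership part of the `DELETE` predicate itself, so step 3 cannot be forgotten at the handler level or lost in the query:

```python
"""Three-step check: authenticate, authorize the action by role, then
authorize the entity by ownership.  Added example; sample data constructed."""
import hashlib
import hmac
import sqlite3

# Role -> set of permitted actions (constructed for the example)
ROLE_PERMISSIONS = {"member": {"comment.delete"}, "reader": set()}


def _hash(password: str, salt: str) -> str:
    """Salted PBKDF2 hash; iteration count kept low so the example runs fast."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000).hex()


def make_db() -> sqlite3.Connection:
    """Build the constructed sample store: two members, one comment each."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, "
                 "role TEXT, salt TEXT, pw_hash TEXT)")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT)")
    for uid, name, role, pw in [(1, "alice", "member", "correct horse"),
                                (2, "bob", "member", "battery staple")]:
        salt = f"salt-{uid}"  # constructed; use os.urandom in real code
        conn.execute("INSERT INTO users VALUES (?,?,?,?,?)",
                     (uid, name, role, salt, _hash(pw, salt)))
    conn.executemany("INSERT INTO comments VALUES (?,?,?)",
                     [(10, 1, "alice's comment"), (20, 2, "bob's comment")])
    conn.commit()
    return conn


def authenticate(conn, username, password):
    """Step 1: verify credentials; return the user record or None."""
    row = conn.execute("SELECT id, role, salt, pw_hash FROM users WHERE name=?",
                       (username,)).fetchone()
    if row is None:
        return None
    uid, role, salt, pw_hash = row
    if not hmac.compare_digest(pw_hash, _hash(password, salt)):
        return None
    return {"id": uid, "role": role}


def authorize_action(user, action):
    """Step 2: role-based check that this kind of action is allowed at all."""
    return action in ROLE_PERMISSIONS.get(user["role"], set())


def delete_comment_insecure(conn, user, comment_id):
    """Steps 1 and 2 only.  The comment id comes from the client and is never
    tied to the caller, so a member can delete someone else's comment."""
    if not authorize_action(user, "comment.delete"):
        return False
    cur = conn.execute("DELETE FROM comments WHERE id=?", (comment_id,))
    conn.commit()
    return cur.rowcount == 1


def delete_comment_secure(conn, user, comment_id):
    """Step 3 built into the query: the row must match both the id and the
    caller's owner_id.  A non-owner gets rowcount 0, not a deletion."""
    if not authorize_action(user, "comment.delete"):
        return False
    cur = conn.execute("DELETE FROM comments WHERE id=? AND owner_id=?",
                       (comment_id, user["id"]))
    conn.commit()
    return cur.rowcount == 1


def demo():
    """bob tries to delete alice's comment (id 10) through both handlers."""
    conn = make_db()
    bob = authenticate(conn, "bob", "battery staple")
    insecure_hit = delete_comment_insecure(conn, bob, 10)  # True: alice's row gone
    conn = make_db()
    bob = authenticate(conn, "bob", "battery staple")
    secure_hit = delete_comment_secure(conn, bob, 10)      # False: nothing deleted
    remaining = conn.execute("SELECT COUNT(*) FROM comments").fetchone()[0]
    return insecure_hit, secure_hit, remaining


if __name__ == "__main__":
    print(demo())  # (True, False, 2)
```

Putting the owner column into the `WHERE` clause (or into a view or row-level policy that every query goes through) is what turns step 3 from a per-handler discipline into a property of the data access layer; a handler that forgets the check then fails closed with zero rows rather than open.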




I think what we can do is to run static code analysis to ensure all public methods have the third level authentication written in it. However it won't solve the problem of making mistakes in the db queries. Would love to see others' answers here if we can come up with a generic foolproof solution.



