Mark Dain
Found a minor security vulnerability at work; some genius decided to encrypt the user ID cookie, but there's no verification, so it's fairly easy to tamper with (take another number from a different cookie); doing this will result in you being logged in as a different user. How do I ethically deal with this? Should I report it? Bear in mind this is a company that's fine with our SSL setup, despite the fact it's vulnerable to POODLE and others (but not Heartbleed! That's the important one).
8y, 39w
4 replies
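The bug described in the post is encryption without authentication: the server can decrypt a cookie but cannot tell whether it produced that ciphertext, so a blob lifted from another cookie (or with a bit flipped) is accepted. The example below is added here and is not code from the post or from the poster's employer; it contrasts an encrypt-only cookie with an encrypt-then-MAC cookie whose tag is also bound to the cookie's purpose. The cookie names `session` and `recently_viewed`, the user IDs 7 and 42, and the HMAC-SHA256 counter-mode stream cipher (a stdlib stand-in for AES-CTR so the example runs without third-party packages) are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import os

# Constructed demo key; a real deployment keeps this in a secrets store.
MASTER_KEY = b"demo-master-key-not-for-production"
NONCE_LEN = 16
TAG_LEN = 32


def _subkey(label: bytes) -> bytes:
    # Separate keys for encryption and authentication, derived from one master key.
    return hmac.new(MASTER_KEY, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher (HMAC-SHA256 in counter mode) standing in for AES-CTR.
    # It shares the property that matters here: encryption alone is malleable and
    # gives the receiver no way to tell who produced a ciphertext.
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# --- Scheme 1: encrypt only (the weakness described in the post) ---
def encrypt_only(user_id: int) -> str:
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(_subkey(b"enc"), nonce, str(user_id).encode())
    return base64.urlsafe_b64encode(nonce + ct).decode()


def decrypt_only(cookie: str) -> int:
    # Decrypts whatever it is handed; any well-formed blob yields *some* user ID.
    raw = base64.urlsafe_b64decode(cookie)
    nonce, ct = raw[:NONCE_LEN], raw[NONCE_LEN:]
    return int(_keystream_xor(_subkey(b"enc"), nonce, ct))


# --- Scheme 2: encrypt-then-MAC, tag bound to the cookie's name ---
def _tag(cookie_name: str, nonce: bytes, ct: bytes) -> bytes:
    # Including the cookie name means a blob issued as "recently_viewed"
    # cannot be replayed as "session" even though both use the same key.
    return hmac.new(_subkey(b"mac"), cookie_name.encode() + b"\x00" + nonce + ct, hashlib.sha256).digest()


def seal(cookie_name: str, user_id: int) -> str:
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(_subkey(b"enc"), nonce, str(user_id).encode())
    return base64.urlsafe_b64encode(nonce + ct + _tag(cookie_name, nonce, ct)).decode()


def open_sealed(cookie_name: str, cookie: str):
    # Returns the user ID, or None if the tag does not verify for this cookie name.
    raw = base64.urlsafe_b64decode(cookie)
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(cookie_name, nonce, ct)):
        return None  # verify before decrypting; never act on an unauthenticated blob
    try:
        return int(_keystream_xor(_subkey(b"enc"), nonce, ct))
    except ValueError:
        return None


def flip_one_bit(cookie: str) -> str:
    # Flips the low bit of the first ciphertext byte; used to show the tag check.
    raw = bytearray(base64.urlsafe_b64decode(cookie))
    raw[NONCE_LEN] ^= 1
    return base64.urlsafe_b64encode(bytes(raw)).decode()


def demo() -> dict:
    # Constructed scenario: the session cookie is for user 7, and a second cookie
    # ("recently_viewed") encrypts a different user's ID, 42, under the same key.
    results = {}
    results["v1_own_cookie"] = decrypt_only(encrypt_only(7))       # 7
    results["v1_substituted"] = decrypt_only(encrypt_only(42))     # 42: server cannot object
    session = seal("session", 7)
    results["v2_own_cookie"] = open_sealed("session", session)                          # 7
    results["v2_substituted"] = open_sealed("session", seal("recently_viewed", 42))     # None
    results["v2_bit_flipped"] = open_sealed("session", flip_one_bit(session))           # None
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In production, replace the toy stream cipher and manual HMAC with an AEAD such as AES-GCM or ChaCha20-Poly1305 and pass the cookie name as associated data; the structure of the check (verify first, bind the purpose, constant-time compare, reject rather than guess) stays the same.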