undefined | Better HN

0 pointsSolvitieg5y ago0 comments

I don't understand this angle because typically admin panels only let you manage the account; deactivate, manage email address, etc. As shown in the screenshots.

Tweeting on behalf of another user seems like an unnecessary feature to give admins.

0 comments

Widdershin5y ago

I've worked on products before that have a feature that lets an admin open the site using the user's session, which is useful for verifying issues that only present when logged in as the user.

To be fair though, this was not for a social network, and even if you broke into that account there wasn't much you could do beyond paying the user's bills.

dlgeek5y ago

Current consensus theory is attackers used the admin panel to change email address to an account they owned, then used that to trigger a password reset and gain control.

j / k navigate · click thread line to collapse

0 comments

Widdershin5y ago

I've worked on products before that have a feature that lets an admin open the site using the user's session, which is useful for verifying issues that only present when logged in as the user.

To be fair though, this was not for a social network, and even if you broke into that account there wasn't much you could do beyond paying the user's bills.

dlgeek5y ago

Current consensus theory is attackers used the admin panel to change email address to an account they owned, then used that to trigger a password reset and gain control.

j / k navigate · click thread line to collapse