How will you handle Yahoo's recent authorization bug in your app?

1 pointsreinwald11y ago1 comments

This is with reference to http://thehackernews.com/2014/05/vulnerability-in-yahoo-websites-allows.html

Authentication normally has three steps:

1. Authenticating User : username, passwd verification i.e a valid yahoo user 2. Authorizing Action (role based access): whether user is allowed to perform the action i.e user is allowed to delete comments 3. Authorizing Entity : verify user owns the entity i.e user is allowed to delete only his comments.

How do you handle the third step in your application ?

1 comments

kiritsinh11y ago

i think what we can do is to run static code analysis to ensure all public methods have the third level authentication written in it. However it won't solve problem of making mistakes in the db queries. would love to see other's answers here if we can come up with generic full-proof solution.

j / k navigate · click thread line to collapse

How will you handle Yahoo's recent authorization bug in your app?

1 pointsreinwald11y ago1 comments

This is with reference to http://thehackernews.com/2014/05/vulnerability-in-yahoo-websites-allows.html

Authentication normally has three steps:

How do you handle the third step in your application ?

1 comments

kiritsinh11y ago

j / k navigate · click thread line to collapse