Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I think this is a valid observation and the affected apps should either add auth to resources they control - shared or not - or use an UUID to store it so names can't be guessed.

This only works because the attacker knows the URL.



Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: