Authy got hacked, and 33 million user phone numbers were stolen - eviltoast
    • kitnaht@lemmy.world
      link
      fedilink
      English
      arrow-up
      8
      arrow-down
      8
      ·
      edit-2
      6 months ago

      Hint – by manipulating or exploiting its code

      Which I am explaining, they…did…not…do…

      They did nothing to the code. They didn’t break the code, they didn’t cause the code to do anything it wasn’t designed to do. They did not exploit any code. They used an API endpoint that was in the open. For its intended purpose, to verify phone numbers. The api verified phone numbers, they verified phone numbers with the api. The only thing they did here…was they did verification on a lot of phone numbers.

      • Guest_User@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        6 months ago

        They absolutely exploited unintended functionality. If this was intended, they wouldn’t have added rate limiting and locked down the api after. It was clear to say this was certainly not an intended use of the api.

        In a video game for example, if there is a an item that caused excessive lagging just by placing the item. Placing a lot of them with the intent to lag the game would be an exploit. They only used items sanctioned by the game, but for unintended reasons and they would likely be banned for exploitation.