Tarsnap email confirmation bypass

141 points, posted by mcobrien over 9 years ago

9 comments

caf, over 9 years ago
The value of writing comments intended for your future self was confirmed in a strange way for me: I once found myself googling some faintly obscure question of systems programming, and soon found an article that answered my question perfectly. At that point I noticed with considerable surprise that I was reading a web archive of a Usenet posting I had made myself, some 10 years prior - of all the people to randomly run into on the Internet, your past self is one of the strangest.
jballanc, over 9 years ago
There was a paper a couple of years ago out of Microsoft Research (if I recall correctly) that looked at a number of vulnerabilities in OAuth as used by Facebook, Twitter, and a few others. The ah-hah moment for me, though, was that they identified these vulnerabilities by turning the usual view of a web app inside-out: instead of viewing the client/browser as one endpoint on a communications channel, they treated the browser as a de facto man-in-the-middle. For OAuth, it is responsible for passing along messages between the OAuth provider and the authentication-requesting website. In the case described in this article, the browser is just a MITM for a server sending messages to itself.
jonahx, over 9 years ago
I love writeups like this, and enjoyed the level of detail Colin provided.

I take away a different lesson, though: even simple web security is easy to get wrong, even for a very smart, very talented developer. I'm not sure what the solution is, though.

As for the comments, while I don't take a hard line here, I agree with Bob Martin's quote: "Every time you write a comment, you should grimace and feel the failure of your ability of expression." Wherever possible, you are better off rewriting the code and variable names to clarify, in the code itself, whatever you wanted to say in the comments. It's hard to say how to accomplish that here without knowing more about the code, though. And it may have been so difficult that a comment was the right choice.
junto, over 9 years ago
Lesson of the day: Hidden form values are not hidden from the user, they just aren't plainly visible to the user on screen.

Never "hide" sensitive data in those hidden input fields.
idlewords, over 9 years ago
I love that Colin got trapped by his weirdly pedantic obsession with Canadian invoices. I hope the next bug involves picodollars.
paulannesley, over 9 years ago
> That last part is ultimately the most important lesson from this: Comments matter!

In most cases, logically granular commits with good commit messages, and a knowledge of `git log` and `git blame` etc., is better than leaving comments. Comments can easily get out of sync with reality (see https://twitter.com/nzkoz/status/538892801941848064 ) and create a lot of noise that makes reading the code harder (especially when the comment and code contradict each other).

I only leave brief comments where some code is necessary but at a glance doesn't look right, or has a non-obvious reason. But first I find a way to make it look right or be obvious.
nchelluri, over 9 years ago
Does he mean "token" instead of "cookie"?
glag0lit, over 9 years ago
tl;dr

A friendly guy reported to Tarsnap that you could sign up without needing the emailed confirmation link, by creating that same confirmation link yourself from the cookie/token, which was hidden but present in the HTML code.

Also, there are no bug bounties for the Tarsnap website, only for Tarsnap code.
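The bug summarized in this tl;dr, and the point junto and jballanc make above (a hidden field is just the server passing a message to itself through an untrusted browser), as an added Python example. This is editor-written illustration, not Tarsnap's code and not the actual vulnerable form: the `VulnerableSignup`/`HardenedSignup` classes, the `signup.example.invalid` URL and the in-memory "outbox" standing in for mail delivery are all assumptions. The vulnerable version echoes the emailed confirmation token into a hidden input, so scraping the response is enough to build the confirmation link; the hardened version keeps the secret out of the HTML entirely, stores only its hash server-side, compares in constant time and makes the token single-use.

```python
import hashlib
import hmac
import secrets
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlparse

# Illustrative endpoint (assumption), not Tarsnap's real confirmation URL.
BASE = "https://signup.example.invalid/confirm"


class HiddenInputs(HTMLParser):
    """Collect every hidden <input>: all an attacker needs to read a value
    the site merely hid from the screen."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden":
            self.fields[a.get("name")] = a.get("value", "")


def hidden_fields(html):
    p = HiddenInputs()
    p.feed(html)
    return p.fields


class VulnerableSignup:
    """The thread's pattern: the secret is emailed AND echoed into a hidden
    field, so the browser can forge the confirmation without the email."""

    def __init__(self):
        self.pending = {}    # email -> plaintext token (constructed in-memory store)
        self.confirmed = set()
        self.outbox = []     # (recipient, link) pairs standing in for real mail

    def signup(self, email):
        token = secrets.token_hex(16)
        self.pending[email] = token
        self.outbox.append((email, BASE + "?" + urlencode({"email": email, "token": token})))
        # The bug: the token rides along in the HTML sent back to the client.
        return (
            '<form method="post" action="/register">'
            f'<input type="hidden" name="email" value="{escape(email)}">'
            f'<input type="hidden" name="token" value="{escape(token)}">'
            '<input type="submit" value="Continue"></form>'
        )

    def confirm(self, email, token):
        expected = self.pending.get(email)
        if expected is None or not hmac.compare_digest(expected, token):
            return False
        self.confirmed.add(email)
        return True


class HardenedSignup:
    """The secret exists only in the email and, hashed, in server state;
    nothing the client hands back can be turned into a confirmation."""

    def __init__(self):
        self.pending = {}    # email -> sha256(token); a leaked store yields no usable tokens
        self.confirmed = set()
        self.outbox = []

    def signup(self, email):
        token = secrets.token_urlsafe(32)
        self.pending[email] = hashlib.sha256(token.encode()).hexdigest()
        self.outbox.append((email, BASE + "?" + urlencode({"email": email, "token": token})))
        # Only non-secret state goes back to the browser.
        return (
            '<form method="post" action="/register">'
            f'<input type="hidden" name="email" value="{escape(email)}">'
            '<p>Check your inbox for the confirmation link.</p>'
            '<input type="submit" value="Resend"></form>'
        )

    def confirm(self, email, token):
        expected = self.pending.get(email)
        if expected is None:
            return False
        got = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(expected, got):
            return False
        del self.pending[email]   # single use: a replayed link does nothing
        self.confirmed.add(email)
        return True


def token_from_link(link):
    """What the legitimate user does: follow the emailed link."""
    return parse_qs(urlparse(link).query)["token"][0]


def forge_without_email(app, email):
    """Attacker's move: sign up, scrape the hidden fields, and confirm using
    only what the server handed back. True means the bypass worked."""
    fields = hidden_fields(app.signup(email))
    return app.confirm(email, fields.get("token", ""))


if __name__ == "__main__":
    print("vulnerable bypassed:", forge_without_email(VulnerableSignup(), "alice@example.invalid"))
    print("hardened bypassed:  ", forge_without_email(HardenedSignup(), "alice@example.invalid"))
```

The check a reviewer would apply to any confirmation flow is the one `forge_without_email` automates: take every value the server sends to the browser, feed it straight back, and see whether it satisfies the check that was supposed to prove possession of the mailbox.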
chloeloubag, over 9 years ago
thank you x