chromakode on April 21, 2016 | on: How I Hacked Facebook and Found Someone's Backdoor...
Reason about the software as if it has already been compromised. Think about how user credentials and private keys the server touches can be used to attack other internal services, and try to limit the scope as much as possible.
tptacek on April 21, 2016
Which is apparently exactly what Facebook does with this thing.
Guvante on April 21, 2016
To be fair, it looks like they aren't purely using SSO, which is what provided the credential scraping attack vector that was used by someone else.