The CORS Error That Cost $50,000: When Access-Control-Allow-Origin Becomes an Attack Vector

In October 2016, a security researcher discovered a misconfigured CORS endpoint on a major bitcoin exchange. By exploiting a simple Origin header reflection vulnerability, they could have stolen users’ API keys, disabled notifications, enabled two-factor authentication to lock out account owners, and transferred bitcoins to any address. They reported it instead. The bug bounty payout was substantial. Three different bitcoin exchanges were found vulnerable to similar CORS misconfigurations during the same research period. ...

11 min · 2262 words
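The reflection bug the CORS teaser refers to is easy to reproduce on paper. The following is an added example (not code from the article or from any exchange): three server-side policies, two of them broken, and the black-box probe a tester would run to tell them apart. The allowlist, the probe origins and the `example-exchange.com` domain are all constructed for illustration.

```javascript
// Added example, not code from the original article: three ways a server can answer
// a cross-origin request, and a probe that tells them apart. Origins, domain names
// and the allowlist below are constructed for illustration.

// Exact origins (scheme + host + port) the API is meant to serve.
const ALLOWED_ORIGINS = new Set([
  'https://app.example-exchange.com',
  'https://admin.example-exchange.com',
]);

// `Vary: Origin` keeps a shared cache from serving one origin's ACAO header to another.
const CREDENTIALED = { 'Access-Control-Allow-Credentials': 'true', 'Vary': 'Origin' };

// Vulnerable: echo the request Origin. Browsers refuse a credentialed response that
// carries `Access-Control-Allow-Origin: *`, so developers "fix" that by reflecting
// whatever Origin the browser sent. Any page the user visits while logged in can now
// read authenticated API responses with the user's cookies attached.
function reflectingPolicy(origin) {
  if (!origin) return {};
  return { 'Access-Control-Allow-Origin': origin, ...CREDENTIALED };
}

// Still vulnerable: an allowlist by suffix. `https://evil-example-exchange.com` ends
// with the trusted suffix; an unanchored regex or an unescaped dot fails the same way.
// Even `endsWith('.example-exchange.com')` would trust every subdomain, so one XSS on
// any of them becomes a CORS bypass.
function suffixPolicy(origin) {
  if (!origin || !origin.endsWith('example-exchange.com')) return {};
  return { 'Access-Control-Allow-Origin': origin, ...CREDENTIALED };
}

// Hardened: exact string match against the allowlist; otherwise send no CORS headers.
function allowlistPolicy(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return { 'Access-Control-Allow-Origin': origin, ...CREDENTIALED };
}

// Black-box check: which untrusted origins would be allowed to read credentialed
// responses? A real probe sends requests with these Origin headers and inspects the
// response headers; here the policy function stands in for the server.
function findReflectedOrigins(policy, probeOrigins) {
  return probeOrigins.filter((origin) => {
    const h = policy(origin);
    return h['Access-Control-Allow-Origin'] === origin &&
           h['Access-Control-Allow-Credentials'] === 'true';
  });
}

// Origins a tester would try: an arbitrary site, a lookalike that defeats suffix
// matching, and the opaque `null` origin that sandboxed iframes and data: URLs produce.
const PROBE_ORIGINS = ['https://attacker.example', 'https://evil-example-exchange.com', 'null'];

for (const [name, policy] of Object.entries({ reflectingPolicy, suffixPolicy, allowlistPolicy })) {
  console.log(name, '->', findReflectedOrigins(policy, PROBE_ORIGINS));
}
```

The probe is the useful part: a server that echoes two unrelated attacker origins, each with `Access-Control-Allow-Credentials: true`, is exploitable regardless of what its source code looks like, and the lookalike origin catches allowlists that are really suffix matches.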

How OAuth 2.0 Actually Works: The Authorization Code Flow Deconstructed

The “Sign in with Google” button seems straightforward. Click it, authenticate, and you’re in. But behind that simple interaction lies one of the most widely deployed authorization protocols in computing history—a protocol that was never actually designed for authentication. OAuth 2.0, published as RFC 6749 in October 2012, emerged from a practical problem: how do you let a third-party application access your data without giving it your password? The solution involved a clever dance of redirects, temporary credentials, and cryptographic proofs that billions of users perform daily without understanding what’s happening. ...

8 min · 1615 words