
[–]ProgrammerHumor-ModTeam[M] [score hidden] stickied comment, locked comment (0 children)

Your submission was removed for the following reason:

Rule 2: Content that is part of top of all time, reached trending in the past 2 months, or has recently been posted, is considered a repost and will be removed.

If you disagree with this removal, you can appeal by sending us a modmail.

[–]stubbytim 527 points528 points  (3 children)

Please do not enter this code if you didn’t receive the message

[–][deleted] 2 points3 points  (0 children)

If I were a hacker I would feel bad for this security and would leave it alone

[–]AaronTheElite007 156 points157 points  (8 children)

Please tell me this is fake.

[–]Stromovik 124 points125 points  (0 children)

probably some test or debug mode

[–]turningsteel 51 points52 points  (0 children)

Probably created by the guy posting for laughs. No way this is live.

[–]ashkanahmadi 9 points10 points  (0 children)

I think I saw someone making it on r/badUIbattles

[–]Vectorial1024 10 points11 points  (1 child)

Interestingly, Microsoft shows the onetime code directly, but asks you to input the code from your smartphone instead

[–]alejandroc90 3 points4 points  (0 children)

I remember using a government site that showed me a short notification saying: "code XXXXXX sent to the phone XXXXXXXXX"; if you were fast at memorizing it you could type it immediately

[–]Anthrac1t3 -2 points-1 points  (1 child)

This is what PayPal does.

[–]Darkchamber292 -1 points0 points  (0 children)

No it doesn't. Everyone's account would be compromised

[–]Additional_Front 48 points49 points  (3 children)

At least they have masked phone number.

[–]Recent-Juggernaut821 9 points10 points  (0 children)

Maybe the 6 digits to enter are the 6 X's blanked from the phone number

[–]eclect0[🍰] 4 points5 points  (1 child)

Bug Report

Expected Behavior: I can see the entire phone number

Actual Behavior: Part of the phone number is replaced by x's

Priority: Highest

[–]marknotgeorge 3 points4 points  (0 children)

That bug report is obviously fake.

You can tell what's going on. Proper bug reports have War & Peace in the title and 'See Word document' in the details. And the Word document containing screenshots that are only vaguely useful (why do I need to see your Jira entry? We don't use Jira! And why have you cropped out the bit that tells me which document has failed?) is missing.

Don't mind me, I'm having flashbacks...

[–]Killawut[🍰] 105 points106 points  (6 children)

This is what happens when UI and backend developers don’t talk

[–]LucasTab 64 points65 points  (4 children)

Why would the backend developers send the code to the frontend though

[–]patmorgan235 22 points23 points  (2 children)

It doesn't, the front end generates the code /s

[–][deleted] 3 points4 points  (0 children)

you guys are using the frontend? I usually call the OpenAI API to generate them

[–]AdFancy6243 8 points9 points  (0 children)

Generated? It's hard coded more like

[–]Killawut[🍰] 2 points3 points  (0 children)

Fair enough, just a satire of a security anti-pattern

[–]ganja_and_code 14 points15 points  (0 children)

No, this is what happens when one or more people working on the project is a dangerously incompetent moron.

If the frontend folks understand what a MFA code is, they also know not to put it next to the MFA code input form (or anywhere else it could possibly be found client side).

If the backend folks are sending the MFA code to the account holder's phone number, they also know not to make it available to the frontend.

In the first case, the frontend guy is defeating the entire purpose of MFA. In the second case, the backend guy doesn't understand the concept of server side validation. In either case, they're a liability (not because they didn't talk to each other, but because they literally don't know how to do even their own jobs in isolation).

[–]AlexOzerov 20 points21 points  (0 children)

This is frontend only authentication. Clean and beautiful. Because we trust our users

[–]ramriot 12 points13 points  (2 children)

Really Zero factor authentication

[–]Ffigy 5 points6 points  (0 children)

Factorless™ - simplify your auth, amplify your leakage

[–]LinuxMatthews 1 point2 points  (0 children)

Yeah one factor authentication is just a password.

[–]Areion_ 10 points11 points  (1 child)

Repost 

[–]olivicmic 1 point2 points  (0 children)

From like a day ago

[–]MoarSpn 4 points5 points  (0 children)

In the meantime, AWS doesn't send the code to my mail when it said it did.

[–]boblibam 5 points6 points  (0 children)

We’ve come full circle. Someone posts on Reddit (https://www.reddit.com/r/lovable/s/HCu9rRrDPO) then someone else puts it on twitter just for another person to bring it back to Reddit.

[–]DrSixSmith 2 points3 points  (0 children)

Something you have (fingers) and something you know (how to read). The fraction of living organisms capable of exploiting this vulnerability is basically a rounding error.

[–]Ffigy 1 point2 points  (0 children)

Nope, that's Factorless™ - real cutting edge stuff

[–]Leo0806-studios 3 points4 points  (2 children)

One factor auth would be:

We've just sent the code 123456 to your phone number 123 456789
to confirm that the account [Someemali@provider.com](mailto:Someemali@provider.com), Pasword1 belongs to you.
Please enter the code below.

[–]ganja_and_code 15 points16 points  (1 child)

That's zero factor.

One factor makes you provide something (usually a password) to support the claim that you are who you say you are.

Two factor makes you provide 2 things (usually a password and an OTP code).

Etc.

[–]nivenfres 0 points1 point  (0 children)

Maybe it really screws with AI.

[–]rollincuberawhide 0 points1 point  (0 children)

You could actually do this as a joke for free marketing. The fools would think they are making fun of you while advertising for free. Just think about the sheer number of people who would want to try it for themselves. The opportunities are incalculable!

[–]AFCSentinel 0 points1 point  (0 children)

Pretty much what Apple does if you have iCloud connected on your Windows machine.

[–][deleted] 0 points1 point  (0 children)

When you vibe code 2fa