I may be missing something, but it seems to me that's still vulnerable to interception. The policy document can limit the kinds of things that can be uploaded, but an attacker could still intercept that form on the way to or from the user and replace the intended user's data with anything else that happened to fit the policy.
I suppose that's solved by serving the form over HTTPS. Perhaps that's just what I was missing.
HTTPS would work, but also, if you scroll down a bit and look at the policy JSON (http://pastie.org/private/tkr7iyqzqrezmmqazbfijw), it has an "expiration" field, which would mitigate the type of attack outlined in the parent post, since after a period of time the signature would no longer be valid.
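An added example, not part of the thread and not any service's own code: a generic HMAC-signed upload policy that shows both points discussed above, namely that the signature covers the policy rather than the uploaded data, and that the "expiration" field bounds how long a captured form stays usable. Only the "expiration" field name comes from the thread; the secret, `key_prefix`, `max_bytes` and all function names are assumptions.

```python
import base64, hashlib, hmac, json
from datetime import datetime, timedelta, timezone

SECRET = b"constructed-demo-secret"  # constructed value, never a real key
FMT = "%Y-%m-%dT%H:%M:%SZ"

def sign_policy(policy: dict, secret: bytes = SECRET) -> tuple[str, str]:
    """Return (base64 policy, base64 HMAC-SHA256 signature) to embed in the form."""
    encoded = base64.b64encode(json.dumps(policy).encode()).decode()
    mac = hmac.new(secret, encoded.encode(), hashlib.sha256).digest()
    return encoded, base64.b64encode(mac).decode()

def check_upload(encoded: str, signature: str, key: str, body: bytes,
                 now: datetime, secret: bytes = SECRET) -> str:
    """Storage-side check: signature first, then expiration, then conditions."""
    mac = hmac.new(secret, encoded.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(base64.b64encode(mac).decode(), signature):
        return "bad signature"
    policy = json.loads(base64.b64decode(encoded))
    expires = datetime.strptime(policy["expiration"], FMT).replace(tzinfo=timezone.utc)
    if now >= expires:
        return "expired"
    if not key.startswith(policy["key_prefix"]):
        return "key not allowed"
    if len(body) > policy["max_bytes"]:
        return "too large"
    return "accepted"

def demo() -> dict:
    issued = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed time
    policy = {"expiration": (issued + timedelta(minutes=5)).strftime(FMT),
              "key_prefix": "uploads/alice/", "max_bytes": 1024}
    enc, sig = sign_policy(policy)
    soon, late = issued + timedelta(minutes=1), issued + timedelta(minutes=6)
    # A policy altered in transit no longer matches the signature.
    widened = base64.b64encode(
        json.dumps({**policy, "max_bytes": 10**9}).encode()).decode()
    key = "uploads/alice/a.txt"
    return {
        "intended": check_upload(enc, sig, key, b"hello", soon),
        # The body is not signed: different data that fits the policy passes,
        # which is why the form also needs to travel over HTTPS.
        "swapped_body": check_upload(enc, sig, key, b"other", soon),
        "widened_policy": check_upload(widened, sig, key, b"hello", soon),
        "after_expiry": check_upload(enc, sig, key, b"other", late),
    }

if __name__ == "__main__":
    print(demo())
```

A short expiration and tight conditions shrink what an intercepted form is worth; transport encryption is what keeps it from being intercepted in the first place.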