
Here was a dumb one from me the other day.

- I had to use login.gov

- My password manager had a saved login for it, I didn’t remember it, but it worked

- Then the site asked me for an authenticator app code. I checked my authenticator apps and there was nothing there for login.gov.

- There’s a “log in another way” button, so I click that, and the other way is to use the authenticator app!

- I click “What if I can’t get my code?”

- It says I must DELETE my account.

- I click to delete my account and it sends me an email.

- The email says to wait 24 hours for another account deletion email.

- 24 hours later I get an email that allows me to delete my account.

What was in the account? I have no idea, but it seems that it must be sensitive for some uses of the login. But if it’s sensitive and important why am I able to delete the account, the most destructive thing? Why is an email enough for me to delete it but not enough for me to get an auth code?



I would guess that the 24 hour delay is to allow the real owner of the account a chance to cancel the delete if someone tries to mess with their account.

That said, you're right. This is really weird.
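To make the mechanism being guessed at above concrete, here is an added, illustrative model of a delayed, cancellable account-deletion flow. It is not login.gov's code and is not from the thread; the class and method names, the 24-hour window constant, the injected clock and the sample addresses are all constructed for the example. Deletion is split into three steps (request, an owner-only cancel link sent to the address on file, and a finalize step that only works once the window has elapsed), which is what a cooling-off period is meant to buy the legitimate owner.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets

# Constructed value: the cooling-off window the thread describes (24 hours).
DELETION_DELAY = timedelta(hours=24)


@dataclass
class PendingDeletion:
    account_id: str
    requested_at: datetime
    cancel_token: str      # sent to the owner's email; anyone holding it can abort


class AccountDeletionService:
    """Hypothetical delayed-deletion state machine (constructed for illustration).

    `clock` is a callable returning the current UTC time; it is injected so the
    passage of the 24-hour window can be simulated without sleeping.
    """

    def __init__(self, clock):
        self.clock = clock
        self.pending = {}     # account_id -> PendingDeletion
        self.deleted = set()  # account_ids that have been finalized
        self.outbox = []      # (email, kind) of notifications that would be sent

    def request_deletion(self, account_id, email):
        """Open a deletion window; nothing is destroyed yet."""
        token = secrets.token_urlsafe(32)
        self.pending[account_id] = PendingDeletion(account_id, self.clock(), token)
        # The cancel link goes to the address on file, so the real owner is told
        # about the request even if someone else made it with a stolen password.
        self.outbox.append((email, "deletion-requested"))
        return token

    def cancel_deletion(self, account_id, token):
        """Abort a pending deletion; valid at any time before finalization."""
        p = self.pending.get(account_id)
        if p is None or not secrets.compare_digest(p.cancel_token, token):
            return False
        del self.pending[account_id]
        return True

    def finalize_deletion(self, account_id, token):
        """Destroy the account, but only after the window has fully elapsed."""
        p = self.pending.get(account_id)
        if p is None or not secrets.compare_digest(p.cancel_token, token):
            return False
        if self.clock() - p.requested_at < DELETION_DELAY:
            return False  # still inside the cooling-off period: refuse
        del self.pending[account_id]
        self.deleted.add(account_id)
        return True


def run_scenarios():
    """Walk through the two outcomes the window is designed for."""
    now = [datetime(2024, 1, 1, tzinfo=timezone.utc)]   # constructed start time
    svc = AccountDeletionService(lambda: now[0])

    # Scenario A: nobody cancels; deletion is refused early and allowed after 24h.
    tok_a = svc.request_deletion("acct-a", "owner-a@example.com")
    early = svc.finalize_deletion("acct-a", tok_a)
    now[0] += DELETION_DELAY + timedelta(minutes=1)
    late = svc.finalize_deletion("acct-a", tok_a)

    # Scenario B: the owner reads the first email and cancels; finalize then fails.
    tok_b = svc.request_deletion("acct-b", "owner-b@example.com")
    cancelled = svc.cancel_deletion("acct-b", tok_b)
    now[0] += DELETION_DELAY + timedelta(minutes=1)
    after_cancel = svc.finalize_deletion("acct-b", tok_b)

    return {
        "early_refused": early is False,
        "late_allowed": late is True,
        "cancel_worked": cancelled is True,
        "finalize_after_cancel_refused": after_cancel is False,
        "deleted": sorted(svc.deleted),
        "emails_sent": len(svc.outbox),
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The design only helps if the owner actually sees and acts on the first notification, which is exactly the objection raised further down the thread; a window plus an email is a detection opportunity, not an authorization check, and it does nothing to stop a request made with a stolen password from completing if the email goes unread.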


How is the real owner going to know to cancel the delete? Did it send them...an email?


It's been too long and I don't clearly remember, but I think I had to use login.gov to establish an account for mumble. There was an option to print out a one-time pad (for 2FA); I chose it just for kicks. Haven't used it but I have it on file "against the day" I lose my normal second factor.


While an attacker being able to use just a password (and no 2FA) to delete someone else’s account is pretty bad, stealing information from their account may well be worse. There is a lot of personal information that I have that I'd rather see destroyed than fall into the wrong hands.



