This is a great post, it captures the true essence of an engineer. It is funny, intriguing, and inspirational. Congrats! You are a hacker at heart.
When I went to the US for 3 months I joined PureGym and they gave me a PIN number. I cancelled my membership after that, and one day Chrome told me my PureGym PIN had been compromised. 2 years later, I went to the US again, rejoined, and received the same PIN. Massive red flag.
I was also intrigued by the app, the token and PIN, and remember finding a security flaw in the system that activates the hydro massage chairs. It accepts your PIN or any PIN, with no security at all.
In case anyone else was wondering, not all 8 digit pins are "compromised", although many are, and of course an 8 digit pin has limited security in any automatable scenario.
To get an example that was already in the haveibeenpwned dataset, I wrote a quick script:
  using System;
  using System.Linq;
  using System.Net.Http;
  using System.Security.Cryptography;
  using System.Text;
  using System.Threading.Tasks;

  // Top-level program (.NET 6+): draw random 8-digit PINs and check each one
  // against the Pwned Passwords k-anonymity range API until one is found.
  var httpClient = new HttpClient();
  httpClient.BaseAddress = new Uri("https://api.pwnedpasswords.com/");
  while (true)
  {
      // Random 8-digit PIN, leading zeros included.
      var password = string.Join("", Enumerable.Range(0, 8).Select(e => Random.Shared.Next(0, 10)));
      // SHA-1 as uppercase hex, the form the API uses.
      var hash = Convert.ToHexString(SHA1.HashData(Encoding.UTF8.GetBytes(password)));
      // Only the first 5 hex chars are sent; the response lists every suffix sharing that prefix.
      var passwordRange = await httpClient.GetAsync($"range/{hash.Substring(0, 5)}");
      passwordRange.EnsureSuccessStatusCode();
      var allhashes = await passwordRange.Content.ReadAsStringAsync();
      // The API returns CRLF line endings, so don't rely on Environment.NewLine (LF on Linux).
      var splitHashes = allhashes.Split(new[] { "\r\n", "\n" }, StringSplitOptions.RemoveEmptyEntries);
      var compromised = splitHashes.SingleOrDefault(h => h.StartsWith(hash.Substring(5)));
      if (compromised != null)
      {
          Console.WriteLine($"Password {password} Compromised! Found {compromised.Split(':')[1]} time(s)");
          Console.WriteLine($"Hash: {hash}");
          return;
      }
      await Task.Delay(1_000);
  }
The "most compromised" I've seen so far is "17385382", in the DB an astonishing 119 times. It would only take a few hours to iterate through all pins and collect stats for all pins.
> A Pass Type ID certificate from Apple Developer Portal
How much does this cost? I'd love to create Apple Wallet passes for things, but I'm wary of setting up an Apple Developer account and paying even more fees for just this.
"and very good reasons for not implementing Apple Wallet"
Judging by the screenshots, it looks like a thin wrapper around a mobile-optimized web site, or at best something like Flutter, so the likelihood that they have in-house developers that are sufficiently versed in the dustier corners of Apple's APIs is slim.
Ya and if they add apple wallet they have to do android wallet and then that’s more code to maintain. But they could make the in house app always show the QR code on launch.
Did I interpret correctly that this sends a push notification every minute telling your phone to download a new code? If so, that seems like a battery problem…
You can send background push notifications which are delivered when the phone is ready for them. They don't deliver when the phone is low battery or in low battery mode. It's specifically made to reduce battery consumption.
Higher priority push notifications require a user visible UI element and can be delivered regardless of certain low power situations.
on security theater: the morons running my garbage company demand not just an email + pass but also security questions in order to login and... pay your bill. That's the functionality available.
Example security question: favorite book. Which is, naturally, case sensitive.
Someone wrote this to prevent people from stealing my password and paying my bill.
In the past, every company thought they were the next Facebook and needed to build complex super-scalable architecture because tomorrow a million users would appear out of nowhere and try to log in at the same time.
Now everyone thinks they are the next Experian and tomorrow a million hackers are going to attack and steal everyone's private info.
> Now everyone thinks they are the next Experian and tomorrow a million hackers are going to attack and steal everyone's private info.
But this is demonstrably the case today... I don't think I've gone a week without hearing about some major data-breach.
...my own org got h4x0red a few months ago: our CEO didn't have 2FA enabled on his God-tier global-admin-rights OIDC/SSO login and somehow, someone found our internal login page, had a snoop around, found our Twilio account keys and sold them off to some spammer who then sent spam texts to our customers (fortunately our (immutable) access logs showed there was no further intrusion, but it was still an incredibly unsettling experience considering how uninteresting and un-sexy my SaaS day-job is).
...so if it can happen to me, a random fellow HN troglodyte, then it can happen to you; or the hospital down the street from my old office[1].
This is likely a false positive, if chrome is using haveibeenpwned API.
e.g. A pin of 87623103
Hashes to 558B4C37F6E3FF9A5E1115C66CEF0703E3F2ADEE
We get the range from HaveIBeenPwned:
https://api.pwnedpasswords.com/range/558B4
And search for C37F6E3FF9A5E1115C66CEF0703E3F2ADEE
And see it's "Compromised" and seen 3 times before.
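A worked version of the lookup walked through above (the same k-anonymity check the C# script earlier in the thread performs), added here as an example and not code from any commenter: the SHA-1 is split into a 5-character prefix, which is all the API ever receives, and a 35-character suffix that is matched locally against the returned range. The range body is constructed in the block rather than fetched; KNOWN_PIN and its count of 119 are taken from the thread, everything else in the body is made up.

```python
import hashlib

# Constructed sample PIN for the demo; the count 119 is the one the thread reports.
KNOWN_PIN = "17385382"

def sha1_upper_hex(secret: str) -> str:
    """SHA-1 of the secret as uppercase hex, the form the range API uses."""
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()

def split_for_range(digest: str) -> tuple[str, str]:
    """k-anonymity split: only the 5-char prefix is ever sent to the API;
    the 35-char suffix stays on the client and is matched locally."""
    return digest[:5], digest[5:]

def parse_range_body(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict. The API uses CRLF line
    endings; tolerate bare LF and blank lines too (a Split on
    Environment.NewLine leaves a trailing '\\r' on Linux)."""
    counts: dict[str, int] = {}
    for line in body.replace("\r\n", "\n").split("\n"):
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(secret: str, range_prefix: str, range_body: str) -> int:
    """How many times the secret appears in the corpus (0 = not found).
    A hit means someone, somewhere, used this string as a password; it does
    not by itself mean the service that issued it leaked it."""
    prefix, suffix = split_for_range(sha1_upper_hex(secret))
    if prefix != range_prefix.upper():
        raise ValueError("range body was fetched for a different prefix")
    return parse_range_body(range_body).get(suffix, 0)

def constructed_range_response() -> tuple[str, str]:
    """A made-up range body for KNOWN_PIN's prefix (constructed, not fetched):
    the real suffix with count 119 plus a near-miss that differs only in its
    last character, so exact suffix matching is exercised."""
    prefix, suffix = split_for_range(sha1_upper_hex(KNOWN_PIN))
    near_miss = suffix[:-1] + ("0" if suffix[-1] != "0" else "1")
    body = f"{near_miss}:7\r\n{suffix}:119\r\n"
    return prefix, body
```

Point the same functions at a live `range/<prefix>` response and breach_count returns the real count; nothing but the five-character prefix is ever transmitted.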
Because if you know someone's email address, it sounds like you get API access fairly quickly after that?
Also I trust that the scopes that you can ask for are limited appropriately?
"You're right, keep it on the 2028 roadmap"
That would be my experience in tech at least.
In conclusion: we're doomed.
[1] https://therecord.media/seattle-fred-hutch-cancer-center-ran...
...or if they do have an attendant there, why can't they let you in with a friendly greeting like they used to in some imagined past?
> // Device wants updates! Store that push token like it's bitcoin in 2010
...really had me raising my eyebrows. Along with the mixed em-dash and hyphens and the AI generated images on the page.