Which raises a question of how many services out there do have links that would delete your account without confirmation (or confirmation that could be somehow spoofed by client side JS).
Usually this is done by sending a nonce that must be sent back with the request to delete the account. The attacking site won't have the nonce, so it cannot delete the account.
Currently, you can also get a similar protection by requiring headers such as "Content-Type: application/json", since other sites will not be able to make that request.
Referer does work in some cases, but it is fairly common for users to disable the Referer, so relying on it for site functionality is not ideal.
How's the resource containing the nonce any more secure than just a plain "delete-account" endpoint?
Thinking about it, you could probably use CORS and some methods like X-Frame-Options to protect your nonce. But then you could just use that on the whole deletion page and avoid the nonce, I guess?
I think checking referrers is the normal way to solve this. As long as your site doesn't have XSS vulnerabilities on other pages, I think you're fine, but I'm not an expert though.
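The nonce check discussed in this thread, as an added example that is not part of any comment above: a Python sketch of a delete-account handler that rejects plain links (GET) and any POST lacking a nonce bound to the user's session. The names `SERVER_KEY`, `issue_nonce`, `nonce_is_valid` and `handle_delete_account` are hypothetical, and the sketch assumes server-generated session IDs and that a page on another origin cannot read the form in which the nonce is served.

```python
import hashlib
import hmac
import secrets

# Constructed secret for this example; a real service would load it from config.
SERVER_KEY = secrets.token_bytes(32)


def _mac(session_id: str, salt: str) -> bytes:
    """HMAC over the session ID and a per-nonce salt, keyed with the server secret."""
    msg = f"{session_id}:{salt}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest().encode()


def issue_nonce(session_id: str) -> str:
    """Nonce embedded in the confirmation form served to the logged-in user."""
    salt = secrets.token_hex(16)
    return f"{salt}.{_mac(session_id, salt).decode()}"


def nonce_is_valid(session_id: str, nonce: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    salt, _, given = nonce.partition(".")
    # Compare as bytes so arbitrary (non-ASCII) input cannot raise TypeError.
    return hmac.compare_digest(_mac(session_id, salt), given.encode())


def handle_delete_account(session_id: str, method: str, form: dict) -> int:
    """Return the HTTP status the hypothetical delete endpoint would send."""
    if method != "POST":
        return 405  # a plain link (GET) must never change state
    if not nonce_is_valid(session_id, form.get("nonce", "")):
        return 403  # session cookie may be present, but the nonce is not
    return 200  # account deletion would run here


if __name__ == "__main__":
    sid = "session-alice"  # constructed session ID
    nonce = issue_nonce(sid)
    print(handle_delete_account(sid, "POST", {"nonce": nonce}))
    print(handle_delete_account(sid, "POST", {}))
    print(handle_delete_account(sid, "GET", {"nonce": nonce}))
```

Because the MAC covers the session ID, a nonce issued to one session is rejected when replayed under another.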