doge – Terence Eden’s Blog https://shkspr.mobi/blog Regular nonsense about tech and its effects 🙃 Tue, 15 Apr 2025 14:00:55 +0000 en-GB hourly 1 https://wordpress.org/?v=6.9.4 https://shkspr.mobi/blog/wp-content/uploads/2023/07/cropped-avatar-32x32.jpeg doge – Terence Eden’s Blog https://shkspr.mobi/blog 32 32 <![CDATA[Minor DogeAPI Security Flaw [Disclosed and Fixed]]]> https://shkspr.mobi/blog/2014/04/minor-dogeapi-security-flaw-disclosed-and-fixed/ https://shkspr.mobi/blog/2014/04/minor-dogeapi-security-flaw-disclosed-and-fixed/#respond Tue, 15 Apr 2014 11:12:39 +0000 http://shkspr.mobi/blog/?p=10344 As part of my "National Hack The Government" win, I was awarded 100 DogeCoin!

Although not my first foray into the exciting world of CryptoCurrencies, I'd never received DogeCoin before. I decided to set up an online wallet to temporarily store my loot while investigating more secure options.

More or less at random, I went with DogeAPI.com. After registering, I received this email.

DogeAPI Screenshot-fs8

Let's take a look at the code behind it...

<h1>Thanks for registering with DogeAPI.com, edent!</h1>
<p>You are almost done registering!</p>
<p>
 <a href='http://www.dogeapi.com/log_in?validate=zR1ag4ALNLkOz&user_name=edent'>Click here to verify your email and log in!</a>
</p>

Ah... Yeah, so anyone sat listening to your connection can see you making contact with DogeAPI, grab your username, cookies and - potentially - impersonate you.

12 hours after reporting the issue, the emails were fixed - and all connections were made over https.

Lessons

In this case, I was able to successfully connect to DogeAPI via an unencrypted connection. That should never be the case for a "secure" site.

If you are running a site which relies on trust - you must always make sure every connection is secure and that every link you send out starts with https://

]]> https://shkspr.mobi/blog/2014/04/minor-dogeapi-security-flaw-disclosed-and-fixed/feed/ 0