For anyone who wants to understand why bobr is making a big mistake in his examples, simply type the following into your browser address bar.
Code:
http://api.stripe.com
You will see the session automatically turns from a port 80 HTTP session to a port 443 HTTPS session. In other words, it defaults to SSL, meaning communication to and from the API is encrypted.
Now do the same on his API:
Code:
http://www.coinsbill.com/api/invoice/
The session stays on port 80 as HTTP, in plain text over the Internet.
No single transaction made on his platform is secure.
Worse still - and I'm not going to post how this can be done for obvious reasons - his entire system is exposed because he has an XSS vulnerability that took me about 5 minutes to work out.
(Disclaimer for tech heads: SSL and HTTP can go over any port, but in this case 80 and 443 are the ones that apply here.)
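The check the post describes (request a URL over plain HTTP and see whether the server moves you to HTTPS) can be done without a browser. The script below is an added example, not part of the post and not code from either service mentioned: it parses a captured plain-HTTP response and reports whether the endpoint upgrades to HTTPS (redirect to an https:// Location, ideally permanent, ideally with an HSTS header) or simply serves the resource in the clear. The two responses and the hostnames in them are constructed for the demonstration.

```python
"""Classify a plain-HTTP response: does this endpoint force TLS, or serve in the clear?"""
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
PERMANENT_CODES = {301, 308}


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])          # "HTTP/1.1 301 Moved Permanently" -> 301
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_https_upgrade(raw: str, requested_host: str) -> dict:
    """Return how a plain-HTTP request to `requested_host` was handled.

    verdict values:
      "upgrades"           permanent redirect to https:// on the same host
      "upgrades-temporary" 302/303/307 redirect to https:// (works, but easier to downgrade)
      "redirects-elsewhere" redirect to https:// on a different host
      "plaintext"          no upgrade: the API answered (or redirected) over HTTP
    """
    status, headers, _ = parse_response(raw)
    result = {
        "status": status,
        "redirects_to_https": False,
        "same_host": False,
        "hsts": "strict-transport-security" in headers,
        "verdict": "plaintext",
    }
    if status in REDIRECT_CODES and "location" in headers:
        target = urlsplit(headers["location"])
        result["redirects_to_https"] = target.scheme.lower() == "https"
        result["same_host"] = (target.hostname or "").lower() == requested_host.lower()
        if result["redirects_to_https"] and not result["same_host"]:
            result["verdict"] = "redirects-elsewhere"
        elif result["redirects_to_https"] and status in PERMANENT_CODES:
            result["verdict"] = "upgrades"
        elif result["redirects_to_https"]:
            result["verdict"] = "upgrades-temporary"
    return result


# Constructed sample responses (not real captures). The first mirrors the
# behaviour the post praises: plain HTTP is answered with a permanent redirect
# to HTTPS plus HSTS. The second mirrors the failure mode: the API just returns
# invoice data over port 80.
UPGRADING_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://api.example-psp.test/\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

PLAINTEXT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"invoice": "INV-0001", "amount_btc": "0.25", "address": "PLACEHOLDER"}'
)

if __name__ == "__main__":
    for host, raw in (("api.example-psp.test", UPGRADING_RESPONSE),
                      ("www.example-merchant.test", PLAINTEXT_RESPONSE)):
        print(host, classify_https_upgrade(raw, host))
```

To feed it a real response, capture the headers with `curl -sI http://<host>/<path>` and pass that text in. Two caveats a reviewer would add: a redirect only protects the second request, the first one (and anything the client put in it) already crossed the wire in clear text, which is why the HSTS flag is reported alongside the verdict; and a temporary redirect (302/307) is weaker than 301/308 because clients do not cache it, so every session starts with a plaintext round trip.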