Sometimes people ask for features that are such blatant security holes I don’t know what they were thinking.<\/p>\n
Is there a way to get the current user’s password? I have a program that does some stuff, then reboots the system, and I want to have the current user’s password so I can log that user back in when I’m done, then my program can resume its operation. <\/p><\/blockquote>\n
(Sometimes they don’t bother explaining why they need the user’s password; they just ask for it<\/a>.)\n Imagine the fantastic security hole if this were possible. Anybody could write a program that steals your password without even having to trick you into typing it<\/strong>. They would just call the imaginary
GetPasswordOfCurrentUser<\/code> function and bingo! they have your password.\n For another angle on credential-stealing, read Larry Osterman<\/a>‘s discussion of why delegation doesn’t work over the network<\/a>.\n Even if you didn’t want the password itself but merely some sort of “cookie” that could be used to log the user on later, you still have a security hole. Let’s call this imaginary functionGetPasswordCookieOfCurrentUser<\/code>; it returns a “cookie” that can be used to log the user on instead of using their password.<\/p>\nThis is just a thinly-disguised
GetPasswordOfCurrentUser<\/code> because that “cookie” is equivalent to a password<\/strong>. Log on with the cookie and you are now that person. <\/p>\n","protected":false},"excerpt":{"rendered":"Sometimes people ask for features that are such blatant security holes I don’t know what they were thinking. Is there a way to get the current user’s password? I have a program that does some stuff, then reboots the system, and I want to have the current user’s password so I can log that user […]<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[2,141],"class_list":["post-35713","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-history","tag-when-people-ask-for-security-holes-as-features"],"acf":[],"blog_post_summary":"
Sometimes people ask for features that are such blatant security holes I don’t know what they were thinking. Is there a way to get the current user’s password? I have a program that does some stuff, then reboots the system, and I want to have the current user’s password so I can log that user […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/35713","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=35713"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/35713\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=35713"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=35713"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=35713"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}