zlacker

[parent] [thread] 6 comments
1. romed+(OP)[view] [source] 2018-09-29 00:55:07
That doesn't just seem like a few unlucky coincidences. That seems like a fundamentally unsound design. Why should it even be theoretically possible for a request under the authority of one user to create a token with the authority of another user?
replies(3): >>flgr+j >>calc_e+O >>everde+e2
2. flgr+j[view] [source] 2018-09-29 01:02:57
>>romed+(OP)
Notably, they previously had issues were "View as" allowed you to view notifications and messages of the user you were viewing as.

If they'd done a proper post mortem and corrected the fundamental issue, and made sure it wouldn't have re-occured, this should not have happened.

replies(1): >>bigiai+a8
3. calc_e+O[view] [source] 2018-09-29 01:16:46
>>romed+(OP)
Yeah, sounds like https://en.wikipedia.org/wiki/Confused_deputy_problem to me.
4. everde+e2[view] [source] 2018-09-29 01:42:08
>>romed+(OP)
Not the root cause, but I'm guessing a microservice architecture made it more possible. It sounds like both the token generating service and the video upload service have bugs.
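As an added illustration of the design question in comment 1 (why can a request under one user's authority mint a token for another?) and the confused-deputy framing in comment 3, here is a constructed token issuer with the unsound pattern beside a sound one. This is example code, not Facebook's code; the action names, the `view_as_preview` scope and the signing key are assumptions made up for the demo, and `authorize` stands in for the check a consuming service such as the video upload service in comment 4 would have to perform.

```python
import hmac, hashlib, json
from typing import Optional

# Constructed demo key; a real issuer loads it from a secrets store.
SIGNING_KEY = b"constructed-demo-key"

# Constructed action classes: these need the user's full authority ...
PRIVILEGED = {"read_messages", "read_notifications", "upload_video"}
# ... and this is all a "view as" preview legitimately needs.
PREVIEW_OK = {"read_public_profile"}

def _sign(claims: dict) -> str:
    """Encode claims and append an HMAC so downstream services can trust them."""
    body = json.dumps(claims, sort_keys=True).encode()
    return body.hex() + "." + hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()

def _verify(token: str) -> Optional[dict]:
    """Return the claims if the MAC checks out, else None."""
    body_hex, _, mac = token.partition(".")
    try:
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return json.loads(body) if hmac.compare_digest(mac, expected) else None

def issue_token_unsound(caller: str, subject: str) -> str:
    """Confused deputy: trusts the caller-chosen subject and mints full authority for it."""
    return _sign({"sub": subject, "scope": "full", "act": caller})

def issue_token_sound(caller: str, subject: str) -> str:
    """Full authority only for the authenticated caller; a 'view as' request for anyone
    else yields a preview-scoped token that also records the real actor."""
    if subject == caller:
        return _sign({"sub": caller, "scope": "full", "act": caller})
    return _sign({"sub": subject, "scope": "view_as_preview", "act": caller})

def authorize(token: str, action: str) -> bool:
    """The check every consuming service must do: look at scope, not just sub."""
    claims = _verify(token)
    if claims is None:
        return False
    if action in PREVIEW_OK:
        return True
    return action in PRIVILEGED and claims["scope"] == "full"
```

The sound issuer never lets a caller-supplied subject widen authority, and the `act` claim keeps the real actor in the audit trail even when the token names someone else.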
5. bigiai+a8[view] [source] [discussion] 2018-09-29 03:58:02
>>flgr+j
Instead they moved fast and broke things.
replies(1): >>nautil+U8
6. nautil+U8[view] [source] [discussion] 2018-09-29 04:17:25
>>bigiai+a8
It's more important for you to move fast and break things and make us money than to move slow and do things the right way. The life of an engineer... Do it now! Why did you do it that way!? Now we are screwed??
replies(1): >>pyman+hV1
7. pyman+hV1[view] [source] [discussion] 2018-09-30 10:20:59
>>nautil+U8
Facebook’s php developers like to move fast and break things. Bad design choices, monkey patching, breaking things on production, it’s all part of Facebook’s “engineering” principles.