
thrwaway2020aug | 5 years ago

Hello! Great product and congrats on the launch!

I wanted to pile on a little bit here and say this paragraph isn't really comforting to me:

> While unlikely to happen, it is possible for a savvy user to open their browser's developer console, obtain your MagicBell project's API key from your website's source, initialize the widget on their own website with your API key but with a different user's email (if it's feasible for them to guess one) and start viewing notifications of that user.

I suspect this was done for developer experience reasons? You seem to know it's not secure to pass in an email directly, especially if anything sensitive is coming across in notifications.

For me at least, allowing the non-HMAC configuration makes me wonder what other security corners have been cut. I'd rather that option didn't exist and the company took a more security-forward stance.


unamashana | 5 years ago

Edited the doc to remove the bit about this scenario being unlikely. We take security very seriously and would be happy to get feedback on the new copy (or any other aspect of MagicBell).

thrwaway2020aug | 5 years ago

I see your point with Intercom, but it feels like you're arguing that two wrongs make a right. It doesn't make me think MagicBell takes security very seriously, but perhaps I'm just paranoid.

Regardless, the copy on the website is improved. You may also want to add a warning and link anywhere your website documents the "userEmail" option.

On another note, in terms of the implementation here, I'm surprised you're asking users to use HMAC and base64 manually, instead of using standardized JWTs. Did anything in particular motivate that decision?

I quite like the product overall - I think it's very clever how you componentized everything. The security decisions just have me concerned.
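The identity check the thread is arguing about, as an added illustration that is not MagicBell's own code: a server-side secret that never reaches the browser, an HMAC-SHA256 tag over the user email (base64-encoded, as the docs describe), the verification step, and the "HMAC off" configuration modelled alongside it so the difference is explicit. The secret value, the project key and all function names are assumptions for the example.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Hypothetical per-project secret, held only on the server. Constructed sample value.
API_SECRET = b"constructed-sample-secret-do-not-use"


def user_hmac(user_email: str, secret: bytes = API_SECRET) -> str:
    """Server side: produce the tag the widget must present for this user.

    HMAC-SHA256 over the email, base64-encoded. Only code holding `secret`
    can produce a valid tag, so the public API key alone is not enough.
    """
    digest = hmac.new(secret, user_email.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_user_hmac(user_email: str, presented_tag: str, secret: bytes = API_SECRET) -> bool:
    """Verifying side: recompute the tag and compare in constant time."""
    try:
        presented = base64.b64decode(presented_tag, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    expected = hmac.new(secret, user_email.encode("utf-8"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, presented)


def widget_request_allowed(
    api_key: str,
    project_api_key: str,
    user_email: str,
    user_hmac_tag: Optional[str],
    require_hmac: bool,
) -> bool:
    """Model of the two configurations: HMAC required versus optional.

    The API key is public (it ships in page source), so it only identifies the
    project. With require_hmac=False a request carrying just an email is
    accepted, which is the weakness the thread objects to; with
    require_hmac=True every request must carry a tag that verifies.
    """
    if api_key != project_api_key:
        return False
    if user_hmac_tag is None:
        return not require_hmac
    return verify_user_hmac(user_email, user_hmac_tag)
```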

unamashana | 5 years ago

I agree that this can be worded better and we will certainly do so. Thank you for your feedback. It's fairly common to see this pattern of HMAC off by default (ex: Intercom) to help people test their embed. At least at the moment we are in touch with everyone going live and make sure this is communicated to them (doing things that don't scale).