Introduction: Share access to accounts without sending a username/password
Rick Kats: nice :) looking forward to test this
Martin Saint-Macary: Great idea. How do you ensure that the session expires?
Dan Rosenshain: This is a good idea but should work P2P and not be hosted on your website. You're making yourself a goldmine of accounts for hackers. I think there are better ways to implement it without going through your server.
Hank Andre: This is a great idea, but many services are moving from cookies to JSON Web Tokens. Do you have plans to account for JWTs?
P.E. Butler III: Well done!
Ben Tossell: This is pretty sweeeeet
Walter Reid: Very cool idea!
Simon St John: Great idea... so useful! Thanks for the innovative idea...
v. elegant solution & solid product history under @jarredsumner's belt
give this man lots of twitter follows+money
Inlovewith01: Wow great, I like this! It's very useful :)
Finally a useful Chrome extension! ;)
Missing one small feature:
Ouriel Ohayon: Could netflix block you for using such a service?
Shmatkov Mykola: It's like a magic! Very useful tool to collaborate with teammates from abroad
Ben Lang: Obsessed with this product. Amazing execution Jarred. Was glad to help out 👍
Rodrigo Hillion: so cool!
Michael Benson: This is seriously awesome. I would love to see a way to manage the passwords I have shared with people.
Germán Castaño: This idea is very cool, and solves a common issue in a very simple way. Great work. You have to be careful with the links shared while the link is active, but it is very useful.
Hunter Owens: Oooh, this is awesome
Sachin: This is fucking amazing. :p
Jarred Sumner: I'm currently figuring out what's next for me. If you have any ideas, email me: email@example.com :)
Jack Smith: looks like a great idea, built on some solid technology
Jon: first Lockitron and now this?! Amazing!
Romain Bessuges: Brilliant idea!
Bartosz Bąk: HBO GO won't work :(
Akash Porwal: Useful tool. An option to select the time period over which to give access would be an advantage. Nicely done @jarredsumner
Akash Porwal: @jarredsumner Cool. I guess it will evolve with time. It's really good for 1.5 days of effort.
Jarred Sumner: @codeslayer1 I want to do that but I built this in 1.5 days so I didn't really have the time to add that in yet. I made it so the Access URLs themselves expire by default within a week though.
Jarred Sumner: @germancastano Thanks Germán!
Jarred Sumner: @ourielohayon This still uses their own interface! They can just expire the cookies and the specific access URL will stop working.
Ouriel Ohayon: @jarredsumner They do, but using their own interface for it so they can control abuses. Not sure how they will see it.
Jarred Sumner: @hankandre Probably someday! Thanks for the feedback.
Hank Andre: @jarredsumner For sure. Thanks for building such an extremely useful extension!
Jarred Sumner: @danr_4 yes I need to make it have better messaging around the screenshots and let people disable that if they prefer not to. Thank you for calling me out on that. The point of the screenshot is so the end user knows what they're going to see after they sign in, it's a better UX -- and if you're going to give them access, then they're going to see more than just that screenshot. But. That's something I need to make more clear and still give an opt-out, so thanks for telling me 😄
@jarredsumner yeah but you just need to open a connection to pass the cookie as a (possibly encrypted) text message, then you can close it. so your extension launches a local web page (or even embedded in the extension window itself), you enter the user identifier, wait for a connection from the initiator, pass the cookie, and there you have it.
Just a suggestion. But this is really great, I often find myself in a situation where I need to give someone access to a sensitive site for a short time. Will use this.
EDIT: saw it takes a screenshot of the page I'm sharing. that's a bit creepy. I don't see me using it without an option to NOT take screenshots. instead there could at least be an option to have your server screenshot the homepage instead of capturing the page I'm on.
@danr_4 webrtc is a good idea
The challenge there if I remember correctly how it works, is that then both browsers have to keep the page open for the other user to get access. That's a worse UX :(
@danr_4 yeah I may increase the length of the password later.
It passes an ID of the session too -- and that is what gets read in from the server to know which encrypted cookie the client should receive. That ID is just a random string though (not the password)
Another thing is that these are session cookies, which often expire -- and the access URLs by default expire too. These things make it additionally more challenging from a security perspective for an attacker to make any use of this
Dan Rosenshain: @jarredsumner you're right. It's a good implementation, but still vulnerable to brute force attacks. I'd use a longer password (26+ chars) as it won't hurt the UX but it will immensely help against brute force attacks. But wait a second, how do you know which password is for which cookie when the only data you are passing (through the URL) is the password? You can also use WebRTC to send text messages, and instead of the password being an encryption key, it could be a user identifier, and your server sends the user details to each of the peers to create the WebRTC connections.
Jarred Sumner: @benln Thanks for letting me use AccessURL to post this to Product Hunt using your account :)
David/Ryal/Pug: @jarredsumner did you ever meet that other thiel fellow 'kid' who was working on next-gen holograph/hologram stuff? i helped judge some thiel event in SF and it seemed likely he would get swept up by In-Q-Tel (💰💰💰)
Mike Desjardins: @jarredsumner that is damned clever. So it's kinda sorta like shared secure side-jacking but used for good.
Ben Tossell: @jarredsumner yeah definitely and I think lots of people will appreciate that. I was asking because of the cookies and security concerns to be honest. Thanks!
Then, when another user goes to your access URL, the chrome extension takes the password from the URL (which is what shows up in the #), it decrypts the cookies, and then adds them to Chrome's cookie jar.
It'd be way easier honestly to just store all the cookies on the server without this encryption, but a product like this is dangerous without a lot of thought put into security. It's worth the extra effort on my part to do right by users.
Michael Mroz: @fokusman @fuater @lasserafn @yefim That doesn't really sit well with me. This is security software. Any feature that obscures the degree to which you have control is not a feature that should be implemented, imo.
Austin Heap: @mroz_io @fokusman @fuater @lasserafn @yefim This product creates a security vulnerability for users where one didn't previous exist. It seems absurdly irresponsible to market it without such a warning.
Lasse Rafn: @yefim this is likely to be impossible (at least 100%). Sure, the link can expire, but nothing prevents the receiver from saving the cookies for later :/
Jarred Sumner: @yefim I should build that!!
Jarred Sumner: @lasserafn chrome extension could mitm sites using access URLs via webRequest API and then the only way to get the cookies yourself is to use Wireshark or Charles w/ trusted self signed cert, but yeah not 100% solution. The 100% solution is probably a proxy, which has other issues (streaming netflix through a proxy is bad)
Fuat Ertunc: @lasserafn @yefim That's right - it is an easy-to-use tool but you cannot call it secure. Also, if the web app you log in to allows this, there is a high chance that it is open to cross-site scripting and CSRF attacks. Still, good job! Looks like you turned a trivial hacking method into something enjoyable, at least for some folks ;)
David Feng: @jarredsumner There are likely interesting niches you can explore that go beyond pw management. I might use this to demo some of our product's features using actual accounts now rather than pure demo accounts. Thanks for building this!
Martin Saint-Macary: @jarredsumner Ok, but once someone has accessed it, they still have access to the account you've shared until the cookie has expired, right?
Jarred Sumner: @davidryalpug 💰💰💰
Jarred Sumner: @rorybro Thanks Rory!
applab: @jarredsumner Would a proxy with a VPN be better, to be more secure?
Jarred Sumner: @louismagnotti Thanks Louis! It's just Postgres. Nothing fancy :-)
Jarred Sumner: @shmatkov_mykola Thanks Shmatkov!
Jarred Sumner: @davidsfeng that's an interesting idea! I hadn't thought about that
Jarred Sumner: @davidsfeng I have no idea how I will monetize it. Maybe it turns into a B2B Password Manager for teams? There aren't any limits right now, except like a filesize limit on the screenshot and this is currently hosted on 1 digitalocean box...which hopefully won't get overloaded
David Feng: @jarredsumner Ah sweet. URL manager is a good touch. How will you be monetizing this potentially? Is there a limit to usage?
Jarred Sumner: @davidsfeng Yes, the link will stop working in either 24 hours, 1 week, or indefinite -- and it defaults to 1 week. It prompts you to choose before you create the access URL. You can delete the access URL at any time by going to https://accessurl.com/manage-urls
Jarred Sumner: @mdesjardins :)
Jarred Sumner: @byoigres thanks!
Jarred Sumner: @ourielohayon Maybe. But they seem to like sharing accounts: https://techcrunch.com/2016/01/1.... I know that I only started paying for Netflix after someone else shared theirs with me.
Jarred Sumner: @marcelpanse <3
Jarred Sumner: @borisunited Thanks Boris!
@jarredsumner You can check out their FAQ https://www.mywot.com/en/faq/sit...
One thing they recommend is submitting a review request. https://www.mywot.com/en/faq/sit...
That will notify the people who rated it before that they should rate it again and hopefully be enough to reverse the score.
Just writing a post on their forum might help to get the community to rate it.
I have it rated as good and posted a comment about previous owners :)
Alex Wolkov ☭: @ekosz1 Yeah, I've taken a look, wish I had more time to dive in.
But you can also update chrome extensions without user knowledge pretty easily and in the span of 4 hours.
Jarred Sumner: @tj_mahony Thanks TJ!
Jarred Sumner: @adelee_design <3
Jarred Sumner: @pebutler3 thanks!
Jarred Sumner: @altryne I'm going to strongly consider open sourcing this. Right now, the first thing I'd do if I wanted to poke around in the code is take a look at the Chrome extension in chrome dev tools. You'll find that the cookies are encrypted and sent without the password to the server only after being encrypted
Eric Koslow: @altryne Since this is a chrome extension you can at least view all of that source code to verify you're only ever sending encrypted data to the server.
Jarred Sumner: @cemkozinoglu <3
Jarred Sumner: @rotemthegolfer a lot of them! Netflix, HBO GO, HN, Product Hunt, most things rely on cookies and don't do many fancy things
Jarred Sumner: @edholloway that's a great question, and the honest answer is...maybe? I think most sites tend to store important stuff in the backend and stuff that's less important on the client. The goal here is to make it work really well for the most popular sites people use this for, and it seems like it does, so far.
Jarred Sumner: @tonybrix oof, that is something I didn't check before choosing this domain. It sounds like I'll have to send email someday through a different domain 😟 - or is there some way to prove to them it's a different owner so the score should get reset?
Jarred Sumner: @chirpingsha <3
Sergio Flores: @jarredsumner this is pretty cool.
Jarred Sumner: @danr_4 I'd love to find a way to make it work P2P. Fortunately, all session cookies are encrypted before reaching the server and the server never gets sent the password (not even in the logs). That means if someone did manage to get access to the database, all they'd get is a bunch of encrypted data without a way to use it. It also doesn't keep emails or any other personally identifiable information. It'd be really hard for a hacker to do anything at all with the data (or me, even)
Jarred Sumner: @rmilovanov Thanks Roman!
Jarred Sumner: @gpuntob thanks Giordano!
Jarred Sumner: @codeslayer1 thanks. It'll evolve w/ time :)
Jarred Sumner: @otymix you're welcome! Let me know if you have any questions or feedback on AccessURL
Jarred Sumner: @ze_rusty ❤ ❤ ❤
Jarred Sumner: @donte_ll Thanks Donte!
Ben Tossell: @jarredsumner Can you tell us about how it works technically?
Jarred Sumner: @simonstjohn thanks
Jarred Sumner: @rickats let me know what you think!
Jarred Sumner: @rbessuges <3
Jarred Sumner: @_jacksmith Thanks Jack!
Jarred Sumner: @owens Thanks Hunter!
Jarred Sumner: @rohillion Thanks!
Jarred Sumner: @bentossell Thanks!