Aaron Parecki

  • 👉😎👉 Jay Phelps https://twitter.com/_jayphelps   •   Jan 4
    PSA to all TV app developers: when a user first signs-in please add a QR code that contains the “sign-in through your browser” URL along with the unique code as a query parameter.

    It will delight your users who have a phone that supports it (most do now)

    Examples 👇
    Aaron Parecki
    I'm very curious why the code but not the QR is obfuscated in the first one, but the QR and not the code is obfuscated in the second one... they contain the same data! But yes this is a good UX improvement on top of the OAuth device flow 👍
    Portland, Oregon • 41°F
    Tue, Jan 4, 2022 10:05pm -08:00
    2 likes 5 replies
    • 👉😎👉 Jay Phelps
    • theswayambhu
    • Aaron Parecki twitter.com/aaronpk
      Fair! Thankfully these codes come from the authorization server rather than the app, so unless you're also building our own AS there's less of a chance of messing that one up! Your comment about the QR code is spot on tho! That's an optimization the app dev can do for better UX
      Wed, Jan 5, 2022 2:04pm +00:00 (via brid.gy)
    • Tobi Adeleke twitter.com/TobiAdeleke4
      Same here but Lab_cyber on Instagram help me fix mine successful after a long wait go follow them for help
      Wed, Jan 5, 2022 8:03am +00:00 (via brid.gy)
    • 👉😎👉 Jay Phelps twitter.com/_jayphelps
      Hopefully so! I wouldn't personally bet that the devs of every TV app correctly expire these codes within a short time frame 😅 I've seen far worse security gaffes, I'm sure you have too.
      Wed, Jan 5, 2022 6:16am +00:00 (via brid.gy)
    • Aaron Parecki twitter.com/aaronpk
      They do! They also don't (can't) contain any identifying information at this stage in the flow. The only risk in sharing these screenshots is if you share them within like 10 minutes of seeing it, and then the "attacker" can log in their account to your TV so 🤷‍♂️
      Wed, Jan 5, 2022 6:10am +00:00 (via brid.gy)
    • 👉😎👉 Jay Phelps twitter.com/_jayphelps
      I thought the exact same thing but was too lazy to get my laptop out so I could scan the pictures with my phone to check if they indeed contain the unique code too or just the same generic URL 😂 in case it wasn't obvious they're not my screenshots. Hopefully the codes expire.
      Wed, Jan 5, 2022 6:07am +00:00 (via brid.gy)
Posted in /replies using indigenous.abode.pub/ios
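
The QR optimization discussed in this thread, as an added example that is not part of the original posts or any app's real code: it builds the QR payload from a device authorization response and refuses to show a code past its lifetime. Field names follow RFC 8628; the sample response, the `as.example` host, the `qr_payload` helper and the `user_code` query parameter used in the fallback are assumptions.

```python
import time
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed device authorization response (field names from RFC 8628).
SAMPLE_RESPONSE = {
    "device_code": "constructed-device-code",
    "user_code": "WDJB-MJHT",
    "verification_uri": "https://as.example/device",
    "expires_in": 600,   # seconds; the 10-minute window mentioned in the thread
    "interval": 5,
}


def qr_payload(resp, issued_at, now=None):
    """Return the URL to encode in the QR code, or None once the code expired."""
    now = time.time() if now is None else now
    if now >= issued_at + resp["expires_in"]:
        return None  # stop displaying it; the app must request a fresh code

    # Prefer the URL the authorization server built, when it sends one.
    url = resp.get("verification_uri_complete")
    if url is None:
        # Fallback: append the user code ourselves. The parameter name is an
        # assumption and must match what the authorization server accepts.
        parts = urlsplit(resp["verification_uri"])
        query = parse_qsl(parts.query, keep_blank_values=True)
        query.append(("user_code", resp["user_code"]))
        url = urlunsplit(parts._replace(query=urlencode(query)))

    if urlsplit(url).scheme != "https":
        raise ValueError("verification URI must be https")
    # The device_code is the secret the TV polls with; only the short-lived
    # user_code may appear on screen or in the QR code.
    if resp["device_code"] in url:
        raise ValueError("device_code must not appear in the QR payload")
    return url


if __name__ == "__main__":
    print(qr_payload(SAMPLE_RESPONSE, issued_at=time.time()))
```

The QR code and the on-screen code carry the same `user_code`, so obscuring one but not the other in a screenshot hides nothing.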

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming.
© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.