While searching for job-posting websites like Monster or CareerBuilder, I came across one called Dice and decided to give it a try. When I signed up, I used my personal email. I have a different email that I use for work and school, which I wanted to switch to. It was simple enough:
- Log in to your account
- Open up User settings
- Type in a new email address
- Click Apply
You don’t have to type in your password and there’s no confirmation email; the change is made immediately. You may already see where I’m going with this.
Changing the password requires you to type in your old password. Resetting the password, however, only requires clicking a verification link sent to the email address associated with the account.
Furthermore, the login is the email address associated with the account.
Put it all together and all somebody needs is access to your account (an open session left on a public PC, or a hacker who obtained a session cookie off your PC). They can then change your email address and reset the password. The user never receives any kind of confirmation email, so any tech-savvy person can easily (and stealthily) hijack the account. Even worse, because the email address has changed, the login has changed as well. To a novice user, it may appear that their account has simply disappeared. A more savvy user may figure out that their account was hijacked, but there is no simple procedure for recovering it, so they would have to contact tech support and possibly wait a day or more to get it back.
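As an added illustration (not Dice's code or anything from the original post), here is a constructed Python model of the email-change flow described above next to a hardened version that re-authenticates the user, stages the change behind a token mailed to the new address, and notifies the old address so a hijack cannot go unnoticed. `Account`, `change_email_weak`, `request_email_change` and `confirm_email_change` are my own names, and the in-memory outbox stands in for real mail delivery.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Account:
    """Constructed in-memory account; a real system stores a password hash."""
    email: str
    password: str
    pending_email: Optional[str] = None
    pending_token: Optional[str] = None
    outbox: List[Tuple[str, str]] = field(default_factory=list)  # (to, message)


def change_email_weak(acct: Account, new_email: str) -> None:
    """The flow the post describes: a valid session is enough, the change is
    immediate, and neither address is told. Because the email is also the login,
    whoever holds the session now owns the account."""
    acct.email = new_email


def request_email_change(acct: Account, current_password: str, new_email: str) -> bool:
    """Hardened step 1: re-authenticate, stage the change, and mail both addresses."""
    if not hmac.compare_digest(current_password, acct.password):
        return False  # a session alone must not be enough to touch the login identifier
    acct.pending_email = new_email
    acct.pending_token = secrets.token_urlsafe(32)
    acct.outbox.append((new_email, f"confirm your new address: {acct.pending_token}"))
    acct.outbox.append((acct.email, f"a change of login email to {new_email} was requested"))
    return True


def confirm_email_change(acct: Account, token: str) -> bool:
    """Hardened step 2: apply the change only when the token mailed to the new
    address comes back, then tell the old address what happened."""
    if acct.pending_token is None or not hmac.compare_digest(token, acct.pending_token):
        return False
    old_email, acct.email = acct.email, acct.pending_email
    acct.pending_email = acct.pending_token = None
    acct.outbox.append((old_email, f"your login email is now {acct.email}"))
    return True
```

With the hardened flow, a stolen session by itself can neither change the login email nor silence the notice sent to the original address.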
Dumb security at its finest. Given the blunders that have befallen services like LinkedIn, you’d think other major web services would have caught on by now and tightened security. Unfortunately, that is not the case.