hashed passwords
OK, can anyone explain to me the security risk of having someone's hashed password? Considering that when it is sent to the web server, it will be hashed and compared against the one from the database.
So OK, say you have the hash: you send it, the server will make a hash of the hash, and it will wrongly compare to the database, therefore preventing anyone from accessing the account.
It's only sites which access passwords without transformation that are in trouble, AFAIK. Maybe I am wrong, but that's the way I see it.
Also, what kind of website returns an entire user row from the database, including that information, to the browser so that it can be harvested? I mean, don't we all accept the username + password, store the member ID (primary key row ID) in the session, and THAT'S it? Only in the client area do you show the rest. So the only way you could extract that information is if it's being transmitted in the first place, in some way; if you don't transmit it, you can't copy it. Simple, right?
So what the hell were they doing at Spotify????
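As an added example (not code from the original post), here is the flow the post describes in Python: the server salts and slowly hashes whatever arrives in the password field, so submitting the stored hash itself produces a hash of a hash that does not match. The table name `USERS`, the functions `register`/`login`/`stored_hash_hex` and the iteration count are assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory "users table": username -> (salt, hash).
# Stands in for the database row the post talks about.
USERS: dict[str, tuple[bytes, bytes]] = {}
ITERATIONS = 600_000  # PBKDF2 work factor (assumed value for the example)


def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted hash of the cleartext the user actually typed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    # Fresh per-user salt: two users with the same password get different hashes.
    salt = os.urandom(16)
    USERS[username] = (salt, derive(password, salt))


def login(username: str, submitted: str) -> bool:
    """What the server does with whatever shows up in the password field."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(derive(submitted, salt), stored)


def stored_hash_hex(username: str) -> str:
    """The value a database leak would expose for this user."""
    return USERS[username][1].hex()


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(login("alice", "correct horse battery staple"))  # True
    leaked = stored_hash_hex("alice")
    # Sending the leaked hash gets hashed again and does not match the row.
    print(login("alice", leaked))  # False
```

The leaked value still matters because it lets anyone check password guesses against it offline without talking to the server; the per-user salt and the high iteration count are what make each such check expensive.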