This Gawker Thing



  • @pbean said:

     I know this is completely off-topic but the talk about encryption and such kind of made me wonder... whatever happened to morbs? I haven't seen him around here for quite a while... If I look at his profile, it says his last post was in July? I'm worried.

    He was posting in a thread the other day - I was also surprised to see him back. Don't trust CS's date-keeping mechanisms.



  • @The_Assimilator said:

    He was posting in a thread the other day
     

    You are mistaken, I'm afraid. You saw an old post in a spamrezzed thread.



  • @pbean said:

    whatever happened to morbs?
     

    He's busy IRL.



  • @da Doctah said:

    [quote user="HighlyPaidContractor"]

    Try building a profile of yourself based on the targeted spam you receive.  I'm a geriatric single-mom with erectile dysfunction.

     

    I'm apparently a Russian looking for a work-from-home data entry gig.

    [/quote]

    Somehow I'm a prescription drug addict who collects fine watches.



  • @MiffTheFox said:

    @da Doctah said:

    @HighlyPaidContractor said:

    Try building a profile of yourself based on the targeted spam you receive.  I'm a geriatric single-mom with erectile dysfunction.

     

    I'm apparently a Russian looking for a work-from-home data entry gig.

    Somehow I'm a prescription drug addict who collects fine watches.

     

    I have a lot of lady friends sending me messages on Facebook.



  • @HighlyPaidContractor said:

    Try building a profile of yourself based on the targeted spam you receive.

    I... don't get spam.

    Seriously. I don't know if it's because my email is on my own domain or what but my spam box only ever has false positives in it.



  • @Thief^ said:

    @HighlyPaidContractor said:

    Try building a profile of yourself based on the targeted spam you receive.

    I... don't get spam.

    Seriously. I don't know if it's because my email is on my own domain or what but my spam box only ever has false positives in it.

    So, what you're saying is... your spam is telling you that you don't exist.



  • @serguey123 said:

    ...yes the response is retarded, yes your password was not leaked off, but you see people are retarded, how much do you want to bet that people use stupid passwords that can be guessed from their email address and whatnot.
     

    And how long do you think we should be required as developers, admins, etc. to keep coddling people from their own stupidity?  Eternal September isn't going to end until we stop holding everyone's hand.



  • Great summary of the whole affair: http://blogs.forbes.com/firewall/2010/12/13/the-lessons-of-gawkers-security-mess/

    Here's a challenge: count the WTFs. (Telling line in article: "What Could Gawker Have Done Differently? Everything.")



  • @Master Chief said:

    @serguey123 said:

    ...yes the response is retarded, yes your password was not leaked off, but you see people are retarded, how much do you want to bet that people use stupid passwords that can be guessed from their email address and whatnot.
     

    And how long do you think we should be required as developers, admins, etc. to keep coddling people from their own stupidity?  Eternal September isn't going to end until we stop holding everyone's hand.

    The problem is that much of what we do is black magic to the average Joe.  It's hard not to be seen as stupid outside of your element.  I agree that users should get a clue but at the same time you should not need a Uni degree to use a website.  I mean, do you want to read a 200-page manual to operate your microwave?  I guess not, what we need is to make it look easy on the outside, make it good on the inside.  Usability is as important as security.

    A retarded website like this should have an authentication mechanism that is good enough to prevent spam and stolen information and easy enough not to burden the user that only wants to make a moronic comment.  Security should be as good as the information that it is guarding.

    A dilemma right?

    In conclusion, they should not have reset the password then, that is only publicity telling "we care", although they should prompt the users to reset their password now and then.



  • @blakeyrat said:

    Great summary of the whole affair: http://blogs.forbes.com/firewall/2010/12/13/the-lessons-of-gawkers-security-mess/

    Here's a challenge: count the WTFs. (Telling line in article: "What Could Gawker Have Done Differently? Everything.")

    Now, the only thing we need is an insider and we got ourselves an article here.



  • So... They had a break-in and somebody stole 50,000 email addresses.  They respond by publishing the complete list of addresses so you can "check" your email address was stolen?

    "Here blackhats, here's the whole list of emails we have; did you miss any when you were stealing them?"  WTF indeed.



  • @Qwerty said:

    So... They had a break-in and somebody stole 50,000 email addresses.  They respond by publishing the complete list of addresses so you can "check" your email address was stolen?

    Uh... not sure what article you're reading.

    The database dump had 1.3 *million* user records. (There were 1.5 million in total, but they stopped the dump at 1.3.) From those, they decrypted 200,000 passwords (before distributing the database dump to the public.) Where does the 50,000 number come from?

    Gawker never released their complete list of addresses, but it didn't matter since the hackers already had.



  • @serguey123 said:

    The problem is that much of what we do is black magic to the average Joe.  It's hard not to be seen as stupid outside of your element.  I agree that users should get a clue but at the same time you should not need a Uni degree to use a website.  I mean, do you want to read a 200-page manual to operate your microwave?  I guess not, what we need is to make it look easy on the outside, make it good on the inside.  Usability is as important as security.

    A retarded website like this should have an authentication mechanism that is good enough to prevent spam and stolen information and easy enough not to burden the user that only wants to make a moronic comment.  Security should be as good as the information that it is guarding.

    A dilemma right?

    In conclusion, they should not have reset the password then, that is only publicity telling "we care", although they should prompt the users to reset their password now and then.

     

    Sorry for the confusion, but I was merely commenting on password policies, not the situation Blakeyrat found himself in.  Frankly I agree with everything they did, storing passwords in a retrievable format is absolutely stupid, but what's done is done, and blanketing everyone who had data leaked versus who they thought had a password leaked is a very good idea, IMO.

    My problem is that passwords are nothing new.  People should know how to set a proper one without us having to hold their hands into doing it.  And if corporate secrets are stolen, or Government secrets leaked, or their identity is stolen because they like to use "password" as a password, then they should be held responsible for not properly securing their stuff.

    If someone doesn't lock their house, they have no reason to complain when someone walks off with their belongings.  If you leave your car unlocked and running all day in the parking lot, you have no space to bitch when someone drives it away.  Why is it computers are so different from anything else?



  • @blakeyrat said:

    (There were 1.5 million in total, but they stopped the dump at 1.3.)
     

    Oh well thank God.  You know I think at that point, stopping an attack is rather moot. Kinda like, your barn got broken into and they got all the prized stallions, but hey, you saved the feed bags.



  • @Master Chief said:

    @blakeyrat said:

    (There were 1.5 million in total, but they stopped the dump at 1.3.)
     

    Oh well thank God.  You know I think at that point, stopping an attack is rather moot. Kinda like, your barn got broken into and they got all the prized stallions, but hey, you saved the feed bags.

    The hacker's read me gave the impression they only stopped at 1.3 million because the dump was taking a long time and they got bored with it.

    That Forbes article had a funny line, about the code theft. Paraphrased: "with the source code, hackers can find more exploits to use in the future, but it's unclear whether there's anything left to take."



  • @Master Chief said:

    @serguey123 said:

    The problem is that much of what we do is black magic to the average Joe.  It's hard not to be seen as stupid outside of your element.  I agree that users should get a clue but at the same time you should not need a Uni degree to use a website.  I mean, do you want to read a 200-page manual to operate your microwave?  I guess not, what we need is to make it look easy on the outside, make it good on the inside.  Usability is as important as security.

    A retarded website like this should have an authentication mechanism that is good enough to prevent spam and stolen information and easy enough not to burden the user that only wants to make a moronic comment.  Security should be as good as the information that it is guarding.

    A dilemma right?

    In conclusion, they should not have reset the password then, that is only publicity telling "we care", although they should prompt the users to reset their password now and then.

     

    Sorry for the confusion, but I was merely commenting on password policies, not the situation Blakeyrat found himself in.  Frankly I agree with everything they did, storing passwords in a retrievable format is absolutely stupid, but what's done is done, and blanketing everyone who had data leaked versus who they thought had a password leaked is a very good idea, IMO.

    My problem is that passwords are nothing new.  People should know how to set a proper one without us having to hold their hands into doing it.  And if corporate secrets are stolen, or Government secrets leaked, or their identity is stolen because they like to use "password" as a password, then they should be held responsible for not properly securing their stuff.

    If someone doesn't lock their house, they have no reason to complain when someone walks off with their belongings.  If you leave your car unlocked and running all day in the parking lot, you have no space to bitch when someone drives it away.  Why is it computers are so different from anything else?

    As I said, security is not a black/white thing.  The level of security needed to protect something is directly proportional to how important that thing is.

    You can enforce strong passwords and people will still pick dumb passwords or use super strong ones and tape them to the monitor.

    I see two scenarios for them

    1. Security is unimportant for them, if so TRWTF is that they try to make people believe they care becoming hypocritical after the PR nightmare.
    2. Security is important, if so TRWTF is that they were incompetent, lazy and complacent, got punished for it and expected a different outcome.

    BTW, strong passwords that we need to remember are not the holy grail.  We should do better as well.

    I'll be sending you that 200-page manual for the screwdriver you just ordered.



  • @serguey123 said:

    As I said, security is not a black/white thing.  The level of security needed to protect something is directly proportional to how important that thing is.

    You can enforce strong passwords and people will still pick dumb passwords or use super strong ones and tape them to the monitor.

    I see two scenarios for them

    1. Security is unimportant for them, if so TRWTF is that they try to make people believe they care becoming hypocritical after the PR nightmare.
    2. Security is important, if so TRWTF is that they were incompetent, lazy and complacent, got punished for it and expected a different outcome.

    BTW, strong passwords that we need to remember are not the holy grail.  We should do better as well.

    I'll be sending you that 200-page manual for the screwdriver you just ordered.

     

    I disagree, I think everything should be secured the same, because of what was brought up earlier, that people use the same emails and password combinations across multiple sites.  But, I also think that, in the event they get that login info stolen, the website shouldn't be held responsible, the user should.



  • @Master Chief said:

    I disagree, I think everything should be secured the same, because of what was brought up earlier, that people use the same emails and password combinations across multiple sites.  But, I also think that, in the event they get that login info stolen, the website shouldn't be held responsible, the user should.

    Urgh, in this specific case, the website people were clearly incompetent.

    Also this begs the question: have you ever designed a security solution? I have.  The point of every system is cost/benefits, because all information is insecure, what you can do at most is act as a deterrent.  How much is the information worth?  How much are you willing to expend to protect it?  How much is someone willing to expend to steal it from you?

    Then you act accordingly.

    If the user uses the same password for a compromised system, the user is liable. If the company makes an insecure system, the company is liable.

    In this case if the company did not implement adequate security measures, saw sign of hacking and did not act on them, then the company is liable no matter how retarded the users are.

    It takes two to tango.  I agree that users don't make the best choices ever, but neither do companies.  What I think is that we need to implement better security models because frankly I don't think users will ever be fully aware of the security issues and we should not expect them to become security experts.



  • @Master Chief said:

    If someone doesn't lock their house, they have no reason to complain when someone walks off with their belongings.  If you leave your car unlocked and running all day in the parking lot, you have no space to bitch when someone drives it away. 

     

    Those are still crimes.  In fact, in the town I grew up in nobody locked their doors or their cars.  Although I'm not so sure it's that way any more.



  • @frits said:

    @Master Chief said:

    If someone doesn't lock their house, they have no reason to complain when someone walks off with their belongings.  If you leave your car unlocked and running all day in the parking lot, you have no space to bitch when someone drives it away. 

     

    Those are still crimes.  In fact, in the town I grew up in nobody locked their doors or their cars.  Although I'm not so sure it's that way any more.

    I didn't lock my doors until recently, when some kids from the high school (2 blocks away) got into my garage and spray-painted the walls. They didn't really damage anything (just cardboard walls, not painted or anything), and they didn't take anything, so it still wasn't a big deal. But I put a padlock on it after that, and started locking my house.



  • @pbean said:

     I know this is completely off-topic but the talk about encryption and such kind of made me wonder... whatever happened to morbs? I haven't seen him around here for quite a while... If I look at his profile, it says his last post was in July? I'm worried.

     

     IIRC the best way to rouse morbs is to revive a thread many days after its last post ^^



  • Turns out Gawker has a CTO: http://www.poynter.org/latest-news/romenesko/111549/gawker-tech-team-didnt-adequately-secure-our-platform/. God-knows what the guy did before last week, apparently he spent 40 hours a week playing WOW or something.

    He doesn't address anything specifically, like their failure to use a decent hash + salt for passwords. He does briefly mention that all their employees had awful passwords. It's pretty content-less other than saying they've regained control of their third-party accounts, and people need to reconfigure their Gmail accounts.



  • @blakeyrat said:

    Turns out Gawker has a CTO: http://www.poynter.org/latest-news/romenesko/111549/gawker-tech-team-didnt-adequately-secure-our-platform/. God-knows what the guy did before last week, apparently he spent 40 hours a week playing WOW or something.

    He doesn't address anything specifically, like their failure to use a decent hash + salt for passwords. He does briefly mention that all their employees had awful passwords. It's pretty content-less other than saying they've regained control of their third-party accounts, and people need to reconfigure their Gmail accounts.

    "we have never been afraid to take an unpopular or controversial stance with regard to individuals or organizations"

    OK.  That's fine.  But maybe saying things like "Bring It On 4Chan, Right to My Home Address"  isn't such a good idea after all.

     

     



  • I've always been of the opinion that users shouldn't have to know or care the site is running PHP. So why have it specified in the URL? The first thing I always do when cleaning up a codebase is strip all those pesky extra characters from links and configure the server so they aren't needed.

    Likewise, why should the homepage for coolsite.com be coolsite.com/index.omgwtfbbq and not just coolsite.com?






  • @MarkJ said:

    @Tessellated Cheese said:

    And they apparently encrypted the damn password, rather than salting and hashing them, the morons. There's the WTF.

    If you think that's bad...
    I asked our corporate travel website to retrieve my password.  They emailed it to me - in the clear!

    I ran into an app at my new job that stores passwords in the clear and displays them in the UI. However, they really had to work at it. The site is an ASP.Net 4.0 site, and uses Microsoft's membership libraries to manage users. With this library and just a few settings and a few seconds of work, you can do everything right. However, they wrote their own stored procedures around Microsoft's database structure, managing to make them vulnerable to SQL injection in the process. They also changed the encryption setting from the default (hash with salt) to clear text.

  • Discourse touched me in a no-no place

    @blakeyrat said:

    In case you haven't already received 40 bajillion emails from this, Gawker blog network (motto: single-handedly convincing society that blogs are lousy journalism) had their login database stolen, including emails and passwords.

    [horror story where everyone else took the database and if they found your email in their own account system, tried to force you to change your password there, too.]

    This makes me glad i have never created an account on Gawker.


  • Discourse touched me in a no-no place

    @serguey123 said:

    @blakeyrat said:

    @serguey123 said:
    Blakeyrat, cool off man,
    Sorry for being "uncool", but I use a handle on this site for a reason. Don't be an asshole.

    I'd appreciate it if a mod could remove my name there.

    Removed it myself, sorry about that, but if you want to remain anonymous, you should really check what you put on those webforms; it takes like 1 minute of googling. I thought you were aware that pretty much everybody can know who you are if they care. FYI, my handle is my name except for the numbers so...

    Given that he's previously provided links to multiple other sites where he's used his real name, he probably is well aware that people can find out who he is. You crossed a line there. Good for you, fixing your mistake, but it was still an asshole thing to do.



  • @FrostCat said:

    @serguey123 said:

    @blakeyrat said:

    @serguey123 said:
    Blakeyrat, cool off man,
    Sorry for being "uncool", but I use a handle on this site for a reason. Don't be an asshole.

    I'd appreciate it if a mod could remove my name there.

    Removed it myself, sorry about that, but if you want to remain anonymous, you should really check what you put on those webforms; it takes like 1 minute of googling. I thought you were aware that pretty much everybody can know who you are if they care. FYI, my handle is my name except for the numbers so...

    Given that he's previously provided links to multiple other sites where he's used his real name, he probably is well aware that people can find out who he is. You crossed a line there. Good for you, fixing your mistake, but it was still an asshole thing to do.

    TRWTF is necroing this thread after 3 years, thanks to signature guy sending replies to random posts.

    However, I learned something from this. I found out who blakey is, and that he does not live in the same city I do; he lives in the next city over. I also learned that Network Solutions is willing to sell me the domain ratsmating.com. For only $475. Uh, no thanks.

     


  • Discourse touched me in a no-no place

    @HardwareGeek said:

    @FrostCat said:

    @serguey123 said:

    @blakeyrat said:

    @serguey123 said:
    Blakeyrat, cool off man,
    Sorry for being "uncool", but I use a handle on this site for a reason. Don't be an asshole.

    I'd appreciate it if a mod could remove my name there.

    Removed it myself, sorry about that, but if you want to remain anonymous, you should really check what you put on those webforms; it takes like 1 minute of googling. I thought you were aware that pretty much everybody can know who you are if they care. FYI, my handle is my name except for the numbers so...

    Given that he's previously provided links to multiple other sites where he's used his real name, he probably is well aware that people can find out who he is. You crossed a line there. Good for you, fixing your mistake, but it was still an asshole thing to do.

    TRWTF is necroing this thread after 3 years, thanks to signature guy sending replies to random posts.

    However, I learned something from this. I found out who blakey is, and that he does not live in the same city I do; he lives in the next city over. I also learned that Network Solutions is willing to sell me the domain ratsmating.com. For only $475. Uh, no thanks.

     

    Oops. Well, it's his fault, not mine, for necroing the thread. I mean, how far back up the post chain should i look at the dates?


  • Considered Harmful

    @FrostCat said:

    @serguey123 said:

    @blakeyrat said:

    @serguey123 said:
    Blakeyrat, cool off man,
    Sorry for being "uncool", but I use a handle on this site for a reason. Don't be an asshole.

    I'd appreciate it if a mod could remove my name there.

    Removed it myself, sorry about that, but if you want to remain anonymous, you should really check what you put on those webforms; it takes like 1 minute of googling. I thought you were aware that pretty much everybody can know who you are if they care. FYI, my handle is my name except for the numbers so...

    Given that he's previously provided links to multiple other sites where he's used his real name, he probably is well aware that people can find out who he is. You crossed a line there. Good for you, fixing your mistake, but it was still an asshole thing to do.

    Gosh, his real name? You guys will never figure mine out.



  • @Jaime said:

    I ran into an app at my new job that stores passwords in the clear and displays them in the UI.
    Where I work, for reasons that have never been explained to me, users are unable to change their own LDAP passwords. It is necessary to file an IT ticket to have an administrator change them. I don't remember exactly why I had to have mine changed, but I think it had something to do with the IT FUBAR when I transitioned from contractor to employee. Anyway, the clueless offshore IT droid informed me of my new password by posting it as a comment on the ticket, where it would (and does) remain visible to every employee in the company for all time.

    Of course I immediately had it changed again. This time she only sent it to me in plain-text email. She evidently completely missed the concept of strong passwords – short and all lower-case letters. At least it wasn't a word – in English. It was pronounceable, so it could very well have been a word in some other language.


  • Considered Harmful

    @HardwareGeek said:

    @Jaime said:

    I ran into an app at my new job that stores passwords in the clear and displays them in the UI.
    Where I work, for reasons that have never been explained to me, users are unable to change their own LDAP passwords. It is necessary to file an IT ticket to have an administrator change them. I don't remember exactly why I had to have mine changed, but I think it had something to do with the IT FUBAR when I transitioned from contractor to employee. Anyway, the clueless offshore IT droid informed me of my new password by posting it as a comment on the ticket, where it would (and does) remain visible to every employee in the company for all time.

    Of course I immediately had it changed again. This time she only sent it to me in plain-text email. She evidently completely missed the concept of strong passwords – short and all lower-case letters. At least it wasn't a word – in English. It was pronounceable, so it could very well have been a word in some other language.


    At my job, passwords expire every 60 days, and you don't get to make them up. There's a web interface that shows you a list of equally meaningless jumbles of letters and numbers and you have to pick one off the list. At least you do if you don't figure out that you can save the hash from the value attribute of the checkbox and use Firebug to set it to the same thing it was 60 days ago; but no one would ever figure that out.



  • @joe.edwards said:

    Gosh, his real name? You guys will never figure mine out.
    I bet it's Mike


  • Trolleybus Mechanic

    @joe.edwards said:

    Gosh, his real name? You guys will never figure mine out.
     

    Is it Lorne?



  • @joe.edwards said:

    Gosh, his real name? You guys will never figure mine out.
    I know! It's Bob. MS Bob.


  • Trolleybus Mechanic

    @HardwareGeek said:

    @joe.edwards said:
    Gosh, his real name? You guys will never figure mine out.
    I know! It's Bob. MS Bob.
     

    That's his maiden name.

    Also, who's the asshole who put a logout bomb on this page?



  • @Lorne Kates said:

    Also, who's the asshole who put a logout bomb on this page?

    I could be wrong, but I think it's on the Google Indexing page, and I think it's the guy who asked, "What happens if I do this?"



  • @HardwareGeek said:

    @Lorne Kates said:
    Also, who's the asshole who put a logout bomb on this page?
    I could be wrong, but I think it's on the Google Indexing page, and I think it's the guy who asked, "What happens if I do this?"
    Yes.  In the "Google Indexing" thread, the last post by SamC contains this wonderful bit of html, which demonstrates a new level of Community Server retardedness that may not have been seen before:

     <img<font color="#FFFFFF">_</font><font color="#FFFFFF"></font>src="http://forums.thedailywtf.com/logout.aspx">

     (I put an invisible underscore between img and src so I didn't create another logout bomb)



  • @blakeyrat said:

    @serguey123 said:
    Blakeyrat, cool off man,

    Sorry for being "uncool", but I use a handle on this site for a reason.

    And so do I. I've used a "handle" everywhere I've ever been online since I went to Radio Shack and bought a 300 baud modem in 1985.  And, just like you, I own a domain name that is my real last name.

    However, unlike you, I don't post pictures here (or anywhere) that are hosted on the domain that is the same as my real name.  And I don't have a blog that contains my real name (and the handle used here).  I'm not going to say that it would be impossible for someone to find my real name, but it would be quite a bit harder than the 3.2 milliseconds it takes to find yours.

    Given all that, I think it's a little ridiculous to get upset over something like this.  I've seen other people react the same way and I've always found it puzzling. You don't walk around in public wearing a shirt with your name on it and then get mad when strangers call you by your name.

     


  • Trolleybus Mechanic

    @El_Heffe said:

    Yes.  In the "Google Indexing" thread, the last post by SamC contains this wonderful bit of html, which demonstrates a new level of Community Server retardedness that may not have been seen before:

     <img<font color="#FFFFFF">_</font><font color="#FFFFFF"></font>src="http://forums.thedailywtf.com/logout.aspx">

     (I put an invisible underscore between img and src so I didn't create another logout bomb)

     

    Ah, didn't realize I had that thread open in another tab.

    I have to admit, given it 5 minutes of thought and off the top of my head, I'm not sure how one would prevent this sort of logout bomb.  Umm-- maybe put a GUID in the user's session, then go to logout.aspx?token={guid}... and only do the logout if Querystring[token] == Session[logout_token]?

     


  • Considered Harmful

    @Lorne Kates said:

    @El_Heffe said:

    Yes.  In the "Google Indexing" thread, the last post by SamC contains this wonderful bit of html, which demonstrates a new level of Community Server retardedness that may not have been seen before:

     <img<font color="#FFFFFF">_</font><font color="#FFFFFF"></font>src="http://forums.thedailywtf.com/logout.aspx">

     (I put an invisible underscore between img and src so I didn't create another logout bomb)

     

    Ah, didn't realize I had that thread open in another tab.

    I have to admit, given it 5 minutes of thought and off the top of my head, I'm not sure how one would prevent this sort of logout bomb.  Umm-- maybe put a GUID in the user's session, then go to logout.aspx?token={guid}... and only do the logout if Querystring[token] == Session[logout_token]?

     


    Require HTTP POST for URLs with side effects.



  • @joe.edwards said:

    Require HTTP POST for URLs with side effects.
     

    That would be the proper solution if HTTP/HTML were sane standards. But it turns out any page can do a <form action="http://forums.thedailywtf.com/logout.aspx" method="post"> and submit it via javascript. So yes, every site requires a secret user session token to be sent with every important request ever. Or checking the referer header, but apparently that's unreliable.


    That's what I understood from the Wikipedia page anyways.
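The three designs the thread has now gone through, modelled in Python as an added example (not code from the thread or from Community Server): the unprotected GET logout that the `<img src>` trick fires, joe.edwards's POST-only variant, which a hidden cross-site form still defeats, and Lorne Kates's session-token check. `SESSIONS`, `Request`, `attempt` and `evaluate` are constructed stand-ins for the server and browser; the user "ronald" is a made-up name borrowed from the thread's joke.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# In-memory stand-in for the server-side session store (the ASP.NET Session object in the thread).
SESSIONS: dict[str, dict] = {}


@dataclass
class Request:
    """Minimal model of what reaches a handler: method, the cookies the browser attached, query string, form body."""
    method: str
    cookies: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def login(user: str) -> str:
    """Create a session and mint a per-session logout token; the returned id is what the cookie carries."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "logout_token": secrets.token_urlsafe(32)}
    return sid


def _session_for(req: Request):
    sid = req.cookies.get("session")
    return sid, SESSIONS.get(sid)


# 1. The logout-bomb target: any fetch of /logout.aspx that carries the session cookie ends the session.
def logout_unprotected(req: Request) -> tuple[int, str]:
    sid, sess = _session_for(req)
    if sess is None:
        return 200, "not logged in"
    del SESSIONS[sid]
    return 200, "logged out"


# 2. POST-only: stops <img src=...> (images are always fetched with GET) but not a hidden
#    <form method="post"> on another page that script submits; the browser still sends the cookie.
def logout_post_only(req: Request) -> tuple[int, str]:
    if req.method != "POST":
        return 405, "method not allowed"
    return logout_unprotected(req)


# 3. Session token: the request must echo a secret that only the site's own pages could have rendered,
#    because a third-party page cannot read this user's session.
def logout_with_token(req: Request) -> tuple[int, str]:
    if req.method != "POST":
        return 405, "method not allowed"
    sid, sess = _session_for(req)
    if sess is None:
        return 200, "not logged in"
    supplied = req.form.get("token", "")
    # compare_digest keeps the comparison constant-time, so response timing does not leak the token.
    if not hmac.compare_digest(supplied, sess["logout_token"]):
        return 403, "bad logout token"
    del SESSIONS[sid]
    return 200, "logged out"


def attempt(handler, method: str, has_token: bool) -> bool:
    """Log a fresh user in, send one logout request, and report whether the session was destroyed."""
    sid = login("ronald")  # constructed user name
    # A 2010-era browser attaches the session cookie even to requests triggered by another site.
    req = Request(method=method, cookies={"session": sid})
    if has_token:
        req.form["token"] = SESSIONS[sid]["logout_token"]  # only the site's own logout form knows this
    handler(req)
    return sid not in SESSIONS


def evaluate(handler) -> dict:
    """For one handler: does each request shape actually log the user out?"""
    return {
        "img_get": attempt(handler, "GET", False),       # <img src="http://.../logout.aspx">
        "forged_post": attempt(handler, "POST", False),  # auto-submitted cross-site form, no token
        "legit_post": attempt(handler, "POST", True),    # the forum's own logout form
    }


if __name__ == "__main__":
    for h in (logout_unprotected, logout_post_only, logout_with_token):
        print(h.__name__, evaluate(h))
```

The same token check applies to any request with a side effect, not just logout; the token just has to be something the cross-site page cannot obtain.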


  • Considered Harmful

    @anonymous235 said:

    @joe.edwards said:

    Require HTTP POST for URLs with side effects.
     

    That would be the proper solution if HTTP/HTML were sane standards. But it turns out any page can do a <form action="http://forums.thedailywtf.com/logout.aspx" method="post"> and submit it via javascript. So yes, every site requires a secret user session token to be sent with every important request ever. Or checking the referer header, but apparently that's unreliable.


    That's what I understood from the Wikipedia page anyways.


    The attack discussed is simply <img src="[bad url]">; if you have an XSS vulnerability, there are all sorts of bad things you can do. XSRF is what that link is about, and that would involve getting you to a site the attacker controls first (not difficult, people do follow links).



  • @Lorne Kates said:

    I have to admit, given it 5 minutes of thought and off the top of my head, I'm not sure how one would prevent this sort of logout bomb.  Umm-- maybe put a GUID in the user's session, then go to logout.aspx?token={guid}... and only do the logout if Querystring[token] == Session[logout_token]?

    Another site I frequent simply uses something like /logout?user=[userid] instead of a guid. Less work than using a separate token and almost as secure. They implemented this parameter because of links to the logout page either obfuscated via something like tinyurl or IMG SRC on other pages. (That forum was custom built and did not allow HTML)



  • @Zemm said:

    @Lorne Kates said:
    I have to admit, given it 5 minutes of thought and off the top of my head, I'm not sure how one would prevent this sort of logout bomb.  Umm-- maybe put a GUID in the user's session, then go to logout.aspx?token={guid}... and only do the logout if Querystring[token] == Session[logout_token]?

    Another site I frequent simply uses something like /logout?user=[userid] instead of a guid. Less work than using a separate token and almost as secure. They implemented this parameter because of links to the logout page either obfuscated via something like tinyurl or IMG SRC on other pages. (That forum was custom built and did not allow HTML)

    With modern technology, we can produce an image that logs Ronald out of the forum.



  • @Lorne Kates said:

    I have to admit, given it 5 minutes of thought and off the top of my head, I'm not sure how one would prevent this sort of logout bomb.
    At the risk of displaying my complete stupidity, there seem to be two problems.  First, is CS being horrendously broken.  Seriously, how in the holy fucking shit do you allow a non-image in an image tag and not put up a message that says "Hey you can't do that".  But, in all fairness, I guess we can't be too hard on CS, because, what about browsers?  If a browser is parsing a page and encounters an image tag that doesn't contain an image, and it just proceeds with processing the url, isn't that a huge security flaw? Couldn't you use that for something more malicious than just logging people out?

    @Ben L. said:

    With modern technology, we can produce an image that logs Ronald out of the forum.

    OK, that would be pretty cool.



  • @El_Heffe said:

    But, in all fairness, I guess we can't be too hard on CS, because, what about browsers?  If a browser is parsing a page and encounters an image tag that doesn't contain an image, and it just proceeds with processing the url, isn't that a huge security flaw? Couldn't you use that for something more malicious than just logging people out?

    The reason browsers can't fix that is that they don't KNOW if a URL is an image until they request it and parse the response. By that time, community server has already told your browser to delete the auth cookies and you're screwed. Even preventing GET requests from working on the logout page would stop that.



  • @Ben L. said:

    The reason browsers can't fix that is that they don't KNOW if a URL is an image until they request it and parse the response.
    WTF?  OK, I know that I am stupid and insane but that's the craziest thing I ever heard of.

    • Website sends html to browser
    • Browser parses the html and sees <img src="some url.aspx">
    • Browser says "WHOA!!  .aspx is not an image!! I'm not going to request that url!!"

     You actually can't do that?  My mind is blown once again.

