They're in ur browzer, refrrring your sitez! September 30, 2008 4:06 AM

So, suffering a bout of insomnia, I find myself browsing /. and find this little morsel, pointing at an article here.

I searched the site for 'cross-site request forgery' and found nuthin'.

So, great, benevolent admins -- what gives? Can you elucidate on the issue and/or the fix? It's not a big deal, just surprised at seeing the blue called out elsewhere regarding a (patched) vulnerability and was surprised not to see any mention of it here.

Then again, it's wicked late and I'm a little stoopid - may have missed the news...
posted by drfu to MetaFilter-Related at 4:06 AM (27 comments total)

More information.
Full PDF

Thanks to Matt and pb for recognising the importance of these things and getting them sorted so quickly.
posted by NinjaTadpole at 4:22 AM on September 30, 2008


Hey I just saw that too - were you checking to see if your less than AA rated ING account was vulnerable, like I was?

How about bank.metafilter.com - could be a safer option? Couldn't be less safe than the alternatives.
posted by strawberryviagra at 4:37 AM on September 30, 2008


this is why we can't have nice thi... er, IMG tags.
posted by yeoz at 4:59 AM on September 30, 2008


Dudes, you're totally missing the main thing... we're on the same level as The New York Times, YouTube and ING. I believe a round of back-patting is in order. Oh, and here's what actually was wrong with MetaFilter: "The bug on the MetaFilter blogging site let an attacker set a user’s email address to the attacker’s, and then basically take over the victim’s account." Wasn't that one of these things dhoyt did?
posted by Kattullus at 5:13 AM on September 30, 2008


Oh wait... no... dhoyt took over that account he took over by bombarding it with password requests, if I remember correctly.
posted by Kattullus at 5:14 AM on September 30, 2008


NinjaTadpole: "Thanks to Matt and pb for recognising the importance of these things and getting them sorted so quickly."

This came up on MeTa in October 2006, and Matt made a lot of changes in response, but not before it was exploited grey-hat style. On the other hand, if things were entirely sorted out, we'd have IMG tags again.
posted by Plutor at 5:39 AM on September 30, 2008


"Oh wait... no... dhoyt took over that account he took over by bombarding it with password requests, if I remember correctly."

I thought that was Pretty Generic, or a guy Pretty Generic met in a chatroom.
posted by Lentrohamsanin at 5:41 AM on September 30, 2008


Wait, img tags were banned as a security thing? I thought it was just that they were obnoxious. (Hilarious. But obnoxious.)
posted by DU at 5:46 AM on September 30, 2008 [1 favorite]


This thread.
posted by smackfu at 5:59 AM on September 30, 2008


No, DU, the official line is img was banned because of the security risk. It'd be interesting to see if we got it back if it was fixed.
posted by sveskemus at 6:23 AM on September 30, 2008


We've always been at war with IMGeania.
posted by DU at 6:25 AM on September 30, 2008


RIP IMG TAG
February 25, 1993 - October 22, 2006
posted by Plutor at 6:31 AM on September 30, 2008 [2 favorites]


Wasn't the essential argument that the IMG tag could not be fixed, period, and so the only way to fix it would be for MeFi to host all the images locally?
posted by smackfu at 6:41 AM on September 30, 2008


"This came up on MeTa in October 2006, and Matt made a lot of changes in response, but not before it was exploited grey-hat style."
Indeed, on the same day that it was highlighted and exploited, it was fixed. Which is pretty quick, isn't it?

I miss PG and his elfen trickses.
posted by NinjaTadpole at 7:23 AM on September 30, 2008


"Oh wait... no... dhoyt took over that account he took over by bombarding it with password requests, if I remember correctly."

No, dhoyt just took over several accounts by signing up for them.
posted by cortex (staff) at 7:37 AM on September 30, 2008 [3 favorites]


This explains all idiotic comments I have ever made.
posted by Rumple at 9:03 AM on September 30, 2008


This is the oldest img comment, and this is the oldest one still working.
posted by Plutor at 9:49 AM on September 30, 2008


Freedom to Tinker:
(MetaFilter fixed this vulnerability in less than two days. We appreciate the fact that MetaFilter contacted us to let us know the problem had been fixed.)
Not that anyone here is surprised that the admins are on the ball, but nonetheless a kudos is in order!
posted by Lemurrhea at 10:30 AM on September 30, 2008


Yay, null terminated!

"Not that anyone here is surprised that the admins are on the ball, but nonetheless a kudos is in order!"

When Bill first showed me the exploit, I freaked. Me and pb had a temp fix ready in about an hour that we released to prevent the contacts exploit. Over the next two days we completely revamped site security here, doing work we had been putting off for a year or two. It was casually mentioned a year or two back in MetaTalk when we changed the password retrieval and added the https://login server encryption. But basically we completely rewrote the user authentication system with security in mind and Bill's work was kind of the straw that broke the camel's back in that regard and I want to thank him for kicking us in the butt and making us bring the site up to date. I think all told the project eventually took another two weeks to finish and work all the bugs out, but it really enabled us to do a million other things thanks to the solid base we had to build off of.
posted by mathowie (staff) at 10:45 AM on September 30, 2008


Wait, weren't pretty Pretty_Generic and dhoyt the same person? This is so damn hard to keep straight.
posted by Kattullus at 11:20 AM on September 30, 2008


All the site spammers are the same person. I blame cloning. And PayPal.
posted by Cranberry at 11:29 AM on September 30, 2008


"Wait, weren't pretty Pretty_Generic and dhoyt the same person? This is so damn hard to keep straight."

God help us if that were so. No.
posted by cortex (staff) at 12:05 PM on September 30, 2008


I felt bad bringing MetaFilter into this, but I'm glad I could help bring the security up to speed. Obviously MetaFilter shouldn't be held to the same standard as ING, but Matt actually took care of the problem much more quickly than any of the other sites. I hope my comment "(MetaFilter fixed this vulnerability in less than two days. We appreciate the fact that MetaFilter contacted us to let us know the problem had been fixed.)" didn't come off as too passive-aggressive.
posted by null terminated at 1:23 PM on September 30, 2008


(I mean "passive-aggressive" in the sense that none of the other sites contacted us when they had fixed the problems)
posted by null terminated at 1:25 PM on September 30, 2008


Yeah, I read it as Genuinely Appreciate The Responsiveness, not some backhanded thing or whatever.
posted by cortex (staff) at 1:36 PM on September 30, 2008


Awesome job guys. I just came to MetaTalk after noticing that Slashdot article to ask this very question, and here it's all fixed and fully disclosed and stuff. Now to check on my new ING account...
posted by odinsdream at 4:47 PM on September 30, 2008


Today at CNET News.com -- Researchers find security holes in NYT, YouTube, ING, MetaFilter sites -- "Attackers could have used vulnerabilities on several Web sites to compromise people's accounts, allowing them to steal money, harvest e-mail addresses, or pose as others online."
posted by ericb at 5:12 PM on October 2, 2008

