
Known (to me) FA vulnerabilities

deal w/ it, sassy
Lots of people have told me—with some disdain—that I should be reporting vulnerabilities. These people have sort of missed the point, insofar as I had one:
(a) FA does not consider security issues to be a high priority. Old, well-known exploits still exist, and are never fixed. New ones are still being created, and there's nothing in place to try to catch them. Most of the big FA crises in the past were easy to see coming.
(b) FA has a lot of security issues. And continues to expose its userbase to them. The users should probably be mad about that.

But hey, okay. Here's everything I know about, ranked by how easy it is to exploit. means it's technically possible, but scarcely worth the effort unless someone is super angry. means I could be doing it to you as you read this paragraph. (No, I'm not.) Severity is up to you.

This information alone is not enough to inflict damage.

Let's get CSRF out of the way, because it's almost cheating. And yes, this list already takes into account the fixes from this weekend:
An attacker can trick a user into watching any other user.
An attacker can trick a user into unwatching any other user.
An attacker can trick a user into faving any submission.
An attacker can trick a user into unfaving any submission.
An attacker can trick a user into posting any submission.
An attacker can trick a user into posting any journal.
An attacker can trick a user into creating any number of dummy submissions.
An attacker can trick a user into replacing the content of any of that user's submissions.
An attacker can trick a user into changing the description of any of that user's submissions.
An attacker can trick a user into changing any of that user's journals.
An attacker can trick a user into deleting any submission the user owns.
An attacker can trick a user into deleting any journal the user owns.
An attacker can trick a user into deleting any combination of shouts on that user's page.
An attacker can trick a user into making any comment on any journal or submission.
An attacker can trick a user into making a dummy comment on any journal or submission.
An attacker can trick a user into posting any shout on any other user's userpage.
An attacker can trick a user into hiding any comment the user is allowed to hide.
An attacker can trick a user into logging out.
An attacker can trick a user into changing that user's profile text and metadata.
An attacker can trick a user into changing that user's avatar.
An attacker can trick a user into replacing that user's existing avatars.
An attacker can trick an admin into exercising any administrative powers.
There's also a meta-exploit which would allow creating a socially-replicating worm, fairly untraceable, not requiring persistent hosting outside FA, and capable of doing any of the above.

Others:
An attacker can steal user passwords over open wifi (such as that at furry conventions).
An attacker can steal user sessions over open wifi (such as that at furry conventions).
An attacker can log out every logged-in user and prevent anyone else from logging in, including administrators.
Banned users can hide comments they would otherwise be able to hide.
Banned users can post comments on journals.
Blocked users can reply to comments on the blocker's submissions and journals.
Meta: read-only and admin mode are kind of worthless. They didn't stop the escalation exploit on Friday, and they didn't stop the PHP execution vulnerability I witnessed first-hand many years ago.


There are several parts of the site I've just never used, so I don't claim that this is exhaustive. (I've never used trouble tickets, for example, and that would be a great place for an exploit: a direct, guaranteed audience with an admin.)

If I missed anything, please let me know. If you think any of the above make it obvious what the exploits are to someone who wouldn't already know, definitely let me know and I'll try to be more vague.

I will happily explain, to any FA admin who asks, how any of these work and how to prevent them. But it is not my responsibility to chase people down and try to make them care.


There are very many combinations of attacks that would let a single person destroy the entire site.

Also I hear something about a $50 bug bounty.

Comments

inaki
Oct. 18th, 2010 07:39 am (UTC)
Fur Affinity
Error 503

GOOD ONE EEVEE
eevee
Oct. 18th, 2010 07:41 am (UTC)
Oh I forgot one.

An attacker can bring down the entire site by waiting long enough.


edit: Oh what it's actually down.

Edited at 2010-10-18 07:42 am (UTC)
habnabit
Oct. 18th, 2010 07:56 am (UTC)
False alarm; back up again. :(
Rebelmyster
Oct. 18th, 2010 09:33 am (UTC)
you're my hero xD
armaina
Oct. 18th, 2010 08:04 am (UTC)
It baffles me that people still whine at you 'you should have told them' when the problem is specifically related to how the site itself runs. And that factor alone has been brought up on numerous occasions. All of this would not have been a problem had they just fixed how the functions themselves work.
baphijmm
Oct. 18th, 2010 09:41 am (UTC)
It baffles me that people still whine about this when it *has* been brought up. Numerous times.
armaina
Oct. 18th, 2010 09:44 am (UTC)
I'm not sure if you're saying this to agree with me, or because I should correct my sentence structure.
baphijmm
Oct. 18th, 2010 09:48 am (UTC)
I'm saying it because I completely glossed over the second sentence for some reason. o.o
baphijmm
Oct. 18th, 2010 09:43 am (UTC)
As an inexperienced individual with some knowledge, I must say it doesn't take much effort at all for me to come up with scenarios that would lead to a few of these occurring. I'm possibly very wrong, though.
duskwuff
Oct. 18th, 2010 03:09 pm (UTC)
If you've read this entry carefully, the vector for all but the last five exploits should be pretty obvious. They're all the same vulnerability, just used different ways.

(But no, this doesn't mean they can all be fixed the same way!)

eevee
Oct. 18th, 2010 03:18 pm (UTC)
Some of them are actually vanilla CSRF plus some other oversight. There's a surprising amount of variance in what you can do and how hard it is to pull off.
baphijmm
Oct. 18th, 2010 03:25 pm (UTC)
Then I am glad to know my brain is still working. :3
duskwuff
Oct. 18th, 2010 03:08 pm (UTC)
Also I hear something about a $50 bug bounty.

furrykef
Oct. 19th, 2010 12:23 am (UTC)
That comic only applies when the people who get paid for fixing the bugs are the same people who make the bugs. Eevee isn't a coder for FA or these problems wouldn't even exist.
duskwuff
Oct. 19th, 2010 12:24 am (UTC)
Yes, but at the rate Vee is discovering bugs, he'll discover himself a new minivan pretty soon. :)

Edited at 2010-10-19 12:24 am (UTC)
sonious
Oct. 19th, 2010 06:56 am (UTC)
If it's 50 a bug, he's already at 1350, so he could get a used one.
katisconfused
Oct. 18th, 2010 05:11 pm (UTC)
An attacker can trick a user into logging out.
Yeah I know nothing about coding and shit that isn't very basic, and up until my dA sub ran out I had a menu in my journal where one of the links was "complain about Kat" that linked to da.com/users/logout *giggle*
plemming
Oct. 18th, 2010 06:59 pm (UTC)
Hmnn.
It's sad that you have to spell it out like this.

I really, really don't want to be one of those crotchety old gits that goes 'good old days blah blah blah' (at the ripe old age of 22) but seriously. At least when it was hard to make an interactive, user-driven content website, this kind of bullshit didn't last long. Sure the websites were shit and slow and insecure owing to the inexperience of all involved, but they were professionals and if you gave a professional coder a list like this about one of their products, they would superglue their testicles to their keyboard until it was all fixed.

I wonder how I manage to have pride in my work when it appears you can be successful online without giving a shit. Oh Internet, what a fun place you are.
eevee
Oct. 18th, 2010 07:04 pm (UTC)
Re: Hmnn.
Even spelling it out doesn't seem to be having a lot of impact, either. Eh.
nrr
Oct. 19th, 2010 05:11 am (UTC)
Re: Hmnn.
You're worried about being a crotchety old git while roleplaying as a Psygnosis (I guess it's Sony now!) lemming? Man...
sonious
Oct. 19th, 2010 06:49 am (UTC)
Re: Hmnn.
Web 2.0 does have its disadvantages to be sure, but I'd rather go with the understanding that one should be responsible for their own security and not trust a website to do it for them.

Which is why I don't use facebook, and don't put any real personal information on any sites.
eevee
Oct. 19th, 2010 04:02 pm (UTC)
Re: Hmnn.
Learn about SSL and beware of public wifi. That's really all the public should be obligated to do. CSRF and whatever other nonsense shouldn't have to be your concern. (NoScript is nice for defending against some more intricate attacks, though.)
eira_gynne
Oct. 18th, 2010 06:59 pm (UTC)
I love to feel vulnerable. Wait, what?
sorethumb
Oct. 18th, 2010 10:38 pm (UTC)
HOW DARE YOU PUBLICLY POST THIS LIST?

I suggest you turn all the stars into frownie faces. That way the audience realizes that these aren't little medals. Until then, I'll continue pretending I'm offended!

sonious
Oct. 19th, 2010 06:54 am (UTC)
Banned users can hide comments they would otherwise be able to hide.
Banned users can post comments on journals.

Well, you could technically tell Allen how to do these, I'm sure they'll get fixed then. But then you'd be an ass.
eevee
Oct. 19th, 2010 03:56 pm (UTC)
T'would be a sad state indeed if it took a major catastrophe around every single exploit to get them fixed. But that's how things have gone so far.

Though I don't have a lot of faith in Allen's ability to... do anything, really.
itrasbiel
Oct. 19th, 2010 07:20 pm (UTC)
fyi, you can force a defav (using a different url in the control panel), and if you combine that with the standard fav toggle url i suspect you could force a fav.
eevee
Oct. 19th, 2010 07:23 pm (UTC)
Aha, clever. I'll drop the disclaimer about toggling, then.
chipotle
Oct. 19th, 2010 11:24 pm (UTC)
While this all vaguely disturbs me, it's mostly in that way of "these are things I am going to have to think about as I design my long-delayed furry story archive." I'm sitting here thinking, "Huh. Is my delete item action just a URL that can be hit with GET? I can't remember."

(To be fair to myself, I know that all the item management code requires you to be logged in as the user who owns the item being managed, and that at the moment the delete action doesn't actually do anything anyway. But even so.)
eevee
Oct. 19th, 2010 11:26 pm (UTC)
Dude, is anyone not designing their own art store?

Being logged in doesn't help so much; that's how I racked up 950 watchers without their involvement.
(Anonymous)
Oct. 20th, 2010 12:09 am (UTC)
Designing your own archive site is the furry version of designing your own blog software.

I'd think that you shouldn't be able to add someone to a watchlist unless you're (a) logged in (b) as the user who owns the watchlist being modified. I'm sure there are ways to subvert that, but that's a pretty basic sanity check which I'm guessing FA is (sigh) not making.

(For the record, I'm also writing in Python, although unlike the sadly defunct Ferrox, I'm using Django rather than Pylons.)
chipotle
Oct. 20th, 2010 12:11 am (UTC)
...and I really need to watch posting from the office browser to make sure I'm actually logged in, dammit.
insane_kangaroo
Oct. 24th, 2010 06:11 am (UTC)
:3 I've been using Django ever since 0.94~, the framework is fantastic.
(Anonymous)
Oct. 20th, 2010 10:28 pm (UTC)
XD I remember I once did the unwatching and watching one, it was funny but I stopped after a day on anyone who visited that journal
eagle_bird
Oct. 22nd, 2010 09:50 pm (UTC)
I love this, it's a laughing stock.
kupok
Oct. 23rd, 2010 08:31 am (UTC)
What kinds of soup can I make with Laughing Stock? Is it closer to a Beef Stock, or a Chicken Stock?
eagle_bird
Oct. 23rd, 2010 11:16 pm (UTC)
the kinds that make people giggle stupidly while shitting their pants
octan
Oct. 26th, 2010 06:45 am (UTC)
Man, I work for a professional Web design company and this is the first time I've heard of CSRF. Maybe I should just hand in my ID now....

But in seriousness, is this just because all the things on this list are either hyperlinks or forms that use GET (or use POST but rely on $_REQUEST instead of $_POST for sniffing)? If so, it sounds like a retardedly easy fix for half of them and some minor tweaking at most for the others.

Also, I noticed that deviantART has hyperlinks for most of these things too. Does that mean they're as vulnerable to these attacks as FA is? Because if it is, major lulz.
eevee
Oct. 26th, 2010 06:51 am (UTC)
POST is vulnerable to CSRF as well, though GET is certainly easier to exploit. (But actions should always be POST. That's what it's for.)

dA's links are all javascript nonsense, so all bets are off there. Might be vulnerable, might not be.
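The point eevee makes here (POST alone does not stop CSRF; merging GET and POST parameters the way $_REQUEST does makes it worse) is the same one behind the long list in the post, where almost every entry is some variant of "trick a user into submitting a state-changing request". The following Python is an added illustration, not code from the post or from Fur Affinity: it models one "watch this user" action behind three hypothetical handlers (any-method, POST-only, and POST plus a session-bound token) and runs the same legitimate and forged requests against each. All names (`Session`, `User`, `watch_handler_*`, `simulate`) are invented for the example; the forged requests stand in for a cross-site form or image tag, which can choose the method and fields but cannot read the victim's session token.

```python
import hmac
import secrets


class User:
    """Constructed stand-in for a site account with a watch list."""
    def __init__(self, name):
        self.name = name
        self.watching = set()


class Session:
    """Server-side session: the logged-in user plus a per-session CSRF token.
    The token is only ever embedded in pages the site renders for this user."""
    def __init__(self, user):
        self.user = user
        self.csrf_token = secrets.token_hex(32)


def render_watch_form(session, target):
    """What the site's own 'watch' form submits: the target plus the token."""
    return {"target": target, "csrf_token": session.csrf_token}


def watch_handler_any_method(session, method, params):
    """Weakest: acts on whatever arrived, like reading $_REQUEST.
    A plain link or <img src=...> (a GET) is enough to trigger it."""
    session.user.watching.add(params["target"])
    return 200


def watch_handler_method_only(session, method, params):
    """Requires POST but no token. A cross-site auto-submitting form still
    succeeds, because the browser attaches the victim's cookie to the POST."""
    if method != "POST":
        return 405
    session.user.watching.add(params["target"])
    return 200


def watch_handler_with_token(session, method, params):
    """Hardened: POST only, and the submitted token must equal the session's.
    compare_digest keeps the comparison constant-time."""
    if method != "POST":
        return 405
    submitted = params.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session.csrf_token):
        return 403
    session.user.watching.add(params["target"])
    return 200


def simulate(handler):
    """Run one legitimate and two forged requests through `handler`.
    Returns (legit_status, forged_get_status, forged_post_status, watching)."""
    victim = User("victim")
    session = Session(victim)
    # Legitimate: the user submits the form the site rendered for them.
    legit = handler(session, "POST", render_watch_form(session, "friend"))
    # Forged: another origin picks the method and fields, but the token is
    # not in any cookie, so it never reaches the attacker's page.
    forged_get = handler(session, "GET", {"target": "attacker"})
    forged_post = handler(session, "POST", {"target": "attacker"})
    return legit, forged_get, forged_post, sorted(victim.watching)


if __name__ == "__main__":
    for h in (watch_handler_any_method, watch_handler_method_only,
              watch_handler_with_token):
        print(h.__name__, simulate(h))
```

Only the token-checking handler leaves the victim's watch list untouched by the forged requests; the POST-only handler rejects the GET but still accepts the forged POST, which is exactly why "use POST" on its own is not a CSRF fix. The same token check applies unchanged to fav, comment, delete and the other actions in the list, and GET must never change state regardless, since a link or image can issue it without any form at all.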
stokerbramwell
Nov. 4th, 2010 10:49 pm (UTC)
...well THIS is certainly a disturbing little eye-opener. o_o

I knew FA had problems, but geez...
chrisdragon
Jan. 12th, 2011 05:20 pm (UTC)
It would actually be NICE if someone would take the time to FIX all those holes on the site, unlike how slow shit is fixed on FA..who is more or less focused on features rather than bug fixes.. >.>

When it comes to speed on fixing things, I'd prefer you over Yak if you were still allowed on the site.