Lots of people have told me—with some disdain—that I should be reporting vulnerabilities. These people have sort of missed the point, insofar as I had one:
(a) FA does not consider security issues to be a high priority. Old, well-known exploits still exist, and are never fixed. New ones are still being created, and there's nothing in place to try to catch them. Most of the big FA crises in the past were easy to see coming.
(b) FA has a lot of security issues. And continues to expose its userbase to them. The users should probably be mad about that.
But hey, okay. Here's everything I know about, ranked by how easy it is to exploit. ☆☆☆ means it's technically possible, but scarcely worth the effort unless someone is super angry. ★★★ means I could be doing it to you as you read this paragraph. (No, I'm not.) Severity is up to you.
This information alone is not enough to inflict damage.
Let's get CSRF out of the way, because it's almost cheating. And yes, this is including the fixes from this weekend:
★★☆ An attacker can trick a user into watching any other user.
★★☆ An attacker can trick a user into unwatching any other user.
★★☆ An attacker can trick a user into faving any submission.
★★★ An attacker can trick a user into unfaving any submission.
★★☆ An attacker can trick a user into posting any submission.
★★☆ An attacker can trick a user into posting any journal.
★★★ An attacker can trick a user into creating any number of dummy submissions.
★★☆ An attacker can trick a user into replacing the content of any of that user's submissions.
★★☆ An attacker can trick a user into changing the description of any of that user's submissions.
★★☆ An attacker can trick a user into changing any of that user's journals.
★★★ An attacker can trick a user into deleting any submission the user owns.
★★★ An attacker can trick a user into deleting any journal the user owns.
★☆☆ An attacker can trick a user into deleting any combination of shouts on that user's page.
★★☆ An attacker can trick a user into making any comment on any journal or submission.
★★★ An attacker can trick a user into making a dummy comment on any journal or submission.
★★☆ An attacker can trick a user into posting any shout on any other user's userpage.
★★☆ An attacker can trick a user into hiding any comment the user is allowed to hide.
★★★ An attacker can trick a user into logging out.
★★☆ An attacker can trick a user into changing that user's profile text and metadata.
★★☆ An attacker can trick a user into changing that user's avatar.
★☆☆ An attacker can trick a user into replacing that user's existing avatars.
★☆☆ An attacker can trick an admin into exercising any administrative powers.
There's also a meta-exploit which would allow creating a socially-replicating worm, fairly untraceable, not requiring persistent hosting outside FA, and capable of doing any of the above.
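As an added illustration (not FA's code and not from the post), the shape of the problem behind the CSRF list above, and the fix that also answers the GET/`$_REQUEST` question raised in the comments: a state-changing handler that honours any logged-in request, beside one that accepts POST only, checks a per-session token, and acts only on the logged-in user's own watchlist. The `$session` array, the handler names and the `target` parameter are assumed.

```php
<?php
// Added example, not FA's code. Assumes a $session array holding the
// logged-in user's id and handlers that take method and parameters explicitly.

// Vulnerable shape: any logged-in request is honoured, so a watch action that
// is reachable by GET (or that reads $_REQUEST) fires when the victim's browser
// loads a link or form placed on another site, with the cookie attached
// automatically by the browser.
function watch_vulnerable(array $session, array $request): string {
    if (empty($session['user_id'])) {
        return 'login required';
    }
    return "user {$session['user_id']} now watches {$request['target']}";
}

// Hardened shape: one random token per session, stored server-side and
// embedded in the site's own forms; the handler accepts POST only and
// compares the submitted token in constant time.
function csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function watch_hardened(array &$session, string $method, array $post): string {
    if (empty($session['user_id'])) {
        return 'login required';
    }
    if ($method !== 'POST') {
        return 'rejected: state changes must use POST';
    }
    if (!hash_equals(csrf_token($session), (string) ($post['csrf_token'] ?? ''))) {
        return 'rejected: missing or wrong CSRF token';
    }
    if (!isset($post['target'])) {
        return 'rejected: no target';
    }
    // The watchlist modified is always the logged-in user's own; the request
    // never gets to name whose list changes.
    return "user {$session['user_id']} now watches {$post['target']}";
}

// Walk-through with a constructed session (user 42 is logged in).
$session = ['user_id' => 42];
echo watch_vulnerable($session, ['target' => 'mallory']), PHP_EOL;        // cross-site GET or POST
echo watch_hardened($session, 'GET', ['target' => 'mallory']), PHP_EOL;   // cross-site GET
echo watch_hardened($session, 'POST', ['target' => 'mallory']), PHP_EOL;  // cross-site POST, no token
$form = ['target' => 'mallory', 'csrf_token' => csrf_token($session)];    // the site's own form
echo watch_hardened($session, 'POST', $form), PHP_EOL;
```

Only the last call changes anything, because only the site's own form can carry the token; a third-party page cannot read it out of the victim's session.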
Others:
☆☆☆ An attacker can steal user passwords over open wifi (such as that at furry conventions).
★★☆ An attacker can steal user sessions over open wifi (such as that at furry conventions).
★★☆ An attacker can log out every logged-in user and prevent anyone else from logging in, including administrators.
★★★ Banned users can hide comments they would otherwise be able to hide.
★★★ Banned users can post comments on journals.
★★★ Blocked users can reply to comments on the blocker's submissions and journals.
Meta: read-only and admin mode are kind of worthless. They didn't stop the escalation exploit on Friday, and they didn't stop the PHP execution vulnerability I witnessed first-hand many years ago.
There are several parts of the site I've just never used, so I don't claim that this is exhaustive. (I've never used trouble tickets, for example, and that would be a great place for an exploit; direct guaranteed audience with an admin.)
If I missed anything, please let me know. If you think any of the above make it obvious what the exploits are to someone who wouldn't already know, definitely let me know and I'll try to be more vague.
I will happily explain, to any FA admin who asks, how any of these work and how to prevent them. But it is not my responsibility to chase people down and try to make them care.
There are very many combinations of attacks that would let a single person destroy the entire site.
Also I hear something about a $50 bug bounty.

Comments
Error 503
GOOD ONE EEVEE
★★★ An attacker can bring down the entire site by waiting long enough.
edit: Oh what, it's actually down.
Edited at 2010-10-18 07:42 am (UTC)
(But no, this doesn't mean they can all be fixed the same way!)
Edited at 2010-10-19 12:24 am (UTC)
Yeah I know nothing about coding and shit that isn't very basic, and up until my dA sub ran out I had a menu in my journal where one of the links was "complain about Kat" that linked to da.com/users/logout *giggle*
I really, really don't want to be one of those crotchety old gits that goes 'good old days blah blah blah' (at the ripe old age of 22) but seriously. At least when it was hard to make an interactive, user-driven content website, this kind of bullshit didn't last long. Sure the websites were shit and slow and insecure owing to the inexperience of all involved, but they were professionals and if you gave a professional coder a list like this about one of their products, they would superglue their testicles to their keyboard until it was all fixed.
I wonder how I manage to have pride in my work when it appears you can be successful online without giving a shit. Oh Internet, what a fun place you are.
Which is why I don't use facebook, and don't put any real personal information on any sites.
I suggest you turn all the stars into frownie faces. That way the audience realizes that these aren't little medals. Until then, I'll continue pretending I'm offended!
★★★ Banned users can post comments on journals.
Well, you could technically tell Allen how to do these, I'm sure they'll get fixed then. But then you'd be an ass.
Though I don't have a lot of faith in Allen's ability to... do anything, really.
(To be fair to myself, I know that all the item management code requires you to be logged in as the user who owns the item being managed, and that at the moment the delete action doesn't actually do anything anyway. But even so.)
Being logged in doesn't help so much; that's how I racked up 950 watchers without their involvement.
I'd think that you shouldn't be able to add someone to a watchlist unless you're (a) logged in (b) as the user who owns the watchlist being modified. I'm sure there are ways to subvert that, but that's a pretty basic sanity check which I'm guessing FA is (sigh) not making.
(For the record, I'm also writing in Python, although unlike the sadly defunct Ferrox, I'm using Django rather than Pylons.)
But in seriousness, is this just because all the things on this list are either hyperlinks or forms that use GET (or use POST but rely on $_REQUEST instead of $_POST for sniffing)? If so, it sounds like a retardedly easy fix for half of them and some minor tweaking at most for the others.
Also, I noticed that deviantART has hyperlinks for most of these things too. Does that mean they're as vulnerable to these attacks as FA is? Because if it is, major lulz.
dA's links are all javascript nonsense, so all bets are off there. Might be vulnerable, might not be.
I knew FA had problems, but geez...
When it comes to speed on fixing things, I'd prefer you over Yak if you were still allowed on the site.