by jgrahamc
5844 days ago
Posterous actually has a nasty security hole which allows you to get the email address for any posterous which the user has not claimed. Here's a posterous I just created: http://john-tfk88.posterous.com/ that I have not claimed. The 'Claim this site' link goes to http://posterous.com/main/register?hash=Bu5fX3lRT2rYPURl7axZ... If you view the source you'll find that my email address is 'hidden' in the page: <input id="user_mail" name="user[mail]" type="hidden" value="jgc@jgc.org" />

So, for any unclaimed posterous you can programmatically get to the owner's email address. A nice hack would be to grab the email address of newly created posterous accounts, wait for them to be claimed (or not) and then start spamming them. Yay! Oh look: http://www.google.co.uk/search?hl=en&q=%22claim+this+sit...
We have looked into this issue and have confirmed this is not a security hole. No personal information is revealed to users other than through obscure links that are only available to the true site owner.
This URL is only available:

1. In the emails we send to users to claim their site. So only the true owner receives these.
2. On the Posterous site itself, but only when we know it's the site owner (based on cookies and other tests).
That Google search does include a bunch of unclaimed sites. However, none of those sites will include the secret hash, and therefore none will expose the email address.
The fact that we include the email address in the form is definitely odd, and we're removing that now. But nonetheless, it's only visible to the person who created that site, behind obscure URLs.
We're very confident in the system we have built. While making things super simple for the common user, we never forget that our users care a lot about keeping their information secure.
Thanks for bringing this to our attention. We always need to be one step ahead of the hackers/spoofers, and we thank the Hacker News community for keeping us on our toes!
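The two patterns the thread argues about, side by side, as an added illustration that is not code from the thread or from Posterous: a claim form that echoes the owner's address into a hidden input, the same form carrying only the secret token with the address resolved server-side on submit, and a small check that flags email-looking values in hidden fields. The token store, the token value and the address are constructed placeholders.

```python
import re
import html

# Constructed sample store: secret claim token -> owner address (hypothetical, not real data).
CLAIM_TOKENS = {"claim-token-placeholder": "owner@example.com"}

EMAIL_RE = re.compile(r"[^@\s\"']+@[^@\s\"']+\.[a-z]{2,}", re.I)
HIDDEN_INPUT_RE = re.compile(r'<input\b[^>]*type="hidden"[^>]*>', re.I)
VALUE_RE = re.compile(r'value="([^"]*)"')


def render_claim_form_leaky(token):
    """The pattern described in the thread: the owner's email is embedded in a hidden field,
    so anyone who reaches the claim URL can read it from the page source."""
    email = CLAIM_TOKENS[token]
    return (
        '<form action="/main/register" method="post">'
        f'<input name="hash" type="hidden" value="{html.escape(token)}" />'
        f'<input id="user_mail" name="user[mail]" type="hidden" value="{html.escape(email)}" />'
        '<input name="password" type="password" /></form>'
    )


def render_claim_form_fixed(token):
    """Only the token travels to the client; the address never leaves the server."""
    return (
        '<form action="/main/register" method="post">'
        f'<input name="hash" type="hidden" value="{html.escape(token)}" />'
        '<input name="password" type="password" /></form>'
    )


def resolve_owner(token):
    """Server-side lookup on form submit, keyed by the token the form posted back."""
    return CLAIM_TOKENS.get(token)


def hidden_emails(page_html):
    """PII-leak check: return values of hidden inputs that look like email addresses."""
    leaks = []
    for tag in HIDDEN_INPUT_RE.findall(page_html):
        m = VALUE_RE.search(tag)
        if m and EMAIL_RE.fullmatch(html.unescape(m.group(1))):
            leaks.append(html.unescape(m.group(1)))
    return leaks
```

The check is the kind of assertion a template test can run on every rendered page: a hidden input whose value parses as an email is a leak regardless of how obscure the URL is.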