You don’t need a password. Posterous fail.

160 points, by prabodh, almost 15 years ago

16 comments

jcnnghm, almost 15 years ago
<i>It's possible to forge headers in certain circumstances. It's not easy. And this is the first time this has happened.</i>

It's ridiculously easy to forge email headers. Headers are manually created whenever programmatically sending email messages. That's how messages can be sent from addresses that don't exist, like devnull@example.com or noreply@yourdomain.com. They don't even send a confirmation email that you have to approve before stuff is posted?
a4agarwal, almost 15 years ago
Hey guys. I'm the cofounder of Posterous.

Yes, someone did figure out how to post to Dustin's site today. This security hole is now fixed.

We had a specific problem with the way we dealt with SPF records. Dustin didn't set any up, and there was a specific way that Robin Duckett's email server responded that caused us to flag it as a false negative for spoofing.

For the vast majority of users who use Gmail, Hotmail or other services, this was never an issue.

Since our launch on day one, we have taken email spoof detection very seriously. It's one of our core differentiators: to be able to securely post to your blog by emailing a single, easy to remember address. We don't want to do secret addresses or secret words.

Over the past 2 years, we've developed robust spoof detection IP and spend a ton of time trying to stay a step ahead of hackers. Fortunately, we've only had a few very specific, isolated cases where one of our sites was spoofed and each time we have improved our system.

Thanks for bringing this to our attention. We always need to be one step ahead of the hackers/spoofers, and we thank the Hacker News community for keeping us on our toes!
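The failure a4agarwal describes (a domain with no SPF record being treated as "not spoofed") is a fail-open policy. The example below, added here and not Posterous code, shows the fail-closed version: it reads the SPF verdict that the inbound MTA recorded in a Received-SPF header (RFC 7208 section 9.1), checks that the From address is a registered author for the target blog, and publishes automatically only on an SPF "pass"; "none", "softfail", "neutral" and "temperror" all fall through to a confirmation round-trip, which is the check jcnnghm asks about above. All domains, addresses, IPs and the contributor table are constructed for the example.

```python
"""Fail-closed policy for posting to a blog by email.

Added example, not Posterous code. Assumes the inbound MTA has already
evaluated SPF for the connecting IP and prepended a Received-SPF header
(RFC 7208 section 9.1) before this code sees the message. A sender whose
domain publishes no SPF record gets a "none" verdict, and that case is
treated as unverified rather than as "not spoofed".
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

PUBLISH = "publish"   # author verified: post goes up immediately
CONFIRM = "confirm"   # hold the post, mail a one-time link to the From address
REJECT = "reject"     # bounce: unknown author or hard SPF failure

# Registered author addresses per blog address (constructed sample data).
CONTRIBUTORS = {
    "dustin@posterous.example": {"dustin@dustincurtis.example"},
}

_SPF_RESULT = re.compile(
    r"^\s*(pass|fail|softfail|neutral|none|temperror|permerror)\b", re.IGNORECASE
)


def spf_result(msg: Message) -> str:
    """Return the SPF verdict recorded by our MTA, or 'none' if absent.

    Only the first Received-SPF header is used: MTAs prepend trace headers,
    so the first one is the one our own MTA added and any copy the sender
    put in the message sits below it. This relies on the MTA always adding
    one; if it may not, strip sender-supplied copies before calling this.
    """
    header = msg.get("Received-SPF")
    if header is None:
        return "none"
    match = _SPF_RESULT.match(header)
    return match.group(1).lower() if match else "none"


def posting_decision(raw_message: str) -> str:
    """Map a raw RFC 5322 message to PUBLISH, CONFIRM or REJECT."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    _, blog = parseaddr(msg.get("To", ""))
    sender, blog = sender.lower(), blog.lower()

    # Authorisation first: the From address must be a registered author
    # for this blog, otherwise the SPF verdict is irrelevant.
    if sender not in CONTRIBUTORS.get(blog, set()):
        return REJECT

    verdict = spf_result(msg)
    if verdict == "pass":
        return PUBLISH
    if verdict in ("fail", "permerror"):
        return REJECT
    # softfail, neutral, none, temperror: the From address is unverified.
    # "none" is exactly the no-SPF-record case; the safe default is a
    # confirmation round-trip, not publication.
    return CONFIRM


# Constructed sample messages: .example domains, documentation IP ranges.
SAMPLE_PASS = """\
Received-SPF: pass (mx.posterous.example: domain of dustincurtis.example designates 203.0.113.7 as permitted sender) client-ip=203.0.113.7
From: Dustin <dustin@dustincurtis.example>
To: dustin@posterous.example
Subject: a real post

Sent from the author's own mail server.
"""

SAMPLE_NO_SPF_RECORD = """\
Received-SPF: none (mx.posterous.example: dustincurtis.example does not designate permitted sender hosts) client-ip=198.51.100.9
From: dustin@dustincurtis.example
To: dustin@posterous.example
Subject: who sent this?

Could be the author, could be anyone who typed the From address.
"""

SAMPLE_HARD_FAIL = """\
Received-SPF: fail (mx.posterous.example: domain of dustincurtis.example does not designate 198.51.100.9 as permitted sender) client-ip=198.51.100.9
From: dustin@dustincurtis.example
To: dustin@posterous.example
Subject: hi

Spam spam spam
"""

SAMPLE_STRANGER = """\
Received-SPF: pass (mx.posterous.example: domain of else.example designates 203.0.113.8 as permitted sender) client-ip=203.0.113.8
From: somebody@else.example
To: dustin@posterous.example
Subject: not an author

SPF passes for my own domain, but I am not a contributor.
"""

if __name__ == "__main__":
    for name, raw in [("pass", SAMPLE_PASS), ("no record", SAMPLE_NO_SPF_RECORD),
                      ("hard fail", SAMPLE_HARD_FAIL), ("stranger", SAMPLE_STRANGER)]:
        print(f"{name:>10}: {posting_decision(raw)}")
```

The contributor check comes before the SPF check on purpose: an attacker who controls a domain with a valid SPF record gets a genuine "pass" for their own address, so SPF alone says nothing about whether the sender is allowed to post to this blog.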
robinduckett, almost 15 years ago
I did it. Sorry Dustin. It really was me. I changed one field in Outlook.

I realise Posterous requires you to "confirm" the post, I just wanted to see if you had defaulted that requirement to off.
michael_dorfman, almost 15 years ago
This is definitely happening in the wild, as well. A friend of mine had some spam advertising a mobile phone site posted to her Posterous, which fed into her Facebook feed, etc.
xinsight, almost 15 years ago
It <i>is</i> easy.

<pre><code>$ /usr/sbin/sendmail -f dustin@dustincurtis.com dustin@posterous.com
Subject: hi

Spam spam spam
^D</code></pre>
josefresco, almost 15 years ago
Sure, active users will notice spam posts, but what about the long tail of customers who no longer update their Posterous blog? What happens when a 'creative' link marketer finds a way to index those sites and inject posts?
codeflo, almost 15 years ago
While we're talking about Posterous, does anyone know why it adds a random number to the end of article URLs, as in http://blog.dustincurtis.com/apparently-765 ? I know it's not a big deal, but I find that aesthetically unpleasing, as it kind of ruins an otherwise beautiful URL.
nate, almost 15 years ago
Why not let users use email certificates if they want? That's what I've got going on in Tgethr. Let users decide if the extra trouble of setting up an email cert is worth it (it's not that bad), and now all of a sudden you have spam-proof email discussion lists. We just check the message signature to make sure yep, your message is signed as dustincurtis@gmail.com or whatever, and we'll accept the message.
gommm, almost 15 years ago
What I'm surprised by is why Posterous doesn't do more checks on all the headers sent by the email software (X-Mailer, and so on) and ask for a confirmation if those other headers are different enough from a known correct configuration...

Of course someone who received an email from the blog owner could use that to fake all those headers, but at least it would prevent people posting by simply guessing the email address.
DanielRibeiro, almost 15 years ago
Strange that no one noted that identity-based encryption (IBE for the acquainted ones) solves this problem quite easily (more on http://www.voltage.com/technology/ibe.htm). The Boneh and Franklin scheme was the first proposed one, but nowadays this is not only in crypto papers, there are even RFCs for such schemes: http://www.rfc-editor.org/rfc/rfc5409.txt. There are even some non-commercial implementations around: http://crypto.stanford.edu/ibe/.

Of course, not using such full-blown solutions will mean that Posterous' heuristic techniques will be susceptible to all sorts of attacks, such as man-in-the-middle, relay attacks and so forth.

On the other hand, looking for solutions that are resilient to more sophisticated attacks, mostly considering IBE schemes, is quite convoluted (it involves provable security models, such as http://www.google.com/#hl=en&q=provable+security+signature&aq=f&aqi=&aql=&oq=&gs_rfai=&fp=64f719c8669fe4b7 ). There are even variations on IBE, such as certificateless, which require you to trust even fewer people.

This is, of course, assuming you are not willing to inconvenience users by making them reply to an email you send them after they tried to post. Such an email would contain a custom-made URL (the secret) that would enable the post to actually be posted. On the other hand, this solution feels more inconvenient than using OAuth methods.

Nonetheless, not all users care about security/privacy (those that do will always have the usual login scheme). If you choose to go the other way, good luck to you. After all, people still use MD5 for security applications nowadays.
Terretta, almost 15 years ago
Two solutions:

1. Change from "Contributors can post" to "Anyone can post". Counterintuitive, but the first is based on email FROM, the second is moderated.

2. Make a hash as your FROM address. Add it as an alias to send from in Gmail (or whatever you use). Send to Posterous from the hash address. Your email address becomes your password.
mike-cardwell, almost 15 years ago
You should be able to PGP sign your emails to confirm that they're good. If an unsigned email suddenly appears, a confirmation email should be sent back to the sender address before it is posted.
ashishbharthi, almost 15 years ago
Twitter had a similar issue in their Text -> Tweet system. People were using software to send text messages using anybody's phone number they wanted. They fixed it by using a 4-digit PIN, and I think Posterous should do the same.
borisk, almost 15 years ago
Not so big a deal IMHO. You can always set a password if spammers start targeting your blog.
d0m, almost 15 years ago
Oh my, I feel bad, I started this in the other post's comments.
tman, almost 15 years ago
Posterous really does fail here. I can see why they would want to tolerate a little of this to preserve ease of use for their users (just like Amazon with their Kindle email address). However, there are a number of steps that Posterous can take to combat forged headers in ways that should not impact users at all. Enabling SPF, for example, would be a good start.

Technically, it's the same problem as email spam, and most of the same tools can be used to combat it. Posterous should flag posts that they aren't sure of and make users confirm them before putting them up, etc.

EDIT:

The other fix would be to use an email address that can't be guessed from the blog address. In other words, the email address is the password.