科技回声

A tech news platform built on Next.js, providing global tech news and discussion content.

© 2025 科技回声. All rights reserved.

Thoughts on the Posterous hack

38 points by prabodh, almost 15 years ago

22 comments

a4agarwal, almost 15 years ago

Hey guys. I'm the cofounder of Posterous.

Yes, someone did figure out how to post to Dustin's site today. This security hole is now fixed.

We had a specific problem with the way we dealt with SPF records. Dustin didn't set any up, and there was a specific way that Robin Duckett's email server responded that caused us to flag it as a false negative for spoofing.

For the vast majority of users who use Gmail, Hotmail or other services, this was never an issue.

Since our launch on day one, we have taken email spoof detection very seriously. It's one of our core differentiators: to be able to securely post to your blog by emailing a single, easy to remember address. We don't want to do secret addresses or secret words.

Over the past 2 years, we've developed robust spoof detection IP and spend a ton of time trying to stay a step ahead of hackers. Fortunately, we've only had a few very specific, isolated cases where one of our sites was spoofed, and each time we have improved our system.

Thanks for bringing this to our attention. We always need to be one step ahead of the hackers/spoofers, and we thank the Hacker News community for keeping us on our toes!
jgrahamc, almost 15 years ago

Posterous actually has a nasty security hole which allows you to get the email address for any posterous which the user has not claimed.

Here's a posterous I just created: http://john-tfk88.posterous.com/ that I have not claimed.

The 'Claim this site' link goes to http://posterous.com/main/register?hash=Bu5fX3lRT2rYPURl7axZ1Y3SpHNnCWxOt4p8Kewa8zWUiiTwkV8S2YEHwTL6

If you view the source you'll find that my email address is 'hidden' in the page:

    <input id="user_mail" name="user[mail]" type="hidden" value="jgc@jgc.org" />

So, for any unclaimed posterous you can programmatically go to the owner's email address. A nice hack would be to grab the email address of newly created posterous accounts, wait for them to be claimed (or not) and then start spamming them. Yay!

Oh look: http://www.google.co.uk/search?hl=en&q=%22claim+this+site%22+site:posterous.com&aq=f&aqi=&aql=&oq=&gs_rfai=
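The leak jgrahamc describes is a design problem rather than a bug in one page: the claim form carries the thing it is supposed to protect. The following is an added example, not Posterous code, showing the vulnerable rendering beside a hardened claim flow in which the server maps a random, single-use, expiring token to the address and the page carries only the token. The class and route names (ClaimStore, /claim) and the sample address are constructed for the example.

```python
"""Claim-this-site flow that never puts the owner's email in the page.

Added example, not Posterous code. Instead of a hidden <input> carrying the
address, the server keeps the address against a random, single-use, expiring
claim token and the page carries only the token. Names (ClaimStore, /claim)
and the sample address are constructed for the example.
"""
import hashlib
import html
import secrets
import time
from typing import Optional


def render_claim_form_leaky(owner_email: str) -> str:
    """The pattern from the comment above: the address is 'hidden', not secret."""
    return (
        '<form method="post" action="/claim">'
        f'<input id="user_mail" name="user[mail]" type="hidden" value="{html.escape(owner_email)}" />'
        '<input name="password" type="password" /><button>Claim</button></form>'
    )


class ClaimStore:
    """Server-side map from hashed claim token to (email, expiry)."""

    def __init__(self, ttl_seconds: int = 7 * 24 * 3600):
        self.ttl = ttl_seconds
        self._claims = {}  # sha256(token) -> (owner_email, expires_at)

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash so a leaked table does not hand out live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, owner_email: str, now: Optional[float] = None) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        expires = (time.time() if now is None else now) + self.ttl
        self._claims[self._key(token)] = (owner_email, expires)
        return token

    def render_claim_form(self, token: str) -> str:
        """Hardened form: the client sees an opaque token, never the address."""
        return (
            '<form method="post" action="/claim">'
            f'<input name="token" type="hidden" value="{html.escape(token)}" />'
            '<input name="password" type="password" /><button>Claim</button></form>'
        )

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the email bound to the token, or None. A token works once
        and only before its expiry; the address is resolved server side."""
        now = time.time() if now is None else now
        entry = self._claims.pop(self._key(token), None)  # single use
        if entry is None:
            return None
        owner_email, expires = entry
        return owner_email if now <= expires else None


def page_exposes(page: str, owner_email: str) -> bool:
    """The view-source check from the comment: does the page carry the address?"""
    return html.escape(owner_email) in page or owner_email in page


if __name__ == "__main__":
    store = ClaimStore()
    addr = "owner@example.com"  # constructed sample address
    tok = store.create(addr)
    print("leaky form exposes address:", page_exposes(render_claim_form_leaky(addr), addr))
    print("hardened form exposes address:", page_exposes(store.render_claim_form(tok), addr))
    print("redeem:", store.redeem(tok), "| second redeem:", store.redeem(tok))
```

The hash-at-rest and single-use choices matter as much as hiding the address: a claim link that keeps working indefinitely, or a table that stores raw tokens, just moves the leak from the page to the database or the mailbox.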
wdewind, almost 15 years ago

"As a user, I fully accept it. http://blog.dustincurtis.com has received almost a million pageviews in the past year, and this is the first time this has ever happened. And it happened because I provoked it in an extremely popular article that was posted to a community of hackers. To be honest, I expected someone to try this."

As an EDUCATED user YOU accept it; I'm not sure most of the posterous users understand, and would make the same decision to use posterous if they did.

This is like saying car companies could sell shitty locks on their cars because they mostly won't be tested anyway, and the driver will have an easier time getting into the car. It's VERY unlikely my mother's car will be broken into, just statistically speaking, but hey, even if it happens it's just one person. Not a big deal.

I'm pretty sure if posterous made it clear how easy this is many users would stay away, just like many people would not buy Toyotas if they came with shitty locks, no matter how little they expected to be broken into.
Tichy, almost 15 years ago

Of course somebody is interested in spamming his mother's blog. A script doesn't care whose blog it spams. Now that the word is out, I expect it will only be a matter of time until such scripts emerge.

It's the typical false assumption non-technical users have about security: who would be interested in hacking me anyway? Automated scripts, that is who.

Also, how are the email posts interpreted by posterous: is it possible to post custom HTML snippets and JavaScript via email? This would be scammer's heaven, as they could probably even hide that a blog has been spammed.
ique, almost 15 years ago

He says there is no interest to post to his mom's posterous, but is that really true?

I can imagine quite a lot of spammers who would love to have a blog post on an otherwise reputable blog. If spammers manage to abuse this system they could get their blog posts, filled with links and instructions to buy medication, all over all posterous blogs.
sramov, almost 15 years ago

Simple. Create an email alias (spacemuffinftw) just for Posterous and post with that, making it your password in a way.

Edit: Seen in other comments: a cool thing would be for Posterous to support SPF. Definitely techie oriented and not for general folks, but in a system like Posterous it should be baked in from day one. It would protect quite a few folks while the majority of them don't even realize it, or even know what SPF is.
Aaronontheweb, almost 15 years ago

Here's the deal: as soon as your blog reaches any level of popularity, people are going to want to deface it / hack it any way they can just because it's that much bigger of a prize. If Posterous is this easy to hack, once you have a decent sized blog you're going to have a constant field day until they implement something better.

If you want to keep security simple enough that it doesn't strangle the service, then hand out a unique email like post-45h231sxax23s1@posterous.com and have the user add that to their address book. Voilà, you've managed to add a layer of obscurity to Posterous' posting mechanism at least, even though it's still not really a strong one.
DavidBishop, almost 15 years ago

1) Why can I not comment on the actual post? That's a little disconcerting.

2) I don't understand the need to post by e-mail. What does that gain me? Is there any use in that other than gimmick? Wouldn't a nice site offer me more chances for formatting, etc.? What is the difference between typing info into a site and into an e-mail? What is the benefit? Can't a site be easier to use than e-mail?

3) Security is not a concern? I hope you are happy with the size of your company, since it cannot grow, because once you become any kind of force in the market, you will have to deal with things that you may not have to deal with now.

If you can't think of any scenarios in which this is a problem, let me enlighten you:

- Lawsuits because an angry ex/employee/anyone posts items on a blog. (Yes, this can happen with other systems, but a lack of security is different from being hacked/people stealing passwords, etc.)
- Competitors who want to cause you problems.
- Unhappy customers who find their site "hacked", including support time and money.

Now that the "hack" is discovered, expect more. Security through ignorance is gone once the ignorance is gone.

When you ignore warning signs because nothing bad has happened YET, get ready. Look at BP. Over 700 violations they shrugged off because it didn't affect them. Now it does, and their stock, company name, and the well-being of many they affected is in the toilet.

This is your wake up call. Listen to it: don't ignore it. Security matters.
ajg1977, almost 15 years ago

Posterous could offer a really simple, and optional, security option by disabling auto-posting unless your email includes a secret key. E.g. you would have to write 'passkey=tomato' somewhere in your email.

If the email doesn't include the passkey, the user would receive a "click link to publish" email.

Simple.
biggitybones, almost 15 years ago

I think his argument comes off as too utopian for me to accept. Like everyone else has said, of course people will want to exploit an easy loophole on someone who has a bit of exposure.

I think Posterous hasn't grown to a point where they have to worry about it yet, but look at the exploits on WordPress. They're much more advanced and hackers continually attempt to break in for fun or for abusive reasons. It's naive to assume that you can simply keep this convenience as a security trade-off as the product gains the attention of the world.
GavinB, almost 15 years ago

The real danger here isn't spam, it's false flag attacks.

If something offensive appears on your posterous under your name, will anyone believe you when you claim it's a hack?

On the other hand, maybe it provides a convenient excuse if you post something dumb and want to disown it . . .
lhorie, almost 15 years ago

http://news.ycombinator.com/item?id=1442163

The compromise I suggested here addresses both concerns (ease of use and security).
samdk, almost 15 years ago

My email address is of the form firstname@lastname.com, and I got around this issue by creating an alias for sending in Gmail that's firstname+randomstring@lastname.com. As a security measure it's not perfect, but it's not something someone's just going to be able to guess.

That solves the issue for me, but not for most (less tech-savvy) people. I think what Posterous needs is the ability to require confirmation by email when a post is made by email. I get that you can do this by setting your blog to 'anyone can post', but that seems counterintuitive, and most people don't understand how easy it is to spoof emails. As long as the confirmation can be done by email, I don't think it'd be much of an inconvenience.
mike-cardwell, almost 15 years ago

I care about my reputation, therefore I would not use Posterous.

There's nothing stopping Posterous keeping it working exactly the same way, but providing an additional layer of protection for users who want to lock down their blog.

1.) Don't publish emails unless they passed DKIM
2.) Don't publish emails unless they passed SPF
3.) Don't publish emails unless they contain a secret password
4.) Don't publish emails unless they're signed with my PGP key.

Any of the above would be enough. It's all about choice.
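The options ajg1977 and mike-cardwell lay out (a passkey in the body; SPF or DKIM as a publish gate, with a "click to publish" fallback) fit naturally into one inbound gate. The following is an added example, not Posterous code, that implements options 1 to 3 as an opt-in policy per blog. It also carries the two checks a4agarwal's comment makes relevant: a missing or failed SPF/DKIM result is never treated as a pass, and only an Authentication-Results header stamped by our own MX is trusted, since a sender can add one of its own. The MX name (OUR_MX), the blog dictionary and the sample messages are constructed for the example.

```python
"""Inbound email-to-post gate with opt-in protections.

Added example, not Posterous code. The From address must be the blog's
verified sender; SPF or DKIM must have passed at our own MX (a missing or
failed result is never a pass); a blog that has configured a passkey requires
it in the body; anything else is held for click-to-publish confirmation.
OUR_MX, the blog dict and the sample messages are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from hmac import compare_digest

PASSKEY_RE = re.compile(r"passkey=(\S+)")
OUR_MX = "mx.blog.example"  # authserv-id our own MX stamps (constructed)


def parse_authentication_results(header: str):
    """Return (authserv_id, {"spf": ..., "dkim": ..., "dmarc": ...}) from one
    Authentication-Results header (RFC 8601 layout). Parenthesised comments
    are stripped first because they may themselves contain ';'."""
    text = re.sub(r"\([^)]*\)", "", header)
    parts = [p.strip() for p in text.split(";")]
    authserv = parts[0].split()[0] if parts[0] else ""
    results = {}
    for part in parts[1:]:
        m = re.match(r"(spf|dkim|dmarc)=(\w+)", part, re.I)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return authserv, results


def gate(raw: bytes, blog: dict, our_mx: str = OUR_MX):
    """Decide 'publish', 'confirm' or 'reject' for one inbound message.
    blog = {"verified_sender": str, "passkey": str | None}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender != blog["verified_sender"].lower():
        return "reject", "From is not the blog's verified sender"

    # Only results stamped by our own MX count; a sender can add its own
    # Authentication-Results header claiming whatever it likes.
    auth = {}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, results = parse_authentication_results(str(hdr))
        if authserv == our_mx:
            auth.update(results)
    authenticated = auth.get("spf") == "pass" or auth.get("dkim") == "pass"

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""

    if blog.get("passkey"):
        m = PASSKEY_RE.search(body)
        if m and compare_digest(m.group(1).encode(), blog["passkey"].encode()):
            return "publish", "passkey matched"
        return "confirm", "passkey missing or wrong"

    if authenticated:
        return "publish", "SPF or DKIM passed at our MX"
    # 'none', 'neutral', 'softfail', 'fail' or no header at all: not a pass.
    return "confirm", f"unauthenticated (spf={auth.get('spf')}, dkim={auth.get('dkim')})"


def _sample(from_hdr: str, auth_hdrs: list, body: str) -> bytes:
    """Build a constructed raw message for the demonstrations below."""
    lines = [f"From: {from_hdr}", "To: post@blog.example", "Subject: test"]
    lines += [f"Authentication-Results: {h}" for h in auth_hdrs]
    lines += ["Content-Type: text/plain; charset=us-ascii", "", body]
    return "\r\n".join(lines).encode()


BLOG = {"verified_sender": "owner@example.com", "passkey": None}
GENUINE = _sample("Owner <owner@example.com>",
                  [f"{OUR_MX}; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com"],
                  "A real post.")
SPOOFED = _sample("Owner <owner@example.com>",
                  [f"{OUR_MX}; spf=fail smtp.mailfrom=example.com; dkim=none"],
                  "Not from the owner.")
# Sender-supplied header claiming a pass, followed by our MX's real verdict.
FORGED = _sample("Owner <owner@example.com>",
                 ["mail.attacker.example; spf=pass", f"{OUR_MX}; spf=none"],
                 "Not from the owner either.")
STRANGER = _sample("Someone <someone@example.net>", [], "Hi")
WITH_KEY = _sample("Owner <owner@example.com>", [], "passkey=tomato\r\nPosted with the key.")

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("spoofed", SPOOFED), ("forged", FORGED), ("stranger", STRANGER)]:
        print(name, gate(raw, BLOG))
    print("with key", gate(WITH_KEY, {**BLOG, "passkey": "tomato"}))
```

Two design points worth noting: the passkey comparison uses a constant-time compare, and when a blog has opted into a passkey the gate requires it even if SPF or DKIM passed, so the owner's stricter choice is not undone by a lookalike domain that authenticates cleanly. Option 4 (PGP-signed mail) would slot in as a further branch before the SPF/DKIM check.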
alextp, almost 15 years ago

An interesting thing posterous could do is send the user a (daily? weekly?) email "reminding" him of the blog, and making it so that just replies to that email count as posts. This lets them even change the GUID for each user if they think it has been compromised.
twalling, almost 15 years ago

Sounds like a security issue to me.
jrussbowman, almost 15 years ago

Couldn't they do something like the email address is yourusernameatyourdomain.comandanextrabityoutset@posterous.com, which would be an id you could remember?
jeremymcanally, almost 15 years ago

Uhm, you don't have to have an epic GUID e-mail address. Just pair it with your e-mail. So let the user set it to whatever they can remember (their name backwards and ROT13'd, whatever, so long as it's unique) and only accept posts to that address from their verified e-mail. That would at least curb some of the danger of this setup.
sbierwagen, almost 15 years ago

Or you could make high-security posting optional, for users who get a lot of traffic; much like how E-Trade will give you a two-factor authentication fob if you've got enough money invested with them.
nkassis, almost 15 years ago

They could allow for configurable security, like allowing users to specify a GPG public key. Doesn't have to be the default.
drivebyacct, almost 15 years ago

There's an even easier solution... require confirmation via email. You send the post as an email, you get an email back immediately asking for post confirmation.

edit:

It looks like this is already standard functionality (if turned on, and even if not there is still an email sent with a delete link).

I don't think Dustin does a good job explaining why "it is OK" in this blog post, but I think I agree with his conclusion: this doesn't seem like a big deal if a user has opted for the more optimistic workflow rather than the more precautionary one.
ajkirwin, almost 15 years ago

I see this argument all the time. "Oh, Joe Schmo won't know how to do this! It'll frighten them!"

And this happens absolutely everywhere. And it's true. But this problem won't go away until we start FORCING people to adapt, by adopting stricter measures everywhere.