Security flaw with login corrected

One of our members informed us a couple of days ago that due to a strange combination of actions and circumstances, he hit a flaw in our login system that enabled him to access the membership of another member with a similar name.

Of course we promptly investigated; the problem has been permanently fixed.

After that, we turned our attention to finding out if that particular flaw had been exploited in any other cases. It does have a very distinctive pattern, part of which is failing to log in as the first person, successfully logging in as the second person, and then “reappearing” as the first person. (That’s sufficient “signature” to detect it in our records, but there’s actually more internally required for it to happen — related to cookies and PHP session handling.) We’ve been over the logs back to the point where the problem was introduced and we’re happy to report that we were not able to find any previous similar incidents. So, if you needed any reassurance that most people are basically good, the first person to find this problem reported it to us within minutes.

Obviously the person who did this is aware of it, and we have already notified the person affected. So if you haven’t already heard from us about this, it doesn’t affect you and you don’t need to take any steps. We are posting this anyway simply because it’s security related. Security is our top priority; it’s the foundation upon which the rest of our service has to be built. So, as transparent and forthright as we try to be when we have service problems and downtime, I feel we need to be twice as forthcoming when we have problems like these, however small.

I also feel it’s appropriate to personally apologize to all of our members because this was a security problem and it was caused by a coding error introduced by me. This is an area where only perfection is acceptable; falling short even a little bit is not. I’m sorry, and I will work hard to keep it from happening again.

(Ironically, we are already developing a new certificate-based backend that is so secure, the goal is to open-source our entire UI when it is complete.)
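The log signature described in the post (a failed login as one member, a successful login as another, then activity as the first member again) can be searched for mechanically. The following is an added example, not NearlyFreeSpeech.NET's code: the log format, the `sid` client identifier and the function name are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log. The line format (sid=, event=, member=) is an
# assumption for illustration, not the site's real log format.
SAMPLE_LOG = """\
2011-07-30T10:00:01Z sid=c1 event=login_fail member=jsmith
2011-07-30T10:00:09Z sid=c1 event=login_ok member=jsmith2
2011-07-30T10:00:15Z sid=c1 event=request member=jsmith
2011-07-30T11:00:00Z sid=c2 event=login_fail member=alice
2011-07-30T11:00:05Z sid=c2 event=login_ok member=alice
2011-07-30T11:00:09Z sid=c2 event=request member=alice
2011-07-30T12:00:00Z sid=c3 event=login_fail member=bob
2011-07-30T12:00:04Z sid=c3 event=login_ok member=carol
2011-07-30T12:00:08Z sid=c3 event=request member=carol
"""

LINE_RE = re.compile(
    r"^(\S+) sid=(\S+) event=(login_fail|login_ok|request) member=(\S+)$")

def find_identity_switches(log_text):
    """Return (sid, failed_as, logged_in_as, timestamp) for each client that
    fails to log in as A, logs in as B, then acts as A without logging in as A."""
    failed = defaultdict(set)  # sid -> members with a failed login, not yet followed by a success
    armed = defaultdict(set)   # sid -> members whose failure preceded someone else's success
    authed = {}                # sid -> member of the most recent successful login
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in the assumed format
        ts, sid, event, member = m.groups()
        if event == "login_fail":
            failed[sid].add(member)
        elif event == "login_ok":
            # Only failures for a *different* member are suspicious from here on.
            armed[sid] = failed[sid] - {member}
            failed[sid].clear()
            authed[sid] = member
        elif member in armed[sid] and member != authed.get(sid):
            # Activity as the member whose login failed: the "reappearing" step.
            hits.append((sid, member, authed[sid], ts))
            armed[sid].discard(member)  # report each switch once
    return hits

if __name__ == "__main__":
    for hit in find_identity_switches(SAMPLE_LOG):
        print("suspicious identity switch:", hit)
```

Only client `c1` in the constructed sample matches; a failed attempt followed by a correct login as the same member (`c2`) or an ordinary login as someone else (`c3`) does not.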

10 Comments


  1. Owning up to, detailing, and apologising for occasional security flaws is a Good Thing, and one of the reasons I trust this site. Good work.

    Also, bonus points for open sourcing.

    Comment by Sam — August 2, 2011 #

  2. Thank you for being open about the fact the issue existed, and of course fixing the problem before it could be exploited!

    Many thanks also to the person who reported the problem when they stumbled upon it!

    Comment by C R — August 3, 2011 #

  3. Could you give details about the bug?

    Most of the details are above. The internal bits would require a large amount of background information about our forms and session handling that would be of very limited interest in the absence of the actual code; there’s not a straightforward, concise issue we could turn into a good “Here’s what not to do” article. -jdw

    Comment by Adrian — August 3, 2011 #

  4. Many Thanks. You guys are super. And many thanks again to the reporter, too.

    Comment by Jason — August 3, 2011 #

  5. I am not at ‘geek status’ as most here are – I’m simply a newbie learning about websites. I’ve been with two other hosts before and did not have the confidence I have with the technically supportive and open communicating hosts I find here at NFS.net. This openness, not seen elsewhere, is massively refreshing. Combined with the supportive community of users makes me happy to be an NFS.net member. You post your issues on open forum with explanation – great attitude NFS, keep it up.

    Comment by Stan — August 6, 2011 #

  6. You guys are great!

    I am not that techy either but have figured out how to set up about half a dozen sites here.

    Thanks to the way you do business I have been able to slowly increase my knowledge and experience with many of the nuts and bolts. You have made it possible for me to learn as I go.

    I really appreciate your business model and your ethics!!

    Thank you for both and more.

    Steve

    Comment by Steve — August 8, 2011 #

  7. Once again, something to make me proud to be a member of the NFS community – knowing that the community is headed by honest, down-to-earth people who would sooner tell you when things go wrong than try to hide it and pretend it never happened.

    Comment by thirdwheel — August 10, 2011 #

  8. Addendum: it is also a mark of the community’s members that an issue like this was discovered but the discoverer reported it to the relevant people who had the power to solve the problem, rather than to people with the power to make it a bigger problem.

    Comment by thirdwheel — August 10, 2011 #

  9. If only all tech companies behaved like this! Another great win for responsible disclosure. You lead the industry by example.

    Comment by Toby Pinder — August 13, 2011 #

  10. In case a black hat comes along and wonders, “how could I exploit this if I found the exploit?” Here is a little more info about NFS.N’s security. (And I’m just a satisfied user.)

    Every login attempt is logged, and failed attempts send an email alert to the user. So I assume a few failed logins will alert the staff as well. Although I’ve never tried it, hammering away at the login page is sure to be a fruitless exercise.

    Login attempts are also kept on record forever (as far as I can tell). Notice that the staff could determine nobody else even tried this hole, ever since it was introduced.

    It’s a level of security I wish our government would copy!

    Comment by dch24 — August 31, 2011 #

Powered by WordPress. Hosted by NearlyFreeSpeech.NET.