Security flaw with login corrected
One of our members informed us a couple of days ago that due to a strange combination of actions and circumstances, he hit a flaw in our login system that enabled him to access the membership of another member with a similar name.
Of course we promptly investigated; the problem has been permanently fixed.
After that, we turned our attention to finding out if that particular flaw had been exploited in any other cases. It does have a very distinctive pattern, part of which is failing to log in as the first person, successfully logging in as the second person, and then “reappearing” as the first person. (That’s sufficient “signature” to detect it in our records, but there’s actually more internally required for it to happen — related to cookies and PHP session handling.) We’ve been over the logs back to the point where the problem was introduced and we’re happy to report that we were not able to find any previous similar incidents. So, if you needed any reassurance that most people are basically good, the first person to find this problem reported it to us within minutes.
Obviously the person who did this is aware of it, and we have already notified the person affected. So if you haven’t already heard from us about this, it doesn’t affect you and you don’t need to take any steps. We are posting this anyway simply because it’s security related. Security is our top priority; it’s the foundation upon which the rest of our service has to be built. So, as transparent and forthright as we try to be when we have service problems and downtime, I feel we need to be twice as forthcoming when we have problems like these, however small.
I also feel it’s appropriate to personally apologize to all of our members because this was a security problem and it was caused by a coding error introduced by me. This is an area where only perfection is acceptable; falling short even a little bit is not. I’m sorry, and I will work hard to keep it from happening again.
(Ironically, we are already developing a new certificate-based backend that is so secure, the goal is to open-source our entire UI when it is complete.)
10 Comments
RSS feed for comments on this post.
Sorry, the comment form is closed at this time.
Categories:
- Beta
(9)
- Humor (3)
- Miscellaneous (3)
- Network Status (23)
- News & Announcements (73)
- Policy Changes (11)
- Politics & Legal (8)
- Tips & Tricks (6)
- Updates & Upgrades (59)
Archives:
- December 2023 (1)
- August 2023 (1)
- July 2023 (1)
- January 2022 (1)
- January 2021 (1)
- December 2019 (1)
- February 2018 (1)
- September 2017 (1)
- February 2016 (1)
- June 2015 (1)
- May 2015 (1)
- March 2015 (1)
- December 2014 (1)
- November 2014 (1)
- September 2014 (1)
- August 2014 (2)
- July 2014 (1)
- April 2014 (1)
- February 2014 (1)
- December 2013 (1)
- September 2013 (2)
- December 2012 (1)
- October 2012 (1)
- July 2012 (1)
- January 2012 (2)
- December 2011 (1)
- November 2011 (1)
- August 2011 (1)
- April 2011 (1)
- March 2011 (1)
- February 2011 (1)
- November 2010 (2)
- July 2010 (1)
- June 2010 (1)
- April 2010 (1)
- March 2010 (2)
- November 2009 (2)
- August 2009 (1)
- July 2009 (1)
- June 2009 (3)
- March 2009 (1)
- February 2009 (1)
- November 2008 (2)
- October 2008 (1)
- September 2008 (3)
- May 2008 (3)
- April 2008 (5)
- February 2008 (2)
- December 2007 (1)
- September 2007 (4)
- July 2007 (1)
- June 2007 (2)
- April 2007 (2)
- March 2007 (2)
- February 2007 (2)
- January 2007 (4)
- December 2006 (1)
- November 2006 (7)
Entries and comments feeds.
Valid XHTML and CSS.
Powered by WordPress. Hosted by NearlyFreeSpeech.NET.
Owning up to, detailing, and apologising for occasional security flaws is a Good Thing, and one of the reasons I trust this site. Good work.
Also, bonus points for open sourcing.
Comment by Sam — August 2, 2011 #
Thank you for being open about the fact the issue existed, and of course fixing the problem before it could be exploited!
Many thanks also to the person who reported the problem when they stumbled upon it!
Comment by C R — August 3, 2011 #
Could you give details about the bug?
Most of the details are above. The internal bits would require a large amount bit of background information about our forms and session handling that would be of very limited interest in the absence of the actual code; there’s not a straightforward, concise issue we could turn into a good “Here’s what not to do article.”-jdw
Comment by Adrian — August 3, 2011 #
Many Thanks. You guys are super. And many thanks again to the reporter, too.
Comment by Jason — August 3, 2011 #
I am not at ‘geek status’ as most here are – I’m simply a newby learning about websites. I’ve been with two other hosts before and did not have the confidence I have with the technically supportive and open communicating hosts I find here at NFS.net. This openness, not seen elsewhere, is massively refreshing. Combined with the supportive community of users makes me happy to be an NFS.net member. You post your issues on open forum with explanation – great attitude NFS, keep it up.
Comment by Stan — August 6, 2011 #
You guys are great!
I am not that techy either but have figured out how to set up about half a dozen sites here.
Thanks to to way you do business I have been able to slowly increase my knowledge and experience with many of the nuts and bolts. You have made it possible for me to learn as I go.
I really appreciate your business model and your ethics!!
Thank you for both and more.
Steve
Comment by Steve — August 8, 2011 #
Once again, something to make me proud to be a member of the NFS community – knowing that the community is headed by honest, down-to-earth people who would sooner tell you when things go wrong than try to hide it and pretend it never happened.
Comment by thirdwheel — August 10, 2011 #
Addendum: it is also a mark of the community’s members that an issue like this was discovered but the discoverer reported it to the relevant people who had the power to solve the problem, rather than to people with the power to make it a bigger problem.
Comment by thirdwheel — August 10, 2011 #
If only all tech companies behaved like this! Another great win for responsible disclosure. You lead the industry by example.
Comment by Toby Pinder — August 13, 2011 #
In case a black hat comes along and wonders, “how could I exploit this if I found the exploit?” Here is a little more info about NFS.N’s security. (And I’m just a satisfied user.)
Every login attempt is logged, and failed attempts send an email alert to the user. So I assume a few failed logins will alert the staff as well. Although I’ve never tried it, hammering away at the login page is sure to be a fruitless exercise.
Login attempts are also kept on record forever (as far as I can tell). Notice that the staff could determine nobody else even tried this hole, ever since it was introduced.
It’s a level of security I wish our government would copy!
Comment by dch24 — August 31, 2011 #