Comments on: Security flaw with login corrected
https://blog.nearlyfreespeech.net/2011/08/02/security-flaw-with-login-corrected/
A blog from the staff at NearlyFreeSpeech.NET.
Last updated: Wed, 31 Aug 2011 01:57:49 +0000

By: dch24
https://blog.nearlyfreespeech.net/2011/08/02/security-flaw-with-login-corrected/#comment-10260
Wed, 31 Aug 2011 01:57:49 +0000

In case a black hat comes along and wonders, “how could I exploit this if I found the exploit?” Here is a little more info about NFS.N’s security. (And I’m just a satisfied user.)

Every login attempt is logged, and failed attempts send an email alert to the user. So I assume a few failed logins will alert the staff as well. Although I’ve never tried it, hammering away at the login page is sure to be a fruitless exercise.

Login attempts are also kept on record forever (as far as I can tell). Notice that the staff could determine nobody else even tried this hole, ever since it was introduced.

It’s a level of security I wish our government would copy!

By: Toby Pinder
https://blog.nearlyfreespeech.net/2011/08/02/security-flaw-with-login-corrected/#comment-10237
Sat, 13 Aug 2011 10:45:16 +0000

If only all tech companies behaved like this! Another great win for responsible disclosure. You lead the industry by example.

By: thirdwheel
https://blog.nearlyfreespeech.net/2011/08/02/security-flaw-with-login-corrected/#comment-10234
Wed, 10 Aug 2011 00:46:11 +0000

Addendum: it is also a mark of the community’s members that an issue like this was discovered but the discoverer reported it to the relevant people who had the power to solve the problem, rather than to people with the power to make it a bigger problem.

By: thirdwheel
https://blog.nearlyfreespeech.net/2011/08/02/security-flaw-with-login-corrected/#comment-10233
Wed, 10 Aug 2011 00:44:52 +0000

Once again, something to make me proud to be a member of the NFS community – knowing that the community is headed by honest, down-to-earth people who would sooner tell you when things go wrong than try to hide it and pretend it never happened.

By: Steve
https://blog.nearlyfreespeech.net/2011/08/02/security-flaw-with-login-corrected/#comment-10231
Mon, 08 Aug 2011 18:54:46 +0000

You guys are great!

I am not that techy either but have figured out how to set up about half a dozen sites here.

Thanks to the way you do business I have been able to slowly increase my knowledge and experience with many of the nuts and bolts. You have made it possible for me to learn as I go.

I really appreciate your business model and your ethics!!

Thank you for both and more.

Steve

By: Stan
https://blog.nearlyfreespeech.net/2011/08/02/security-flaw-with-login-corrected/#comment-10230
Sat, 06 Aug 2011 11:56:25 +0000

I am not at ‘geek status’ as most here are – I’m simply a newbie learning about websites. I’ve been with two other hosts before and did not have the confidence I have with the technically supportive and open communicating hosts I find here at NFS.net. This openness, not seen elsewhere, is massively refreshing. Combined with the supportive community of users makes me happy to be an NFS.net member. You post your issues on open forum with explanation – great attitude NFS, keep it up.

By: Jason
https://blog.nearlyfreespeech.net/2011/08/02/security-flaw-with-login-corrected/#comment-10228
Wed, 03 Aug 2011 20:26:17 +0000

Many thanks. You guys are super. And many thanks again to the reporter, too.

By: Adrian
https://blog.nearlyfreespeech.net/2011/08/02/security-flaw-with-login-corrected/#comment-10226
Wed, 03 Aug 2011 08:56:27 +0000

Could you give details about the bug?

Most of the details are above. The internal bits would require a large amount of background information about our forms and session handling that would be of very limited interest in the absence of the actual code; there’s not a straightforward, concise issue we could turn into a good “Here’s what not to do” article. -jdw

By: C R
https://blog.nearlyfreespeech.net/2011/08/02/security-flaw-with-login-corrected/#comment-10225
Wed, 03 Aug 2011 08:29:16 +0000

Thank you for being open about the fact the issue existed, and of course fixing the problem before it could be exploited!

Many thanks also to the person who reported the problem when they stumbled upon it!

By: Sam
https://blog.nearlyfreespeech.net/2011/08/02/security-flaw-with-login-corrected/#comment-10224
Tue, 02 Aug 2011 21:52:36 +0000

Owning up to, detailing, and apologising for occasional security flaws is a Good Thing, and one of the reasons I trust this site. Good work.

Also, bonus points for open sourcing.
