Opened 7 years ago

Closed 7 years ago

#4522 closed defect (fixed)

Harry's minor friend making vulnerability

Reported by: Harry Wood
Owned by: rails-dev@…
Priority: major
Milestone:
Component: website
Version:
Keywords:
Cc:

Description

We have a GET url for adding a friend without further prompts. E.g. click here to be my friend: http://www.openstreetmap.org/user/Harry%20Wood/make_friend

Obviously if I can trick anyone into following that link then I get to be their friend, which can be done in sneaky ways for example:

http://harrywood.dev.openstreetmap.org/amazing.html

Guess the fix would be to make it show a Yes/No? confirmation at this URL.
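The flaw described above is a state-changing action reachable by a plain GET: the browser attaches the victim's session cookie to any request a third-party page induces, so the friendship is created with no click on openstreetmap.org at all. The illustration below is added here and is not OpenStreetMap's Rails code; it is a small in-memory stand-in (the `FriendAction` class, `Request` struct, session hash and user names are all constructed for the example) that puts the GET form of the action beside the POST-plus-token form that the confirmation page and the later "use POST" fix in this thread amount to.

```ruby
require 'securerandom'

# Added illustration, not OpenStreetMap's Rails code: a tiny in-memory stand-in
# for the make_friend action, showing the GET form that the ticket describes
# beside a POST + CSRF-token form of the same action.
Request = Struct.new(:http_method, :params, :session, keyword_init: true)

class FriendAction
  attr_reader :friends

  def initialize
    @friends = Hash.new { |h, k| h[k] = [] } # user => list of friends
  end

  # The shape the ticket reports: any GET that reaches the URL with the
  # victim's session cookie attached completes the state change.
  def via_get(req, target)
    return [405, 'method not allowed'] unless req.http_method == 'GET'
    @friends[req.session[:user]] << target
    [200, 'friend added']
  end

  # Hardened shape: only POST changes state, and the POST must carry the
  # token minted into this session when the confirmation page was rendered.
  # A page on another origin cannot read that token.
  def via_post(req, target)
    return [405, 'state change requires POST'] unless req.http_method == 'POST'
    return [403, 'missing or invalid authenticity token'] unless token_valid?(req)
    @friends[req.session[:user]] << target
    [200, 'friend added']
  end

  # The Yes/No confirmation page suggested in the ticket, rendered as a form
  # whose hidden field carries the per-session token.
  def confirmation_form(session, target)
    session[:csrf_token] ||= SecureRandom.hex(16)
    %(<form method="post" action="/user/#{target}/make_friend">) +
      %(<input type="hidden" name="authenticity_token" value="#{session[:csrf_token]}">) +
      %(<button>Yes</button></form>)
  end

  private

  def token_valid?(req)
    expected = req.session[:csrf_token]
    given = req.params['authenticity_token']
    return false if expected.nil? || given.nil? || expected.bytesize != given.bytesize
    # Constant-time comparison so the check does not leak token bytes via timing.
    expected.bytes.zip(given.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

# Walks the three requests that matter and returns what each endpoint did.
def run_scenario
  app = FriendAction.new
  victim_session = { user: 'victim' } # constructed session, as the cookie would select it

  # 1. Cross-site GET (a link or <img> on another page): the cookie goes along,
  #    but no token is present because the other origin never saw one.
  forged_get = Request.new(http_method: 'GET', params: {}, session: victim_session)
  get_result = app.via_get(forged_get, 'harry')
  post_rejects_get = app.via_post(forged_get, 'harry')

  # 2. Cross-site auto-submitted POST form: still no valid token.
  forged_post = Request.new(http_method: 'POST',
                            params: { 'authenticity_token' => 'guess' },
                            session: victim_session)
  post_rejects_forged = app.via_post(forged_post, 'harry')

  # 3. Genuine click on "Yes" in the confirmation page the site itself rendered.
  app.confirmation_form(victim_session, 'harry')
  genuine = Request.new(http_method: 'POST',
                        params: { 'authenticity_token' => victim_session[:csrf_token] },
                        session: victim_session)
  post_accepts_genuine = app.via_post(genuine, 'harry')

  {
    get_endpoint: get_result,                    # 200: friend silently added
    post_endpoint_on_get: post_rejects_get,      # 405
    post_endpoint_forged: post_rejects_forged,   # 403
    post_endpoint_genuine: post_accepts_genuine, # 200
    victim_friends: app.friends['victim']
  }
end

puts run_scenario.inspect if __FILE__ == $PROGRAM_NAME
```

The method check alone already stops the link-in-a-page trick from the ticket (a link or image cannot issue a POST), which is why switching the route to POST is a reasonable emergency fix; the token is what stops an auto-submitting cross-site form, and it is the part Rails' `protect_from_forgery` supplies in a real app.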

Change History (6)

comment:1 Changed 7 years ago by Harry Wood

Priority: minor → major

I should add that I've just posted this trick in IRC, and made 12 new friends as a result. So the information is out there, which maybe makes this more urgent. ...although obviously accidental friending is quite low impact.

comment:2 Changed 7 years ago by Tom Hughes

Well it's out there now pillock! Thanks for turning a minor issue into a major emergency!

comment:3 Changed 7 years ago by Tom Hughes

I've pushed a change to make this use POST as an emergency fix. It breaks the links in the friend notification emails, but I will fix that tomorrow.

comment:4 Changed 7 years ago by Harry Wood

Yeah sorry I didn't really consider this to be a big deal and I wanted to prove (mainly to myself) that it would work, so needed to fish for some clicks on IRC, all of which I did before even raising the trac ticket in the first place. Only afterwards I realised I might've created a problem by telling a few people about it. Sorry about that. It was only a few people though.

Not wanting to wind you up more Tom, but you do know your fix is not working? Friending/unfriending functionality is currently broken? (Links on the site currently take you to 'not found' URLs.)

comment:5 Changed 7 years ago by Tom Hughes

As I said:

"It breaks the links in the friend notification emails, but I will fix that tomorrow."

So links on the site should work (because rails will generate JS that does a POST when you click) but random links elsewhere like in the email will not work yet.

comment:6 Changed 7 years ago by Harry Wood

Resolution: fixed
Status: new → closed

OK I see it's all fixed now ... after a brief re-opening of the vulnerability for a little while this evening if I'm not mistaken :-)
