Harry's minor friend making vulnerability #4522
Comments
Author: Harry Wood
I should add that I've just posted this trick in IRC, and made 12 new friends as a result. So the information is out there, which maybe makes this more urgent. ...although obviously accidental friending is quite low impact.

Author: TomH
Well it's out there now pillock! Thanks for turning a minor issue into a major emergency!

Author: TomH
I've pushed a change to make this use POST as an emergency fix. It breaks the links in the friend notification emails, but I will fix that tomorrow.

Author: Harry Wood
Yeah sorry, I didn't really consider this to be a big deal and I wanted to prove (mainly to myself) that it would work, so needed to fish for some clicks on IRC, all of which I did before even raising the trac ticket in the first place. Only afterwards I realised I might've created a problem by telling a few people about it. Sorry about that. It was only a few people though. Not wanting to wind you up more Tom, but you do know your fix is not working? Friending/unfriending functionality is currently broken? (Links on the site currently take you to 'not found' URLs.)

Author: TomH
As I said: "It breaks the links in the friend notification emails, but I will fix that tomorrow." So links on the site should work (because Rails will generate JS that does a POST when you click) but random links elsewhere like in the email will not work yet.

Author: Harry Wood
OK I see it's all fixed now ... after a brief re-opening of the vulnerability for a little while this evening if I'm not mistaken :-)
Reporter: Harry Wood
[Submitted to the original trac issue database at 6.07pm, Tuesday, 14th August 2012]
We have a GET URL for adding a friend without further prompts. E.g. click here to be my friend: http://www.openstreetmap.org/user/Harry%20Wood/make_friend
Obviously if I can trick anyone into following that link then I get to be their friend, which can be done in sneaky ways for example:
http://harrywood.dev.openstreetmap.org/amazing.html
Guess the fix would be to make it show a Yes/No confirmation at this URL.
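The issue above and TomH's emergency fix (switch the action to POST, which Rails then protects with its authenticity token) illustrate the general rule that a request which changes state must not be reachable by a plain GET. The following is an added, self-contained Ruby sketch written for this page; it is not the openstreetmap-website code, and the `FriendService` class, its session store and the `authenticity_token` parameter name are assumptions made for the example. It places the pre-fix handler (any link click adds the friend) next to the fixed handler (POST only, and only with a token the cross-site page cannot read), so the effect of each check can be exercised directly.

```ruby
require "securerandom"
require "uri"

# Hypothetical minimal "make friend" service (constructed for this example,
# not the project's code). The browser keeps the session id in a cookie, so
# it is sent automatically with any request the victim's browser makes,
# including ones triggered by a third-party page. The CSRF token, by contrast,
# is only rendered into the site's own pages and is never sent automatically.
class FriendService
  Response = Struct.new(:status, :body)

  def initialize
    @friends  = Hash.new { |h, k| h[k] = [] } # user name => [friend names]
    @sessions = {}                            # session id => { user:, csrf_secret: }
  end

  # Log a user in and return the session id the browser would store in a cookie.
  def login(user)
    sid = SecureRandom.hex(16)
    @sessions[sid] = { user: user, csrf_secret: SecureRandom.hex(32) }
    sid
  end

  # Token the site embeds in its own forms (Rails does this as authenticity_token).
  def csrf_token(sid)
    @sessions.fetch(sid)[:csrf_secret]
  end

  def friends_of(user)
    @friends[user]
  end

  # Pre-fix behaviour: the route performs the change regardless of method and
  # with no token, so any link the logged-in victim follows is enough.
  def handle_vulnerable(_method, path, sid)
    target = parse_make_friend(path)
    return Response.new(404, "not found") unless target
    session = @sessions[sid]
    return Response.new(401, "login required") unless session

    add_friend(session[:user], target)
    Response.new(200, "friend added")
  end

  # Fixed behaviour: POST only, and the request must carry the session's token.
  # The old GET links therefore resolve to "not found", as noted in the thread.
  def handle_fixed(method, path, sid, params = {})
    target = parse_make_friend(path)
    return Response.new(404, "not found") unless target
    session = @sessions[sid]
    return Response.new(401, "login required") unless session
    return Response.new(404, "not found") unless method == "POST"

    token = params["authenticity_token"].to_s
    unless secure_compare(token, session[:csrf_secret])
      return Response.new(422, "invalid authenticity token")
    end

    add_friend(session[:user], target)
    Response.new(200, "friend added")
  end

  private

  # Recognise /user/<name>/make_friend and return the decoded user name.
  def parse_make_friend(path)
    m = %r{\A/user/([^/]+)/make_friend\z}.match(path)
    m && URI.decode_www_form_component(m[1])
  end

  def add_friend(user, friend)
    @friends[user] << friend unless @friends[user].include?(friend)
  end

  # Constant-time comparison so token checking does not leak via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

The email-link problem TomH mentions follows from the same rule: an email can only carry a GET link, so that link should land on a confirmation page (the Yes/No prompt the reporter suggests) whose "Yes" button submits the POST form with the token, rather than performing the change itself.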