How I "hacked" Dustin Curtis's Posterous.
Dustin mentioned in his article that he didn't require a password, and I wanted to see if he had used the confirmation skip.
Just wanted to apologise to Dustin about any inconvenience, but I do hope I opened his eyes to security a little!
EDIT: A little bit of backstory.
Dustin seems to think, that I did this because of a comment he made, on how the headers could be forged. I had not read this comment. Infact, I read his article, and using the knowledge that I picked up years ago, that you could change the outgoing email address in Outlook (Although, it was Outlook Express in them days) I changed my email to his email.
I saw his email on his website (hi@dustincurtis.com) and thought, "No, he wouldn't be sending his personal emails from that address, that's silly."
I checked the WHOIS on his domain, and saw another email address there. I changed my email, sent a quick "Apparently..." message, and then changed it back to my original email address. I checked his blog, and it didn't seem to work.
I then went to sign up for my own posterous, to play a bit more, and I saw that you had to authorise your posts. Then I saw how this could be disabled for convenience. A few minutes later and the post showed up.
I am a Web Developer, I have experience with bash scripting, curl, sendmail and everything else you would need to fake headers.
I did not fake headers, I changed one field in Outlook. I didn't do this maliciously, and I just did it to prove a point.
Posterous should not be using email alone to authorise posts, and they should not let you disable submission checking.
122 comments
[ 4.8 ms ] story [ 225 ms ] threadI really hope they don't complicate an otherwise zen-like experience.
And this wouldn't fix the issue at all... I bet that 80%+ of users would leave the default post@ submission address.
That seems like a very dogmatic attitude. Security almost always comes at some cost (e.g., inconvenience), and sometimes that cost is not worth the benefit.
And I stand by what I wrote earlier, if you want to add some security options then they should be enabled by default. Having even the best security system in-place is useless when it's disabled. Isn't it?
I use a service called Postful to send snail mail via email, that has security along these lines -- I email them a PDF with a mailing address in the subject line, and they post a letter and charge me a buck. They give security options (in my case, I include a "secret" word in the subject line, and there's a confirmation link that's emailed to me), but if I wanted, I could even let anyway send email to a given postful.com address, and it would mail a letter on my dime with no confirmation.
I haven't heard about any abuses.
This isn't UUCP, the message will go from A to B across the internet backbone. There will only be SMTP relays along the way if either your email host or the receiver's email host has chosen to set things up that way. We'd have a much bigger problem with internet security if everyone's email was relayed through questionable servers as a matter of course.
More secure than no password, but not secure.
More to the point, what you are saying is that your ISP can read your unencrypted internet traffic. This is not news.
This way, grandpa talking about his dog doesn't need to bother learning about security he doesn't really care about and the power user can post securely if it so happens that someone decides to spam his blog
If your address is gmail and my address is gmail, our mx domain has the same spf record and same IPs. Sure, some mail servers will prevent you from authenticating with one ID and sending as another, but many others will let that slide.
Gmail won't. Hotmail won't. Yahoo won't. In fact I can't think of a single authenticating mail service that doesn't also validate authorization (e.g. you can only send as you).
Now maybe you're going to point out micro-mail servers, but that's kind of beside the point because very few other people share it with you. e.g. you used gmail as your example, but services like gmail aren't vulnerable to that.
Certainly not ideal. Typos would confuse matters and the idea of secret word authentication is not exactly common/obvious for the masses.
Nice hack, BTW.
Our goal is to eat, without paying, at the local restaurant. And we've got a lot of options. We can eat and run. We can pay with a fake credit card, a fake check, or counterfiet cash. We can persuade another patron to leave the restraunt without eating and eat his food. We can impersonate (or actually become) a cook, a waiter, a manage, or the restraunt owner (who might actually be someone that few workers have ever met). We could snatch a plate off someone's table before he eats it, or from under the heat lamps before the waiter could get to it. We can wait at the dumpster for the busboy to throw away the leftovers. We can pull the fire alarm and sneak in after everyone evacuates. We can even try to persuade the manager that we're some kind of celebrity who deserves a free breakfast, or maybe we can find a gullible patron and tal her into paying for our food. We could mug someone, nowhere near the restraunt, and buy the pancakes. We could forge a coupon for free pancakes. And there's always the time-honored tradition of pulling a gun and shouting, "Give me all your pancakes".
IANAL, and it's not exactly the same circumstances, but when Sarah Palin's e-mail was hacked during the 2008 U.S. presidential campaign, the FBI and Secret Service both "got involved". According to Wikipedia the hacker in question was eventually found guilty of (1) felony obstruction of justice by destruction of records and (2) misdemeanor unauthorized access to a computer.
http://en.wikipedia.org/wiki/Sarah_Palin_email_hack
The parent has a lot of upvotes, so I really want to know why they agree he committed a crime, rather than found a bug.
Fraud, maybe, but only at a long stretch.
It certainly would never reach prosecution.
Would half fix this problem.
Same with privacy, see Facebook.
Note: Creating a "private" email address is beyond the capabilities of 75% of the people I know, who believe that email addresses are exclusively created and assigned by ISPs or employers. I doubt that Posterous will do anything to alienate this group, who appear to be an important target audience.
SPF tells you that the email really came from my server. That the email really came from my server tells you that it's really me, as sending through my server requires a password.
Sadly SPF is grossly underused.
B566EA61026F474BA8ADB877FF765087@postereous.com
If you're on another device just email whoami@postereous.com and it responds with with your GUID post address. Of course email is hardly confidential, and it would be sent in the clear, but it's a heck of a lot more powerful than simply looking at a from address.
I was mistaken. You're right, I haven't had my coffee yet.
Seems simple:
If your mail/DNS is setup to support either of these, then cool you don't need to confirm.
Else, you must "ok" each post.
DONE
Very few mail servers allow you to that. Once you add sender authentication, it generally comes with sender authorization.
>Besides, the fact that your domain requires a password is only meaningful to you
Almost all SMTP servers are locked down now, most requiring authentication. Those that aren't get blacklisted pretty quickly.
SPF tells you that the sender is authorized to send on behalf of that person.
It solves 99.9% of the issue.
I assumed that Posterous did something clever using the IP address of the SMTP peer or the headers in the message. Does Posterous fallback to just checking the sender email address?
Apparently so, I didn't even change my name.
EDIT: You must not be using Google Apps for Your Domain because Google does not allow sender forging.
EDIT: Although it is fun to think of solutions ... Posterous could mail you back a link; when you hit the link the post goes live. Then you would clearly need control of the sending address to post. And the link could just go to the new article, which you'll likely want to look at anyway.
This is going to be a serious issue for Posterous if they ever go mainstream. Opt-in authentication schemes won't be enough to prevent scores of naive people from being humiliated the first time, particularly teenagers.
I realize the security implications of all of the latest Posterous musings. But the fact is if Posterous didn't allow you to disable this I'd stop using their service. Posterous knows this.
My use case for Posterous is my phone. It has a nice 8 megapixel camera, and with literally two clicks I can have a picture sent to my Posterous blog. Is it secure? Not at all. Is it extremely convenient and productive? Absolutely.
SPF solves almost all of the issue. Unique mailing addresses should be available for users who want it (yeah most people can handle an address book). The absence of those is just grossly incompetent.
What's different between the way they did it and the way you did it? I'm assuming they also simply changed their email address in their mail client to try to send to my account.
he was successful.
seriously, though, the difference probably is that you put more time and effort into creating a posterous that was more secure. something as simple as "create it using a difficult email address" should cover most bases. something that most people likely don't do.
This worked very well the day I played a prank on my boss - the boss had sent out an email forged to appear it came from a co-worker that was supposed to be funny but hurt the co-worker's feelings badly. Co-worker wanted revenge, so I created a "letter of resignation" that appeared to come from the boss and that appeared to have been sent to every member of our company - but was really only sent to the boss himself.
Co-worker later told me he saw the boss running from office to office trying to do "damage control" before he realized no one else had actually gotten the email.
Just registering the "usual" smtp sender / relay and prompting the user before posting something from a different spot could help. I don't know enough about MX records yet, but matching up the domain and sending IP could be another good measure. How else can this be improved?
Yes, someone did figure out how to post to Dustin's site today. This security hole is now fixed.
We had a specific problem with the way we dealt with SPF records. Dustin didn't set any up, and there was a specific way that Robin Duckett's email server responded that caused us to flag it as a false negative for spoofing.
For the vast majority of users who use gmail, hotmail or other services, this was never an issue.
Since our launch on day one, we have taken email spoof detection very seriously. It's one of our core differentiators: to be able to securely post to your blog by emailing a single, easy to remember address. We don't want to do secret addresses or secret words.
Over the past 2 years, we've developed robust spoof detection ip and spend a ton of time trying to stay a step ahead of hackers. Fortunately, we've only had a few very specific, isolated cases where one of our sites was spoofed and each time we have improved our system.
Thanks for bringing this to our attention. We always need to be one step ahead of the hackers/spoofers, and we thank the Hacker News community for keeping us on our toes!
Posterous:email spoof detection PayPal:credit card fraud detection
See the section in Founders at Work on the value that better fraud detection created for PayPal.
The only other person so far to comment under the co-founder on this thread (at time of writing) is jseeba, who has had very little activity and one of the few comments he's ever made was in a thread called "Ask YC: Your favorite startups" where he said "Posterous. It just works." So jseeba doesn't do much around here in the 2 or so years he's been a member but made time to chime in for Posterous again.
A year or two later, I was interviewing at a company whose product has a similar feature (post todos more or less), and decided to see if I could post to my friends todo list. I was thinking that if I could, I'd post to the guy who was interviewing me's list "Hire Andrew--he exposed a hole." It didn't work on my friends account, and I got an email a couple of minutes later. "I see you were doing some fuzzing, were you able to get any messages through?" I wasn't able to (though I didn't try too hard), and I didn't get the job either. (I ended up with a better job, so it all worked out).
That would probably improve your security too.
Warning him would have been nice, this IS, by definition almost, malicious - regardless of how you chose to interpret the word yourself.
We were using posterous fairly often a while back, until my friend got into an argument with the posterous founder. He (my friend) had a few beers and then wrote a stupid message, basically saying that the posterous idea in general was bad (using different words :> ).
Then posterous founder replied saying he was banning my friend. We never found out if he actually followed through- because all of us (~15 guys) stopped using it completely the next day.
We, as users, have many options when choosing where to host our data, and we want services that are useful, secure, ethical, and beautiful.
http://charisma.posterous.com/
This one is not ready for us.