I heard allot of buzz around the security issues with diaspora, can someone summarize what they were?
+5
A:
They've since patched many of them, but really the whole project was a mess of nearly every web-based security exploit in the book. Here's a quick rundown of the problems from day one of their alpha code release:
- They never validated that a given user ever had permission to do anything. So while a user could go to
/image/123/delete/
to delete an image of their own (whose ID happened to be 123), they could just manually type in the URL/image/1/delete/
to delete the image with an ID of 1, even if that image wasn't their's. - They used a shortcut feature in Ruby on Rails that allows you to just mass assign POST'ed properties to a database table without validating that those properties were actually in the form. So while a profile update page might just have fields to change an avatar image and bio description, anyone with a little know-how could fiddle with the POST data before it was sent to the server and also send along column/value pairs like username, password, session ID, etc. Combine that with point #1 where you can just modify anyone's data if you know the URL, and you can set anyone's private information to whatever you want.
- They used MongoDB for their backend. For the uninformed, Mongo uses Javascript for some of its querying capabilities. They took raw search query strings and just executed them against their Mongo backend, which would allow anyone sending well-formed Javascript as a query to do really whatever they wanted with the database.
If you're curious about the technical details, feel free to educate yourself.
Pewpewarrows
2010-10-05 20:58:47