[personal profile] rm
You know when you get comment notifications?

You ever have the urge to just forward the comment to someone instead of digging around for the URL?

Don't do that.

Because if they're not paying attention, instead of replying to you they will type into the "reply to comment" window and then they will post as you.

This public service announcement brought to you by *Head* and *Desk*.

Date: 2010-03-04 12:43 am (UTC)
From: [identity profile] cozzene.livejournal.com
That's a rather inconvenient/possibly embarrassing glitch.

Date: 2010-03-04 01:13 am (UTC)
From: [identity profile] rm.livejournal.com
Welcome to my Wednesday.

Date: 2010-03-04 12:45 am (UTC)
From: [identity profile] firinel.livejournal.com
whoa, isn't that an enormous security breach? *boggles*

Date: 2010-03-04 12:46 am (UTC)
From: [identity profile] sixteenbynine.livejournal.com
HOLY CRAP MAJOR SECURITY VIOLATION.

I write web apps on the side. One of my programming mentors was and is a guy who works on electronic voting security, so I've kind of had it drilled into me that you don't want to use things like temporary security tokens in a context like this.

Major, major, MAJOR security violation. I hope to god this is something that was introduced recently and not some glitch that's been floating around since before Nixon was in the White House or something.

Date: 2010-03-04 02:42 am (UTC)
From: [identity profile] maryling.livejournal.com
No, it's been around for years. Happened to me several years back.

Date: 2010-03-04 04:29 am (UTC)
From: [personal profile] marcmagus
They seriously haven't fixed this yet? Grrrr!

Date: 2010-03-04 12:49 am (UTC)
From: [identity profile] bodlon.livejournal.com
Not only that, but testing it, it does not do useful Gmail things like asking if you mean to submit to an external page.

Methinks I need to point my contacts who work with LJ to this issue...

Date: 2010-03-04 03:03 am (UTC)
From: [personal profile] azurelunatic
I reported it (as a volunteer) last year, coincidentally about fifteen minutes before I threw my annual temper tantrum about security by obscurity.

It's Known. I'm not sure how *well*-known (lots of people use the plain text notifications, and this is not a problem with the plain text notifications) but it's Known. I'll look-see if it's in the volunteer side of the bug-tracker, and if it is, I can ping so that they are aware that it is far less obscure than it was just a bit ago.
Edited Date: 2010-03-04 11:56 am (UTC)

Date: 2010-03-04 01:15 pm (UTC)
From: [identity profile] bodlon.livejournal.com
It's interesting that this is a Known. Since making a post about it I've looked around some and seen others testing it. So it's not just a Known, it's a confirmed and quite well-functioning Known.

Which is kind of wild-ass scary.

I can see how it is useful - if one has multiple accounts and wants to be able to reply to things quickly, or if one wishes to reply without being logged in, etc. I just think perhaps that it's kind of a creepy work-around in those areas.

If it's intentional in that it's a feature, rather than a bug, it may be helpful to make the issue more explicitly known to users. A reminder at the top of Rich Text notifications, for example, might be useful.

Date: 2010-03-04 01:27 pm (UTC)
From: [personal profile] azurelunatic
I was quite vigorously unhappy when I ran into it last year.

I started some pinging up the proper lines of communication, although I'm not sure when the relevant portions of staff are expected to actually be awake/on duty, nor what priority it's going to get assigned.

Date: 2010-03-04 03:51 pm (UTC)
From: [identity profile] newsbean.livejournal.com
So, how do we turn on plain text notifications?

Date: 2010-03-04 04:21 pm (UTC)
From: [identity profile] newsbean.livejournal.com
Thank you!

Date: 2010-03-04 12:56 am (UTC)
From: [identity profile] eac.livejournal.com
...that would never have occurred to me -- and it does seem like a bad security glitch.

Date: 2010-03-04 12:56 am (UTC)
From: [identity profile] 51stcenturyfox.livejournal.com
Thanks for the tip, but... LOL at this. How bizarre that LJ would do that. I believe the behavior should ideally be that you would reply as your own logged-in username, as you would when following a simple link or (less desirable) get an error.

I don't reply from email. Ever!

Date: 2010-03-04 05:38 am (UTC)
From: [identity profile] phaetonschariot.livejournal.com
I don't just because I like picking my icon...

Date: 2010-03-04 05:44 am (UTC)
From: [identity profile] 51stcenturyfox.livejournal.com
Yeah, that's the actual real reason. :)

Date: 2010-03-04 01:27 am (UTC)
From: [personal profile] sethg
If you do “view source” on the comment notification message, does your LJ password appear embedded in the HTML?

Date: 2010-03-04 01:29 am (UTC)
From: [identity profile] rm.livejournal.com
Good question! And I just checked. It doesn't.

Date: 2010-03-04 06:15 am (UTC)
From: [personal profile] afuna
The comment form uses a generated security token; your password is never sent in the clear (I hope that helps ease some concerns!)

Date: 2010-03-04 01:31 am (UTC)
From: [identity profile] kdsorceress.livejournal.com
I...just...really?

_really?!_

I gotta go try some stuff, backsoon!

~Sor

Date: 2010-03-04 01:35 am (UTC)
From: [identity profile] nonlinearmusing.livejournal.com
Whoa! That's good to know albeit slightly embarrassing. *snickers*

Date: 2010-03-04 01:42 am (UTC)
From: [identity profile] sorcyress.livejournal.com
(hahahahah, I totally got confused when I forwarded it to my sorcyress gmail addy and it appeared in my kdsorceress inbox. Yay for automatic e-mail forwarding!)

OKAY! So, I just tried that -- I logged in as Sorcyress and left a comment on kdsorceress's livejournal. I then went to the e-mail, forwarded the "sorcy has left a comment on kds's entry" to another account, and went to the reply box. I babbled some stuff, and hit send.

When I hit send, I was logged in on livejournal as Sorcyress. However, the comment that was posted does indeed appear to be from kdsorceress. This is the most fiendish!

Gmail was at least kind -- it gave me two pop-ups, the first telling me I was submitting to an external page, and the second informing me that "This form will be sent in a way that is not secure. Are you sure you want to send it?" So, presumably if it was a true accident, you would notice those pop-ups, unless they don't pop up, like bodlon was saying.

Which, presumably if you reply to comments from the e-mail a lot, you'd have figured out how to shut those pop-ups up already.

Soyeah. This is neat, I want to know more!

~Sor

Date: 2010-03-04 05:39 am (UTC)
From: [identity profile] phaetonschariot.livejournal.com
Or there's people like me who download their mail via POP3 to a program on their computer.

Date: 2010-03-04 01:45 am (UTC)
From: [identity profile] dr-is-in.livejournal.com
Just tested it out with the help of a friend... it does do it. It's not just a one-time glitch. That's a major security issue I hope LJ doesn't just ignore.

Date: 2010-03-04 03:33 am (UTC)
From: [identity profile] amberite.livejournal.com
Gargh WHUT.

Yeah, security fail.

Date: 2010-03-04 04:05 am (UTC)
From: [identity profile] copperbadge.livejournal.com
Interestingly, I helped someone test this same glitch on Dreamwidth a while back, and we couldn't get it to work. We know it HAS happened on DW, because that's why she had me test it, but when we tried to re-create it, I continually got a "not authorised" message.

Sorry that happened to you -- I hope both you and your friend won't get too much crap for it.

Date: 2010-03-04 06:15 am (UTC)
From: [personal profile] afuna
It was on DW as well, but we fixed it a while back -- sounds like the fix went out between the time your friend ran into it and the time you tried it.

Date: 2010-03-04 05:12 pm (UTC)
From: [identity profile] copperbadge.livejournal.com
Well, there you have it then :) That's likely what happened. One more thing to add to my impending essay about Dreamwidth's inherent moral superiority to LJ.

Date: 2010-03-04 04:45 am (UTC)
From: [identity profile] darthhellokitty.livejournal.com
Hel-loooo prank potential!

(Not that I would do that.)

Date: 2010-03-04 05:54 am (UTC)
From: [identity profile] wordweaverlynn.livejournal.com
Argh, what a nightmare!

Date: 2010-03-04 06:50 am (UTC)
From: [identity profile] eumelia.livejournal.com
Oh my word. That's... I'm a bit speechless here.

This is a major security nightmare! A nightmare! My paranoia has just flared up...

Date: 2010-03-04 12:01 pm (UTC)
From: [identity profile] woogledesigns.livejournal.com
The URL is right there in the email for me as "View the thread starting from this comment". So I never have to dig at all for the URL? But LJ should really fix that -- I mean it can't be that hard to track the email account the form is coming from and check it against your email preferences, right?

Date: 2010-03-04 01:42 pm (UTC)
From: [personal profile] sethg
This would protect against accidents, but not malice; email headers are easy to forge.
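An added worked example (not LiveJournal's or Dreamwidth's code) that models what afuna, copperbadge and sethg describe above. The reply form in the HTML notification carries a generated, signed token rather than a password, but in the behaviour this thread reports that token alone decides whose name the comment is posted under, so whoever holds the forwarded mail posts as the original recipient. The hardened variant keeps the token only to identify which form was submitted and takes the author from the logged-in browser session, refusing when that session does not belong to the recipient the token was issued to, which is the kind of "not authorised" result copperbadge hit on Dreamwidth. The token layout (HMAC-SHA256 over JSON claims), the secret, the lifetime, the function names and the usernames in the replayed scenario are all constructed for this demo; nothing here is known about how either site actually implements it.

```python
# Added example, not LiveJournal's or Dreamwidth's code. Models a notification
# reply-form token that is signed (cannot be altered) but, in the vulnerable
# handler, acts as a bearer credential: anyone who holds it posts as its recipient.
# Token layout, secret, lifetime, names and the scenario are constructed for the demo.
import base64
import binascii
import hashlib
import hmac
import json

SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed; real deployments load this from config
TOKEN_TTL = 7 * 24 * 3600  # assumed lifetime of a notification reply form, in seconds


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()


def issue_reply_token(recipient, comment_id, issued_at, ttl=TOKEN_TTL):
    """Mint the token the server embeds in the HTML notification sent to `recipient`.
    It is HMAC-signed, so nobody can alter the claims, but whoever holds it can present it."""
    claims = {"user": recipient, "comment": comment_id, "exp": issued_at + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SERVER_SECRET, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_reply_token(token, now):
    """Return the claims if the signature is valid and the token has not expired, else None."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(body)
    if claims.get("exp", 0) < now:
        return None
    return claims


def post_reply_vulnerable(token, text, session_user, now):
    """Behaviour the thread reports: a valid token alone decides the author.
    `session_user` (who the submitting browser is logged in as) is ignored entirely."""
    claims = verify_reply_token(token, now)
    if claims is None:
        return {"ok": False, "error": "invalid or expired token"}
    return {"ok": True, "author": claims["user"], "in_reply_to": claims["comment"], "text": text}


def post_reply_hardened(token, text, session_user, now):
    """Same token, but it only identifies which form was submitted. The author comes from
    the logged-in session, which must be the recipient the token was issued to. A forwarded
    notification then posts as nobody: the forwardee's session does not match, and a
    logged-out submitter has no session at all."""
    claims = verify_reply_token(token, now)
    if claims is None:
        return {"ok": False, "error": "invalid or expired token"}
    if session_user is None or session_user != claims["user"]:
        return {"ok": False, "error": "not authorised"}
    return {"ok": True, "author": session_user, "in_reply_to": claims["comment"], "text": text}


def forge_recipient(token, new_user):
    """What a forwardee might try next: rewrite the recipient claim but keep the old signature."""
    body_b64, sig_b64 = token.split(".")
    claims = json.loads(base64.urlsafe_b64decode(body_b64))
    claims["user"] = new_user
    return _b64(json.dumps(claims, sort_keys=True).encode()) + "." + sig_b64


def demo():
    """Replay sorcyress's experiment from the thread: kdsorceress receives the notification,
    forwards it, and sorcyress submits the form while logged in as sorcyress."""
    issued = 1_000_000
    now = issued + 3600
    token = issue_reply_token("kdsorceress", comment_id=4242, issued_at=issued)
    return {
        "vulnerable_forwarded": post_reply_vulnerable(token, "hello", "sorcyress", now),
        "hardened_forwarded": post_reply_hardened(token, "hello", "sorcyress", now),
        "hardened_logged_out": post_reply_hardened(token, "hello", None, now),
        "hardened_recipient": post_reply_hardened(token, "hello", "kdsorceress", now),
        "hardened_forged": post_reply_hardened(forge_recipient(token, "rm"), "hello", "rm", now),
        "hardened_expired": post_reply_hardened(token, "hello", "kdsorceress", issued + TOKEN_TTL + 1),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} {result}")
```

Two things worth noticing. The hardened handler consults only the token and the browser session: the form arrives at the server as an HTTP POST, so the mail's From address never reaches it, which is why checking "the email account the form is coming from" cannot be made to work even before considering forged headers. And the signature stops the forwardee from editing the recipient inside the token (`hardened_forged` fails signature verification), but on its own does nothing against replaying the token unchanged; that is exactly the gap the session binding closes.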

Date: 2010-03-04 01:10 pm (UTC)
From: [identity profile] girlofavalon.livejournal.com
Forwarding a comment to someone is an idea that would never have occurred to me, but I am sorry this happened to you.

Date: 2010-03-04 05:54 pm (UTC)
From: [identity profile] smirnoffmule.livejournal.com
Eek. That is alarming and sucky. Has someone let LJ know?

Date: 2010-03-05 01:21 am (UTC)
From: [identity profile] kylecassidy.livejournal.com
I talked to LJ and posted an update over here (http://kylecassidy.livejournal.com/585577.html).

Date: 2010-03-05 01:49 am (UTC)
From: [personal profile] arethinn
...

I didn't know you could post by replying to an email (aside from the special "post by email" setup where you send to a special address or something).

Maybe I'm not understanding what "reply box" is being talked about here?

Date: 2010-03-05 02:22 am (UTC)
From: [identity profile] rm.livejournal.com
If you receive HTML comment notifications to an email account that can support it, you get a "reply to comment" box -- I am, in fact, using one right now.

Date: 2010-03-05 02:12 am (UTC)
From: [identity profile] butterbuns.livejournal.com
It's awesome when someone's banned from a comm or doesn't want their name attached to wank, however :P

Date: 2010-06-11 12:35 am (UTC)
From: [identity profile] stardragonca.livejournal.com
OY! Thanks for the heads up!

Page generated Jan. 15th, 2026 09:45 pm
Powered by Dreamwidth Studios