rm ([personal profile] rm) wrote 2010-03-03 07:35 pm

note to self and everyone else

You know when you get comment notifications?

You ever have the urge to just forward the comment to someone instead of digging around for the URL?

Don't do that.

Because if they're not paying attention, instead of replying to you they will type into the "reply to comment" window in the forwarded notification, and then they will post as you.

This public service announcement brought to you by *Head* and *Desk*.

[identity profile] cozzene.livejournal.com 2010-03-04 12:43 am (UTC)(link)
that's a rather inconvenient/possibly embarrassing glitch.

[identity profile] rm.livejournal.com 2010-03-04 01:13 am (UTC)(link)
Welcome to my Wednesday.

[identity profile] firinel.livejournal.com 2010-03-04 12:45 am (UTC)(link)
whoa, isn't that an enormous security breach? *boggles*

[identity profile] sixteenbynine.livejournal.com 2010-03-04 12:46 am (UTC)(link)
HOLY CRAP MAJOR SECURITY VIOLATION.

I write web apps on the side. One of my programming mentors was and is a guy who works on electronic voting security, so I've kind of had it drilled into me that you don't want to use things like temporary security tokens in a context like this.

Major, major, MAJOR security violation. I hope to god this is something that was introduced recently and not some glitch that's been floating around since before Nixon was in the White House or something.

[identity profile] maryling.livejournal.com 2010-03-04 02:42 am (UTC)(link)
No, it's been around for years. Happened to me several years back.

[personal profile] marcmagus 2010-03-04 04:29 am (UTC)(link)
They seriously haven't fixed this yet? Grrrr!

[identity profile] bodlon.livejournal.com 2010-03-04 12:49 am (UTC)(link)
Not only that, but testing it, it does not do useful Gmail things like asking if you mean to submit to an external page.

Methinks I need to point my contacts who work with LJ to this issue...

[personal profile] azurelunatic 2010-03-04 03:03 am (UTC)(link)
I reported it (as a volunteer) last year, coincidentally about fifteen minutes before I threw my annual temper tantrum about security by obscurity.

It's Known. I'm not sure how *well*-known (lots of people use the plain text notifications, and this is not a problem with the plain text notifications) but it's Known. I'll look-see if it's in the volunteer side of the bug-tracker, and if it is, I can ping so that they are aware that it is far less obscure than it was just a bit ago.
Edited 2010-03-04 11:56 (UTC)

[identity profile] bodlon.livejournal.com 2010-03-04 01:15 pm (UTC)(link)
It's interesting that this is a Known. Since making a post about it I've looked around some and seen others testing it. So it's not just a Known, it's a confirmed and quite well-functioning Known.

Which is kind of wild-ass scary.

I can see how it is useful - if one has multiple accounts and wants to be able to reply to things quickly, or if one wishes to reply without being logged in, etc. I just think perhaps that it's kind of a creepy work-around in those areas.

If it's intentional in that it's a feature, rather than a bug, it may be helpful to make the issue more explicitly known to users. A reminder at the top of Rich Text notifications, for example, might be useful.

[personal profile] azurelunatic 2010-03-04 01:27 pm (UTC)(link)
I was quite vigorously unhappy when I ran into it last year.

I started some pinging up the proper lines of communication, although I'm not sure when the relevant portions of staff are expected to actually be awake/on duty, nor what priority it's going to get assigned.

[identity profile] newsbean.livejournal.com 2010-03-04 03:51 pm (UTC)(link)
So, how do we turn on plain text notifications?

[identity profile] newsbean.livejournal.com 2010-03-04 04:21 pm (UTC)(link)
Thank you!

[identity profile] eac.livejournal.com 2010-03-04 12:56 am (UTC)(link)
...that would never have occurred to me -- and it does seem like a bad security glitch.

[identity profile] 51stcenturyfox.livejournal.com 2010-03-04 12:56 am (UTC)(link)
Thanks for the tip, but... LOL at this. How bizarre that LJ would do that. I believe the behavior should ideally be that you would reply as your own logged-in username, as you would when following a simple link or (less desirable) get an error.

I don't reply from email. Ever!

[identity profile] phaetonschariot.livejournal.com 2010-03-04 05:38 am (UTC)(link)
I don't just because I like picking my icon...

[identity profile] 51stcenturyfox.livejournal.com 2010-03-04 05:44 am (UTC)(link)
Yeah, that's the actual real reason. :)

[identity profile] tlatzomia.livejournal.com 2010-03-04 01:14 am (UTC)(link)
O_o

[personal profile] sethg 2010-03-04 01:27 am (UTC)(link)
If you do “view source” on the comment notification message, does your LJ password appear embedded in the HTML?

[identity profile] rm.livejournal.com 2010-03-04 01:29 am (UTC)(link)
Good question! And I just checked. It doesn't.

[personal profile] afuna 2010-03-04 06:15 am (UTC)(link)
The comment form uses a generated security token; your password is never sent in the clear (I hope that helps ease some concerns!)

[identity profile] kdsorceress.livejournal.com 2010-03-04 01:31 am (UTC)(link)
I...just...really?

_really?!_

I gotta go try some stuff, backsoon!

~Sor

[identity profile] nonlinearmusing.livejournal.com 2010-03-04 01:35 am (UTC)(link)
Whoa! That's good to know albeit slightly embarrassing. *snickers*

[identity profile] sorcyress.livejournal.com 2010-03-04 01:42 am (UTC)(link)
(hahahahah, I totally got confused when I forwarded it to my sorcyress gmail addy and it appeared in my kdsorceress inbox. Yay for automatic e-mail forwarding!)

OKAY! So, I just tried that -- I logged in as Sorcyress and left a comment on kdsorceress's livejournal. I then went to the e-mail, forwarded the "sorcy has left a comment on kds's entry" to another account, and went to the reply box. I babbled some stuff, and hit send.

When I hit send, I was logged in on livejournal as Sorcyress. However, the comment that was posted does indeed appear to be from kdsorceress. This is the most fiendish!

Gmail was at least kind -- it gave me two pop-ups, the first telling me I was submitting to an external page, and the second informing me that "This form will be sent in a way that is not secure. Are you sure you want to send it?" So, presumably if it was a true accident, you would notice those pop-ups, unless they don't pop up, like bodlon was saying.

Which, presumably if you reply to comments from the e-mail a lot, you'd have figured out how to shut those pop-ups up already.

Soyeah. This is neat, I want to know more!

~Sor

[identity profile] phaetonschariot.livejournal.com 2010-03-04 05:39 am (UTC)(link)
Or there's people like me who download their mail via POP3 to a program on their computer.

[identity profile] dr-is-in.livejournal.com 2010-03-04 01:45 am (UTC)(link)
Just tested it out with the help of a friend... it does do it. It's not just a one-time glitch. That's a major security issue I hope LJ doesn't just ignore.

[identity profile] amberite.livejournal.com 2010-03-04 03:33 am (UTC)(link)
Gargh WHUT.

Yeah, security fail.

[identity profile] copperbadge.livejournal.com 2010-03-04 04:05 am (UTC)(link)
Interestingly, I helped someone test this same glitch on Dreamwidth a while back, and we couldn't get it to work. We know it HAS happened on DW, because that's why she had me test it, but when we tried to re-create it, I continually got a "not authorised" message.

Sorry that happened to you -- I hope both you and your friend won't get too much crap for it.

[personal profile] afuna 2010-03-04 06:15 am (UTC)(link)
It was on DW as well, but we fixed it a while back -- sounds like the fix went out between the time your friend ran into it and the time you tried it.

[identity profile] copperbadge.livejournal.com 2010-03-04 05:12 pm (UTC)(link)
Well, there you have it then :) That's likely what happened. One more thing to add to my impending essay about Dreamwidth's inherent moral superiority to LJ.

[identity profile] darthhellokitty.livejournal.com 2010-03-04 04:45 am (UTC)(link)
Hel-loooo prank potential!

(Not that I would do that.)

[identity profile] wordweaverlynn.livejournal.com 2010-03-04 05:54 am (UTC)(link)
Argh, what a nightmare!

[identity profile] eumelia.livejournal.com 2010-03-04 06:50 am (UTC)(link)
Oh my word. That's... I'm a bit speechless here.

This is a major security nightmare! A nightmare! My paranoia has just flared up...

[identity profile] woogledesigns.livejournal.com 2010-03-04 12:01 pm (UTC)(link)
The URL is right there in the email for me as- "View the thread starting from this comment". So I never have to dig at all for the URL? But LJ should really fix that- I mean it can't be that hard to track the email account the form is coming from and check it against your email preferences, right?

[personal profile] sethg 2010-03-04 01:42 pm (UTC)(link)
This would protect against accidents, but not malice; email headers are easy to forge.
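The thread describes the mechanism in pieces: afuna notes that the reply form carries a generated security token, 51stcenturyfox suggests a reply should go out as the logged-in user or fail, woogledesigns proposes checking the sending mail account, and sethg points out that mail headers are forgeable. The Python below is an added example written for this page, not LiveJournal's or Dreamwidth's code; the server key, user names, comment id and token layout are all constructed. It contrasts a token-only design, in which whoever holds the forwarded form posts as the token's owner, with a design where the token merely scopes the reply (which comment, how long) and the poster's identity comes from the submitter's own logged-in session, so a forwarded notification can no longer speak for the person it was sent to.

```python
"""Added example (not LiveJournal's or Dreamwidth's code): a reply-by-email
token bound to the notified user, the comment and an expiry, plus a server-side
check that refuses to post unless the submitter's logged-in session matches the
token's owner. Key, names, ids and token format are constructed for the demo."""
import hashlib
import hmac

# Hypothetical server secret; a real deployment would load it from config.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
TOKEN_TTL = 7 * 24 * 3600  # assumed one-week lifetime for the emailed form


def make_reply_token(owner, comment_id, now, ttl=TOKEN_TTL):
    """Mint the token embedded in the HTML notification sent to `owner`."""
    payload = f"{owner}:{comment_id}:{now + ttl}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def parse_reply_token(token, comment_id, now):
    """Check integrity, scope and lifetime. Returns (owner, None) or (None, reason).
    Usernames are assumed not to contain ':' (the field separator)."""
    parts = token.split(":")
    if len(parts) != 4:
        return None, "malformed"
    owner, tok_comment, expires, mac = parts
    payload = f"{owner}:{tok_comment}:{expires}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None, "bad-signature"
    if tok_comment != str(comment_id):
        return None, "wrong-comment"
    if now > int(expires):
        return None, "expired"
    return owner, None


def post_reply_token_only(token, comment_id, now, body):
    """Weak design: the token alone decides who is posting, so forwarding the
    notification hands the recipient the owner's posting identity."""
    owner, reason = parse_reply_token(token, comment_id, now)
    if owner is None:
        return {"ok": False, "reason": reason}
    return {"ok": True, "posted_as": owner, "body": body}


def post_reply_with_session(token, session_user, comment_id, now, body):
    """Hardened design: the token only scopes the reply; identity comes from the
    submitter's logged-in session, which must be the user the token was issued to.
    The sending mail address is deliberately not consulted, since it is forgeable."""
    owner, reason = parse_reply_token(token, comment_id, now)
    if owner is None:
        return {"ok": False, "reason": reason}
    if session_user is None:
        return {"ok": False, "reason": "not-logged-in"}
    if session_user != owner:
        return {"ok": False, "reason": "not-authorised"}
    return {"ok": True, "posted_as": session_user, "body": body}


def demo(now=1_000_000, comment_id=12345):
    """Constructed scenario mirroring the test described in the thread:
    kdsorceress is notified, the mail is forwarded, and sorcyress submits it."""
    token = make_reply_token("kdsorceress", comment_id, now)
    weak = post_reply_token_only(token, comment_id, now, "hi")
    forwarded = post_reply_with_session(token, "sorcyress", comment_id, now, "hi")
    legit = post_reply_with_session(token, "kdsorceress", comment_id, now, "hi")
    # Flip the last hex digit of the MAC to show the integrity check.
    tampered_token = token[:-1] + ("0" if token[-1] != "0" else "1")
    tampered = post_reply_with_session(tampered_token, "kdsorceress", comment_id, now, "hi")
    return weak, forwarded, legit, tampered


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Running `demo()` shows the weak path posting as kdsorceress on the forwarded form, while the hardened path answers "not-authorised" for the other user, accepts the notified user, and rejects a modified token outright. The expiry and comment binding limit how long and where a leaked form remains usable at all.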

[identity profile] girlofavalon.livejournal.com 2010-03-04 01:10 pm (UTC)(link)
Forwarding a comment to someone is an idea that would never have occurred to me, but I am sorry this happened to you.

[identity profile] smirnoffmule.livejournal.com 2010-03-04 05:54 pm (UTC)(link)
Eek. That is alarming and sucky. Has someone let LJ know?

[identity profile] coriander.livejournal.com 2010-03-04 06:11 pm (UTC)(link)
Oops!

[identity profile] kylecassidy.livejournal.com 2010-03-05 01:21 am (UTC)(link)
I talked to LJ and posted an update over here (http://kylecassidy.livejournal.com/585577.html).

[personal profile] arethinn 2010-03-05 01:49 am (UTC)(link)
...

I didn't know you could post by replying to an email (aside from the special "post by email" setup where you send to a special address or something).

Maybe I'm not understanding what "reply box" is being talked about here?

[identity profile] rm.livejournal.com 2010-03-05 02:22 am (UTC)(link)
If you receive HTML comment notifications to an email account that can support it, you get a "reply to comment" box -- I am, in fact, using one right now.

[identity profile] butterbuns.livejournal.com 2010-03-05 02:12 am (UTC)(link)
It's awesome when someone's banned from a comm or doesn't want their name attached to wank, however :P

[identity profile] stardragonca.livejournal.com 2010-06-11 12:35 am (UTC)(link)
OY! Thanks for the heads up!