
How I "hacked" Dustin Curtis's Posterous. - robinduckett
I logged into my outlook, changed my email address to his email address, and sent the email to post@posterous.com.

Dustin mentioned in his article that he didn't require a password, and I wanted to see if he had used the confirmation skip.

Just wanted to apologise to Dustin about any inconvenience, but I do hope I opened his eyes to security a little!

EDIT: A little bit of backstory.

Dustin seems to think that I did this because of a comment he made on how the headers could be forged. I had not read this comment. In fact, I read his article, and using the knowledge that I picked up years ago, that you could change the outgoing email address in Outlook (although it was Outlook Express in them days), I changed my email to his email.

I saw his email on his website (hi@dustincurtis.com) and thought, "No, he wouldn't be sending his personal emails from that address, that's silly."

I checked the WHOIS on his domain, and saw another email address there. I changed my email, sent a quick "Apparently..." message, and then changed it back to my original email address. I checked his blog, and it didn't seem to work.

I then went to sign up for my own posterous, to play a bit more, and I saw that you had to authorise your posts. Then I saw how this could be disabled for convenience. A few minutes later and the post showed up.

I am a Web Developer, I have experience with bash scripting, curl, sendmail and everything else you would need to fake headers.

I did not fake headers, I changed one field in Outlook. I didn't do this maliciously, and I just did it to prove a point.

Posterous should not be using email alone to authorise posts, and they should not let you disable submission checking.
======
a4agarwal
Hey guys. I'm the cofounder of Posterous.

Yes, someone did figure out how to post to Dustin's site today. This security
hole is now fixed.

We had a specific problem with the way we dealt with SPF records. Dustin
didn't set any up, and there was a specific way that Robin Duckett's email
server responded that caused us to flag it as a false negative for spoofing.

For the vast majority of users who use gmail, hotmail or other services, this
was never an issue.

Since our launch on day one, we have taken email spoof detection very
seriously. It's one of our core differentiators: to be able to securely post
to your blog by emailing a single, easy to remember address. We don't want to
do secret addresses or secret words.

Over the past 2 years, we've developed robust spoof detection ip and spend a
ton of time trying to stay a step ahead of hackers. Fortunately, we've only
had a few very specific, isolated cases where one of our sites was spoofed and
each time we have improved our system.

Thanks for bringing this to our attention. We always need to be one step ahead
of the hackers/spoofers, and we thank the Hacker News community for keeping us
on our toes!

~~~
coderdude
Odd, the other Posterous threads are getting buried so quickly. When a new
comment is posted in any thread it appears at the top, except for these
Posterous threads. Is this damage control on the part of YC?

The only other person so far to comment under the co-founder on this thread
(at time of writing) is jseeba, who has had very little activity and one of
the few comments he's ever made was in a thread called "Ask YC: Your favorite
startups" where he said "Posterous. It just works." So jseeba doesn't do much
around here in the 2 or so years he's been a member but made time to chime in
for Posterous again.

~~~
adrianscott
This happened to me too when I submitted a link about Posterous. Not long
after it made it to the front page, the subject was changed to an inaccurate
and less attention-getting subject. Moderator power...

------
jgrahamc
I agree with the conclusion. Posterous could fix this problem by implementing
something like The Zucchini Method
([http://www.jgc.org/antispam/03152005-2150120647b00f4af9d3443...](http://www.jgc.org/antispam/03152005-2150120647b00f4af9d3443f97783bf2.pdf)
[PDF]). Basically, they could accept posts via email as long as the user
included some hard to guess word (or other token) in the subject line.

~~~
there
or do what flickr does and give you a unique email address to send to that
only you will know. you can add it to your address book so you won't have to
remember it, and it's probably stronger than what most users would choose for
a password.

~~~
russell_h
Such considerations might be overkill for flickr/posterous but that does leave
your "secret" email address in the logs of every smtp relay along the way. It's
sort of equivalent to putting a password in a URL.

~~~
InclinedPlane
"smtp relay along the way"?

This isn't UUCP, the message will go from A to B across the internet backbone.
There will only be SMTP relays along the way if either your email host or the
receiver's email host has chosen to set things up that way. We'd have a much
bigger problem with internet security if everyone's email was relayed through
questionable servers as a matter of course.

~~~
jrockway
Most residential DSL and cable users are prohibited from connecting to port
25, except on a special "smarthost". This machine, and anyone reading its
logs, will learn your blog password.

More secure than no password, but not secure.

~~~
olefoo
Fortunately most of the people who operate mail relays for ISPs are honest and
responsible.

------
jcromartie
If Dustin were a major corporation or a politician, you'd be talking to the
FBI and facing prosecution right now.

Nice hack, BTW.

~~~
robinduckett
Hardly a hack!

~~~
rubyrescue
it's a hack in the Bruce Schneier "easiest way to steal pancakes has nothing
to do with where money changes hands" sense...

 _Our goal is to eat, without paying, at the local restaurant. And we've got a
lot of options. We can eat and run. We can pay with a fake credit card, a fake
check, or counterfeit cash. We can persuade another patron to leave the
restaurant without eating and eat his food. We can impersonate (or actually
become) a cook, a waiter, a manager, or the restaurant owner (who might actually
be someone that few workers have ever met). We could snatch a plate off
someone's table before he eats it, or from under the heat lamps before the
waiter could get to it. We can wait at the dumpster for the busboy to throw
away the leftovers. We can pull the fire alarm and sneak in after everyone
evacuates. We can even try to persuade the manager that we're some kind of
celebrity who deserves a free breakfast, or maybe we can find a gullible
patron and talk her into paying for our food. We could mug someone, nowhere
near the restaurant, and buy the pancakes. We could forge a coupon for free
pancakes. And there's always the time-honored tradition of pulling a gun and
shouting, "Give me all your pancakes"._

~~~
jbrennan
You've made this celiac crave pancakes again. Bad.

~~~
xinsight
You can't tolerate gluten and you've never tried buckwheat pancakes? I find
them superior to normal wheat pancakes in every way.

~~~
jbrennan
Don't judge me.

~~~
xinsight
Sorry, my tone might have been off. What I meant was: Buckwheat pancakes don't
have gluten and are amazing. If you don't know about them, give 'em a try!

------
notaddicted
This is a clear example of "good enough." Low security for low value targets
-- if you need more you can get it. Setting a password, remembering a special
email address, not posting via blackberry/mobile, all of these add friction.

EDIT: Although it is fun to think of solutions ... Posterous could mail you
back a link; when you hit the link the post goes live. Then you would clearly
need control of the sending address to post. And the link could just go to the
new article, which you'll likely want to look at anyway.

~~~
olalonde
I second. I have some flowers outside my house and they never got stolen. I
think a lot of hackers overrate security just like a lot of nurses see
diseases everywhere.

------
city41
> and they should not let you disable submission checking

I realize the security implications of all of the latest Posterous musings.
But the fact is if Posterous didn't allow you to disable this I'd stop using
their service. Posterous knows this.

My use case for Posterous is my phone. It has a nice 8 megapixel camera, and
with literally two clicks I can have a picture sent to my Posterous blog. Is
it secure? Not at all. Is it extremely convenient and productive? Absolutely.

~~~
WiseWeasel
Maybe they could add a link in the confirmation email for 'never ask for
confirmation to post from this location', which would whitelist that
mailserver for posting without confirmation.

------
obvioustroll
Heh. Back when alternate email protocols were still common, it was my job to
help support the "smtp gateway" product for a large corporation. I got to the
point where I could forge emails by typing in SMTP by hand.

This worked very well the day I played a prank on my boss - the boss had sent
out an email forged to appear it came from a co-worker that was supposed to be
funny but hurt the co-worker's feelings badly. Co-worker wanted revenge, so I
created a "letter of resignation" that appeared to come from the boss and that
appeared to have been sent to every member of our company - but was really
only sent to the boss himself.

Co-worker later told me he saw the boss running from office to office trying
to do "damage control" before he realized no one else had actually gotten the
email.

------
icey
I feel like I'm missing something... Yesterday we were talking about the
protections on Posterous and I posted an invitation to try to post to a
Posterous I had set up (<http://news.ycombinator.com/item?id=1439376>). I got
a bunch of emails from Posterous as a result of people trying to fake post to
the account that I'd set up.

What's different between the way they did it and the way you did it? I'm
assuming they also simply changed their email address in their mail client to
try to send to my account.

~~~
noodle
> What's different between the way they did it and the way you did it?

he was successful.

seriously, though, the difference probably is that you put more time and
effort into creating a posterous that was more secure. something as simple as
"create it using a difficult email address" should cover most bases. something
that most people likely don't do.

~~~
icey
I put zero time into it. I created a brand new Posterous account, left
everything as the default and posted the email address tied to the account
here.

~~~
jaycee
I believe the default requires authorizing your posts. That may be the issue.

------
latj
Why we quit posterous:

We were using posterous fairly often a while back, until my friend got into an
argument with the posterous founder. He (my friend) had a few beers and then
wrote a stupid message, basically saying that the posterous idea in general
was bad (using different words :> ).

Then posterous founder replied saying he was banning my friend. We never found
out if he actually followed through, because all of us (~15 guys) stopped
using it completely the next day.

We, as users, have many options when choosing where to host our data, and we
want services that are useful, secure, ethical, and beautiful.

<http://charisma.posterous.com/>

This one is not ready for us.

------
martian
Does Posterous filter SEO spam? Otherwise this loophole seems like a perfect
opportunity for SEO spam to start filtering in on lapsed accounts that still
have some PageRank...

~~~
rantfoil
We do kill it and we're building a comprehensive spam killing system too. SEO
spam is not welcome on Posterous in the least.

------
frognibble
How does Posterous authenticate a message in the absence of DKIM or SPF
records in DNS? The domain dustincurtis.com does not have an SPF record and
DKIM is not supported by the mail host for dustincurtis.com (Google Apps for
your Domain).

I assumed that Posterous did something clever using the IP address of the SMTP
peer or the headers in the message. Does Posterous fall back to just checking
the sender email address?

~~~
robinduckett
> Does Posterous fall back to just checking the sender email address?

Apparently so, I didn't even change my name.

~~~
frognibble
Do you use Google Apps For Your Domain? If so, that might have foiled any IP
address checking because dustincurtis.com is also hosted there.

EDIT: You must not be using Google Apps for Your Domain because Google does
not allow sender forging.

------
shalmanese
All of you proposing obscure emails and other solutions, one of the reasons
posterous' founders claim for their success is that they explicitly did NOT do
any of those things. In fact, they're pretty clear that if they had done any
of those things, posterous would have failed.

------
drp
Hey, you left your door unlocked so I painted this sign on it to let everyone
know.

~~~
coderdude
That's what happens when you don't even have a door lock to begin with, then
go tell the whole world about it. (Dustin told the whole world about not
having a password. Not this guy.)

------
notphilatall
I was thinking about implementing a posterous-like email system for
calendaring, and was wondering how they authenticated the emails. I recall
them getting "hacked" around launch and there being some TC article about how
they responded swiftly by adding new security measures.

Just registering the "usual" smtp sender / relay and prompting the user before
posting something from a different spot could help. I don't know enough about
MX records yet, but matching up the domain and sending IP could be another
good measure. How else can this be improved?

------
guinness
E-mail provides no security. An e-mail can be forged simply by using telnet to
connect to an SMTP server (usually your ISP's) and typing the appropriate
message (see Wikipedia: SMTP). The easiest fix for this is PGP as mentioned in
previous posts. This is, however, a horrible solution since it will alienate
many users (think your mother). The simplest solution that will do a good
enough job is to send back an e-mail to the user with a 'preview' of his post
for him to OK it since receiving e-mails is more secure.

~~~
ergo98
Which provides a great way to spam people. The preview idea sucks.

SPF solves almost all of the issue. Unique mailing addresses should be
available for users who want it (yeah most people can handle an address book).
The absence of those is just grossly incompetent.

------
some1else
It seems like a fault that wouldn't hurt the entire system, but it may cause a
dilemma similar to Facebook's design flaw, where disowned groups could be taken
under control - <http://mashable.com/2009/11/10/facebook-groups-hacked/>. As
with every such flaw, it's likely to start attracting spammers, and should be
dealt with in some way (Facebook seems to have disabled reclaiming ownership
of groups without admins?)

~~~
robinduckett
post+uniqueapikey@posterous.com

Would half fix this problem.

~~~
evandavid
or even post+memorableuniqueword@posterous.com

------
jheriko
You could have told him instead of being a jerk - I know from experience that
this doesn't work, say in the work place, where proving your point like this
is vital if you want to be heard - but for regular people this is basically an
attack. Worst of all you told everyone else how to do it...

Warning him would have been nice, this IS, by definition almost, malicious -
regardless of how you chose to interpret the word yourself.

------
code_duck
Sending email apparently from a particular address, as described, is so simple
I can't believe two things: 1, that Posterous was set up to let that happen
and 2, that in 2010, the email system is still so dumb that I can send mail
with any sender address that to the majority of people would be
indistinguishable from mail genuinely from the sending address.

------
mjijackson
Nice hack. You're going to spawn a whole new generation of hackers that uses
Outlook to wreak havoc. ;)

------
pavs
It's cute, but it's not a hack.

~~~
robinduckett
Yeah I forgot my sarcasm airquotes.

------
coderdude
Why on Earth would anyone use the confirmation skip? That's basically security
through obscurity. Even less so if the email address you use is known by
people.

~~~
qjz
Interesting point, because it suggests that an email address that was kept
private and dedicated to Posterous posting could have prevented this attack.
So, is this weak security on the part of Posterous, or excellent social
engineering on the part of robinduckett? At the least, it's like he simply
asked the target for a password; at the most, it's like he found the spare
door key in the fake 7-Up can in the garden shed.

Note: Creating a "private" email address is beyond the capabilities of 75% of
the people I know, who believe that email addresses are exclusively created
and assigned by ISPs or employers. I doubt that Posterous will do anything to
alienate this group, who appear to be an important target audience.

~~~
rantfoil
Actually it was a bug, and it's now fixed.

------
ergo98
Does Posterous not support SPF?

SPF tells you that the email really came from my server. That the email really
came from my server tells you that it's really me, as sending through my
server requires a password.

Sadly SPF is grossly underused.

~~~
eli
Sure, they could check SPF, but what if _your_ mail server doesn't support it?
Reject the message?

~~~
ergo98
If SPF isn't configured on the domain then it should simply go without that
safeguard (maybe forcing confirmations?). SPF is, however, a pretty good
indicator that the email is legitimate.

~~~
fizzfur
Yeah, as soon as I saw this post I thought of SPF and DomainKeys.

Seems simple:

If your mail/DNS is set up to support either of these, then cool, you don't need
to confirm.

Else, you must "ok" each post.

DONE
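The SPF-gated posting policy the last few comments sketch (SPF pass: publish; no record, softfail or neutral: require the confirmation step even if the user turned it off; SPF fail: reject), written out as an added Python example that is not Posterous's code. DNS TXT lookups are replaced by an embedded table of constructed records so it runs offline, and only the ip4/ip6/all mechanisms of SPF are evaluated.

```python
import ipaddress

# Constructed sample SPF records standing in for DNS TXT lookups (assumption:
# a real deployment would query DNS here). Domains use the reserved .test TLD.
SPF_RECORDS = {
    "with-spf.test": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    "softfail.test": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Stub for the DNS TXT lookup; returns the record string or None."""
    return SPF_RECORDS.get(domain.lower())


def check_spf(domain, client_ip):
    """Simplified SPF evaluation: returns pass, fail, softfail, neutral or none.

    Handles only the ip4, ip6 and all mechanisms with their qualifiers; the
    real algorithm (RFC 7208) also covers a, mx, include, redirect, etc.
    """
    record = lookup_spf(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech in ("ip4", "ip6") and arg:
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif mech == "all":
            matched = True
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term


def posting_decision(sender, client_ip, user_skips_confirmation):
    """Decide what to do with a post received by email: publish, confirm, reject."""
    if not user_skips_confirmation:
        return "confirm"  # the user's own setting: always confirm
    domain = sender.rsplit("@", 1)[-1]
    result = check_spf(domain, client_ip)
    if result == "pass":
        return "publish"  # the sending host is authorised by the domain owner
    if result == "fail":
        return "reject"   # the domain owner says this host may not send for it
    # none / softfail / neutral: the From address proves nothing on its own, so
    # the "skip confirmation" convenience must not be honoured
    return "confirm"
```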

------
jtth
Poll: hack Dustin Curtis's things every day? Yay? Nay?

