

Thoughts on the Posterous hack - prabodh
http://blog.dustincurtis.com/thoughts-on-the-posterous-hack

======
a4agarwal
Hey guys. I'm the cofounder of Posterous.

Yes, someone did figure out how to post to Dustin's site today. This security
hole is now fixed.

We had a specific problem with the way we dealt with SPF records. Dustin
didn't set any up, and there was a specific way that Robin Duckett's email
server responded that caused us to flag it as a false negative for spoofing.

For the vast majority of users who use gmail, hotmail or other services, this
was never an issue.

Since our launch on day one, we have taken email spoof detection very
seriously. It's one of our core differentiators: to be able to securely post
to your blog by emailing a single, easy to remember address. We don't want to
do secret addresses or secret words.

Over the past 2 years, we've developed robust spoof detection ip and spend a
ton of time trying to stay a step ahead of hackers. Fortunately, we've only
had a few very specific, isolated cases where one of our sites was spoofed and
each time we have improved our system.

Thanks for bringing this to our attention. We always need to be one step ahead
of the hackers/spoofers, and we thank the Hacker News community for keeping us
on our toes!

~~~
ergo98
Great that you responded to the issue.

>We had a specific problem....

Most of the people here work in technology. Your response sounds a bit hand-
wavy, as if you're alluding to some great complexity when the described "hack"
is so incredibly rudimentary it would be the first thought of anyone making
such a solution. The parts in this mechanism are trivial.

We've all done the "well...the packets they..uh...confluence of...ECC..."

>trying to stay a step ahead of hackers

Be wary of false confidence. I would wager that you've stayed a step ahead
simply because you haven't gotten their attention yet. It's a classic "low
security", non-scalable start-up approach. A "we'll deal with that once we're
big enough that people notice it" approach.

>Over the past 2 years, we've developed robust spoof detection ip

Beyond using SPF and DomainKeys, I would be surprised if you have anything
that could accurately get called "IP" in the realm of email. It's a long, long
trodden ground.

------
jgrahamc
Posterous actually has a nasty security hole which allows you to get the email
address for any posterous which the user has not claimed.

Here's a posterous I just created: <http://john-tfk88.posterous.com/> that I
have not claimed.

The 'Claim this site' link goes to
[http://posterous.com/main/register?hash=Bu5fX3lRT2rYPURl7axZ...](http://posterous.com/main/register?hash=Bu5fX3lRT2rYPURl7axZ1Y3SpHNnCWxOt4p8Kewa8zWUiiTwkV8S2YEHwTL6)

If you view source that you'll find that my email address is 'hidden' in the
page:

    <input id="user_mail" name="user[mail]" type="hidden" value="jgc@jgc.org" />

So, for any unclaimed posterous you can programmatically go to the owner's
email address. A nice hack would be to grab the email address of newly created
posterous accounts, wait for them to be claimed (or not) and then started
spamming them. Yay!

Oh look:
[http://www.google.co.uk/search?hl=en&q=%22claim+this+sit...](http://www.google.co.uk/search?hl=en&q=%22claim+this+site%22+site:posterous.com&aq=f&aqi=&aql=&oq=&gs_rfai=)

~~~
a4agarwal
Hey guys. I'm the cofounder of Posterous.

We have looked into this issue and have confirmed this is not a security hole.
No personal information is revealed to users other than through obscure links
that are only available to the true site owner.

This url is only available:

1. In the emails we send to users to claim their site. So only the true owner
receives these.
2. On the Posterous site itself, but only when we know it's the site owner
(based on cookies and other tests).

That Google search does include a bunch of unclaimed sites. However, none of
those sites will include the secret hash, and therefore none will expose the
email address.

The fact that we include the email address in the form is definitely odd, and
we're removing that now. But nonetheless, it's only visible to the person who
created that site, behind obscure URLs.

We're very confident in the system we have built. While making things super
simple for the common user, we never forget that our users care a lot about
keeping their information secure.

Thanks for bringing this to our attention. We always need to be one step ahead
of the hackers/spoofers, and we thank the Hacker News community for keeping us
on our toes!

~~~
jgrahamc
Ah. I should have double checked that. What's the emoticon for 'red
face'/ashamed?

I'll leave my original post intact as an example of what happens when you get
3 hours sleep and then shoot your mouth off.

------
wdewind
"As a user, I fully accept it. <http://blog.dustincurtis.com> has received
almost a million pageviews in the past year, and this is the first time this
has ever happened. And It happened because I provoked it in an extremely
popular article was posted to a community of hackers. To be honest, I expected
someone to try this."

As an EDUCATED user YOU accept it; I'm not sure most of the Posterous users
understand and would make the same decision to use Posterous if they did.

This is like saying car companies could sell shitty locks on their cars
because they mostly won't be tested anyway, and the driver will have an easier
time getting into the car. It's VERY unlikely my mother's car will be broken
into, just statistically speaking, but hey, even if it happens it's just one
person. Not a big deal.

I'm pretty sure if Posterous made it clear how easy this is many users would
stay away, just like many people would not buy Toyotas if they came with
shitty locks, no matter how little they expected to be broken into.

~~~
dcurtis
If someone steals your car, you're out many thousands of dollars and extremely
inconvenienced.

If some random idiot posts a link to a Nigerian scam on your blog, you just
delete it and get on with your life.

~~~
wdewind
Maybe to you it doesn't matter, but these things can be intensely personal to
people. It's still an issue of violating your space (to the layman end user; I
know the technical definitions of "your space" are nebulous, I'm talking about
the emotional ones that I think Posterous is kind of violating).

And what happens when the idiot who posts the Nigerian scam on your blog scams
your mother, who is reading your blog and assumes it's from you? No big deal?
Move on with your life? Try and be a little imaginative with the things that
could be done here...

If it's not a big deal, Posterous should make it clear to users what they give
up for convenience. Again, I really don't think users would make the same
choice they are to use Posterous if they understood the implication, whether
or not it matters to you.

and more importantly, there are a ton of people suggesting pretty viable
alternatives that wouldn't make it harder to post and would still allow a lot
more security.

~~~
rantfoil
Appreciate the concern, and we hear you. We're still investigating this
particular case. Normally we'll catch these types of spoofed emails. What we
need to do is refine our system.

To be honest, we haven't had many complaints about spam emails or spoofs -- it
literally never happens, otherwise we would hear about it all the time. We
answer every help email we get -- so we have a decent idea of what our users
care about and what pains they really see.

If trust is an issue, we will fix it.

~~~
ergo98
>To be honest, we haven't had many complaints about spam emails or spoofs

Because you're below most people's radar. Compared to blogger or anything
similar, you barely measure.

So essentially you are practicing security through obscurity.

Of course we know that is foolhardy.

------
Tichy
Of course somebody is interested in spamming his mother's blog. A script
doesn't care whose blog it spams. Now that the word is out, I expect it will
only be a matter of time until such scripts emerge.

It's the typical false assumption non-technical users have about security: who
would be interested in hacking me anyway? Automated scripts, that is who.

Also, how are the email posts interpreted by posterous - is it possible to
post custom html snippets and javascripts via email? This would be scammer's
heaven, as they could probably even hide that a blog has been spammed.

------
ique
He says there is no interest to post to his mom's Posterous, but is that really
true?

I can imagine quite a lot of spammers who would love to have a blog-post on an
otherwise reputable blog. If spammers manage to abuse this system they could
get their blogposts, filled with links and instructions to buy medication, all
over all posterous blogs.

~~~
lhorie
I remember reading somewhere about the abysmal conversion rates that spammers
get (it was something like 1 in 12 million or something like that).

So, you'd need some 12 million blog posts that look real enough to fool a
user's reader to get one conversion.

And it's not like Posterous isn't aware of the insecure nature of email. As
some have suggested, they can just turn on pre-approval of submissions and
this whole thing would be moot.

Put it another way: if you were to compete against them, would you create a
blog-by-email service that focuses on being secure? Or ease of use? I imagine
the latter has a lot more value to users. As Schneier always says, security is
all about trade-offs, and choosing to handle "what-if" scenarios tends to be
less nice than handling "this-is-what-is-going-on-for-real" scenarios.

~~~
tkaemming
Regarding conversion rates, people have been trained to distrust email, but
the same isn't necessarily true for blogs. If a spammer put together a well-
worded "spam" message — especially if it's something people write about all of
the time, like electronics, music or book reviews, etc. — it's not
unreasonable to expect conversion rates would be much higher.

~~~
lhorie
FWIW, anyone who hangs around blogs knows a spam comment when they see one.
I'd imagine that it's even harder to make a fake blog post believable, since
it's easier to wing something like: "yeah I agree [link to fishy site]" than
it is to make a well-written post (especially if it needs to be generic enough
to pass as legitimate in 12 million different blogs...)

------
sramov
Simple. Create an email alias (spacemuffinftw) just for Posterous and post
with that, making it your password in a way.

_Edit_: Seen in other comments -- cool thing would be for Posterous to
support _SPF_. Definitely techie oriented and not for general folks, but in a
system like Posterous, it should be baked in from day one. It would protect
quite a bit of folks while the majority of them don't even realize or know
what SPF is.

~~~
rantfoil
SPF is already baked in. You can't set up an email account without
understanding the ins and outs of that stuff. It is one part of an arsenal.

~~~
sramov
Nice to know Posterous checks SPF records amongst other checks! Do you also
check IN SPF records or just IN TXT? From my experience, the actual SPF record
type is seldom used. For my personal domain, I only use SPF and do not publish
TXT at all -- dnscog.com thinks I don't have an SPF record published, oh the
irony of them (Dyn Inc) being the DNS force and all.
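The cofounder's comment above attributes the spoof to a missing SPF record being read as a false negative, and this comment asks whether the type-99 SPF RR is consulted as well as TXT. The following is an added example, not Posterous's code: a reduced SPF check (ip4, ip6 and all mechanisms only) over a constructed DNS table, plus a publishing rule in which "none" (no record published) is never read as evidence against spoofing. All domains, addresses and function names are assumptions.

```python
import ipaddress

# Constructed stand-in for DNS answers: domain -> {rrtype: [records]}.
# "dustin.example" publishes nothing (the missing-record case described in
# the thread); "spf-only.example" publishes only the type-99 SPF RR, not TXT.
FAKE_DNS = {
    "webmail.example":  {"TXT": ["v=spf1 ip4:203.0.113.0/24 ~all"]},
    "strict.example":   {"TXT": ["v=spf1 ip4:198.51.100.7 -all"]},
    "spf-only.example": {"SPF": ["v=spf1 ip4:192.0.2.10 -all"]},
    "dustin.example":   {},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf_record(domain, dns, rrtypes=("TXT", "SPF")):
    """Return the domain's v=spf1 record, trying each RR type in order.
    A checker that only asks for TXT silently misses an SPF-only domain."""
    for rrtype in rrtypes:
        for rec in dns.get(domain, {}).get(rrtype, []):
            if rec.lower().split()[:1] == ["v=spf1"]:
                return rec
    return None


def evaluate_spf(sender_ip, domain, dns, rrtypes=("TXT", "SPF")):
    """Subset of the RFC 7208 check_host() algorithm: ip4, ip6 and all.
    include/a/mx/exists need live DNS and are skipped (treated as no match)."""
    record = lookup_spf_record(domain, dns, rrtypes)
    if record is None:
        return "none"                      # no policy published at all
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier, mech = "+", term        # a bare mechanism means '+'
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"                       # record ended without a match


def publish_decision(spf_result):
    """Defender's rule for post-by-email: only 'pass' auto-publishes.
    'none' (no record) and the weak verdicts must not be read as 'not
    spoofed'; they fall back to a confirmation-link flow."""
    if spf_result == "pass":
        return "auto-publish"
    if spf_result == "fail":
        return "reject"
    return "require-confirmation"


if __name__ == "__main__":
    for ip, dom in [("198.51.100.7", "strict.example"), ("10.0.0.1", "dustin.example"),
                    ("192.0.2.10", "spf-only.example")]:
        res = evaluate_spf(ip, dom, FAKE_DNS)
        print(f"{dom:18} {ip:14} spf={res:9} -> {publish_decision(res)}")
```

Passing `rrtypes=("TXT",)` reproduces the TXT-only lookup this comment complains about: the SPF-only domain then evaluates to "none".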

------
Aaronontheweb
Here's the deal - as soon as your blog reaches any level of popularity, people
are going to want to deface it / hack it any way they can just because it's
that much bigger of a prize. If Posterous is this easy to hack, once you have
a decent sized blog you're going to have a constant field day until they
implement something better.

If you want to keep security simple enough that it doesn't strangle the
service then hand out a unique email like post-45h231sxax23s1@posterous.com
and have the user add that to their address book - voila, you've managed to
add a layer of obscurity to posterous' posting mechanism at least, even though
it's still not really a strong one.

~~~
DanielStraight
Apparently not, because his blog had "any level of popularity" long before it
was hacked. Since this is the first I've ever heard of a Posterous hack,
clearly it's not true that all decent sized blogs are being hacked constantly.

On the surface, what you say makes sense, but the real life data doesn't back
it up.

Compare to:
[http://www.schneier.com/blog/archives/2010/05/why_arent_ther...](http://www.schneier.com/blog/archives/2010/05/why_arent_there.html)

~~~
Aaronontheweb
Way to totally put up a strawman argument. I did not argue that all popular
blogs are ALWAYS being hacked constantly - I just said that it's that much
bigger of a prize and people are going to give it a shot, and if the blog
system is this easy to hack, you're going to have to regularly (perhaps I
should have used regularly instead of constantly, given that a lot of people
on this board, like you I suspect, have a bad habit of taking things too
literally) deal with hacks.

------
DavidBishop
1) Why can I not comment on the actual post? That's a little disconcerting.

2) I don't understand the need to post by e-mail. What does that gain me? Is
there any use in that other than gimmick? Wouldn't a nice site offer me more
chances for formatting, etc? What is the difference between typing info into a
site and into an e-mail? What is the benefit? Can't a site be easier to use
than e-mail?

3) Security is not a concern? I hope you are happy with the size of your
company since it can not grow, because once you become any kind of force in
the market, you will have to deal with things that you may not have to deal
with now.

If you can't think of any scenarios in which this is a problem, let me
enlighten you:

- Lawsuits because an angry ex/employee/anyone posts items on a blog. (Yes,
this can happen with other systems, but a lack of security is different from
being hacked/people stealing passwords, etc.)
- Competitors who want to cause you problems.
- Unhappy customers who find their site "hacked", including support time and
money.

Now that the "hack" is discovered, expect more. Security through ignorance is
gone once the ignorance is gone.

When you ignore warning signs because nothing bad has happened YET, get ready.
Look at BP. Over 700 violations they shrugged off because it didn't affect
them. Now it does and their stock, company name, and the well-being of many
they affected is in the toilet.

This is your wake up call. Listen to it: don't ignore it. Security matters.

~~~
rantfoil
We hear you. Listen, security is a super important piece of our product. And
we wake up in the morning and go to sleep at night thinking about product.

------
ajg1977
Posterous could offer a really simple, and optional, security option by
disabling auto-posting unless your email includes a secret key. E.g. you would
have to write 'passkey=tomato' somewhere in your email.

If the email doesn't include the passkey, the user would receive a "click link
to publish" email.

Simple.

------
biggitybones
I think his argument comes off as too utopian for me to accept. Like everyone
else has said, of course people will want to exploit an easy loophole on
someone who has a bit of exposure.

I think Posterous hasn't grown to a point where they have to worry about it
yet, but look at the exploits on Wordpress. They're much more advanced and
hackers continually attempt to break in for fun or for abusive reasons. It's
naive to assume that you can simply keep this convenience as a security trade
off as the product gains the attention of the world.

~~~
rantfoil
That's the thing -- it's not an "easy" loophole. Like any arms race, every
website is in competition with its foils -- scammers, phishers, spammers and
their ilk.

I disagree that it's not possible to stay ahead of them. That's our job.

------
GavinB
The real danger here isn't spam, it's false flag attacks.

If something offensive appears on your posterous under your name, will anyone
believe you when you claim it's a hack?

On the other hand, maybe it provides a convenient excuse if you post something
dumb and want to disown it . . .

~~~
JoeAltmaier
A picture of Mohammed perhaps...

------
lhorie
<http://news.ycombinator.com/item?id=1442163>

The compromise I suggested here addresses both concerns (ease of use and
security)

------
samdk
My email address is of the form firstname@lastname.com, and I got around this
issue by creating an alias for sending in Gmail that's
firstname+randomstring@lastname.com. As a security measure it's not perfect,
but it's not something someone's just going to be able to guess.

That solves the issue for me, but not for most (less tech-savvy) people. I
think what Posterous needs is the ability to require confirmation by email
when a post is made by email. I get that you can do this by setting your blog
to 'anyone can post', but that seems counterintuitive, and most people don't
understand how easy it is to spoof emails. As long as the confirmation can be
done by email, I don't think it'd be much of an inconvenience.

------
mike-cardwell
I care about my reputation, therefore I would not use Posterous.

There's nothing stopping Posterous keeping it working exactly the same way,
but providing an additional layer of protection for users who want to lock
down their blog.

1.) Don't publish emails unless they passed DKIM

2.) Don't publish emails unless they passed SPF

3.) Don't publish emails unless they contain a secret password

4.) Don't publish emails unless they're signed with my PGP key.

Any of the above would be enough. It's all about choice.

~~~
rantfoil
We do a mix of these things. In this specific case, it failed. We're
investigating.

~~~
mike-cardwell
Cool. Would it be possible for me as a user to specify that only PGP signed
emails should be auto-posted, and everything else should be subject to a
confirmation email?

That would be the ideal scenario for me personally...

~~~
rantfoil
That's a good idea. What I want is some end-user-friendly PGP-like solution.
If it existed in a form that we knew millions of users already were used to
using, or that we could roll out -- we would do it in a heartbeat.

Have to think about normals on it though. It's not good enough to think about
tech savvy people like us.

But for those who care, it might be the best way. Thanks.

------
alextp
An interesting thing Posterous could do is send the user a (daily? weekly?)
email "reminding" him of the blog, and making it so that just replies to that
email count as posts. This lets them even change the GUID for each user if
they think it has been compromised.

------
twalling
Sounds like a security issue to me.

------
jrussbowman
Couldn't they do something like the email address is
yourusernameatyourdomain.comandanextrabityoutset@posterous.com, which would be
an id you could remember?

~~~
sjs382
or just a random noun@posterous.com? Or make it user-configurable?

~~~
jrussbowman
or both... assign a random GUID, and then allow the user to set it something
they want if they choose. That's probably the simplest way, and of course the
simpler the better for both development and security.

~~~
axod
Surely the easiest way would be to require you put your password somewhere in
the body of the email.

e.g.:

    Hi this is an example blog post
    I'm gonna see if this works
    ys8uc99p

~~~
sjs382
I think that putting a password inside the post field (the email body) could
lead to some issues. :)
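ajg1977's passkey-or-confirmation-link proposal above and sjs382's worry that a passkey in the body would end up in the published post, as an added example that is not Posterous's code: the passkey line is stripped before the body is kept, and a post without the right passkey is held behind an HMAC-tagged, expiring, single-use confirmation link. SERVER_KEY, SITE_PASSKEYS, the link parameters and all function names are constructed for the example.

```python
import hashlib
import hmac
import re
import secrets

# Constructed example values only: the server-side key and one site's passkey.
SERVER_KEY = b"example-server-key-not-for-production"
SITE_PASSKEYS = {"dustin": "tomato"}      # ajg1977's 'passkey=tomato' idea
CONFIRMED = set()                         # post ids that were already published once

# A line of the form "passkey=<value>", including its line break.
PASSKEY_RE = re.compile(r"^[ \t]*passkey=(\S+)[ \t]*(?:\r?\n|$)", re.MULTILINE)


def strip_passkey(body):
    """Pull the passkey line out of the email body before anything is stored
    or rendered, so the secret can never appear in the published post."""
    m = PASSKEY_RE.search(body)
    if m is None:
        return None, body
    return m.group(1), PASSKEY_RE.sub("", body, count=1).strip()


def confirm_tag(site, post_id, expires_at):
    """HMAC over site, post id and expiry: the link in the 'click to publish'
    email cannot be forged or guessed without SERVER_KEY."""
    msg = f"{site}|{post_id}|{expires_at}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def handle_incoming_post(site, body, now, ttl=3600):
    """Publish immediately if the mail carries the site's passkey; otherwise
    hold it and return the parameters that go into the confirmation link."""
    passkey, clean = strip_passkey(body)
    expected = SITE_PASSKEYS.get(site)
    if passkey is not None and expected is not None and \
            hmac.compare_digest(passkey.encode(), expected.encode()):
        return {"status": "published", "body": clean}
    post_id = secrets.token_hex(8)
    expires_at = int(now) + ttl
    return {"status": "held", "body": clean, "post_id": post_id,
            "expires_at": expires_at,
            "tag": confirm_tag(site, post_id, expires_at)}


def verify_confirmation(site, post_id, expires_at, tag, now):
    """Check a clicked confirmation link: unexpired, correctly tagged, unused."""
    if now > expires_at or post_id in CONFIRMED:
        return False
    if not hmac.compare_digest(tag, confirm_tag(site, post_id, expires_at)):
        return False
    CONFIRMED.add(post_id)
    return True
```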

------
jeremymcanally
Uhm you don't have to have an epic GUID e-mail address. Just pair it with your
e-mail. So let the user set it to whatever they can remember (their name
backwards and ROT13'd, whatever, so long as it's unique) and only accept posts
to that address from their verified e-mail. That would at least curb some of
the danger of this setup.

------
sbierwagen
Or you could make high-security posting optional, for users who get a lot of
traffic; much like how E-trade will give you a two-factor authentication fob
if you've got enough money invested with them.

------
nkassis
They could allow for configurable security, like allowing users to specify a
GPG public key. Doesn't have to be the default.

------
drivebyacct
There's an even easier solution... require confirmation via email. You send
the post as an email, you get an email back immediately asking for post
confirmation.

edit:

It looks like this is already standard functionality (if turned on, and even
if not there is still an email sent with a delete link).

I don't think Dustin does a good job explaining why "It is OK" in this blog
post, but I think I agree with his conclusion: this doesn't seem like a big
deal if a user has opted for the more optimistic workflow rather than the more
precautionary one.

------
ajkirwin
I see this argument all the time. "Oh, Joe Schmo won't know how to do this!
It'll frighten them!".

And this happens absolutely everywhere. And it's true. But this problem won't
go away until we start FORCING people to adapt, by adopting stricter measures
everywhere.

