
Did he not mention the flaw, or did I miss it? If he didn't, I'd say this article is linkbait.

The bug is probably something really trivial that affects a small portion of users in an insignificant way. The secrecy about specifics on the author's part seems to be just to spare him embarrassment at this point.

I think the post itself is pretty clear on this score: it's not a major vulnerability. It doesn't prevent us from using the product. It does change the way we use the product.

I'm not sure Dave's too worried about what YC board people think about him, but if that makes you feel better, you can go ahead and keep thinking that.

Here's what I want to accomplish by posting this story on YC (and not Reddit, or anywhere else):

The 37Signals attitude towards feature requests is refreshing and powerful. But if you apply it mindlessly, like they themselves did in this case, you can cause problems for yourself. Not every request is really optional. Maybe this one was --- I'm on the fence leaning towards "they should probably fix this soon" --- but others truly won't be, because they will reveal customer information, lose data, or crash the system.

I think there's a lesson in here somewhere. Maybe it'll just have to wait for an actual incident at 37Signals.

I'm guessing it's this:

Suppose we're both Basecamp users. It may be possible for me to steal your session by giving you a link to a shared calendar or something with malicious JavaScript. Or I can steal the login cookie of one of the admins by luring them to my website with a support request.

I don't think permitting XSS is a good idea in a shared environment.

Apparently they consider XSS a feature. That's a first!

Nope. That's not it.

You can steal cookies with XSS?

Yes. That's why XSS is such a serious security problem. And even if you can't steal cookies, you can still do nasty things like re-target the login form's action to point at your own server and hence steal people's passwords.
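The defensive side of the two points above (encoding user-supplied text before it lands in shared markup, and issuing the session cookie with HttpOnly so script cannot read it through document.cookie), as an added example that is not from the thread or from 37signals; the calendar template, function names and sample title are constructed for illustration:

```javascript
// Added example: safe rendering of untrusted calendar text and a hardened
// session cookie. Names and sample input are constructed, not Basecamp's code.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode untrusted text so it is shown as text, not interpreted as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable rendering: the user-controlled title is interpolated unchanged.
function renderEventUnsafe(title) {
  return `<li class="event">${title}</li>`;
}

// Hardened rendering: same template, title encoded first.
function renderEventSafe(title) {
  return `<li class="event">${escapeHtml(title)}</li>`;
}

// Set-Cookie value for a session id. HttpOnly keeps it out of document.cookie;
// Secure and SameSite limit where the browser will send it.
function sessionCookie(name, value) {
  if (!/^[\w-]+$/.test(value)) throw new Error('unexpected session id characters');
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Check an existing Set-Cookie header for the attributes a session cookie needs.
function cookieIsHardened(header) {
  const attrs = header.split(';').slice(1).map((a) => a.trim().toLowerCase());
  return attrs.includes('httponly') && attrs.includes('secure');
}

// Constructed sample: a calendar title carrying a script tag, as a user might submit.
const SAMPLE_TITLE = 'Q1 review <script>alert(1)</script>';

// Render both forms side by side so the difference is visible.
function demo() {
  return {
    unsafe: renderEventUnsafe(SAMPLE_TITLE),
    safe: renderEventSafe(SAMPLE_TITLE),
    cookie: sessionCookie('_session', 'abc123'),
  };
}
```

With escaping in place the tag shows up as literal text in the calendar, and with HttpOnly set the session cookie is not readable even if some other markup does slip through.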

document.cookie, wow... Guess you learn something new every day. For those interested, this has a good explanation:

