Topic: Hacker News - How I "hacked" Dustin Curtis' Posterous (fixed)

Paul Keith

I logged into my outlook, changed my email address to his email address, and sent the email to [email protected]

Dustin mentioned in his article that he didn't require a password, and I wanted to see if he had used the confirmation skip.

Just wanted to apologise to Dustin about any inconvenience, but I do hope I opened his eyes to security a little!

EDIT: A little bit of backstory.

Dustin seems to think that I did this because of a comment he made on how the headers could be forged. I had not read this comment. In fact, I read his article, and using the knowledge that I picked up years ago, that you could change the outgoing email address in Outlook (although it was Outlook Express in them days), I changed my email to his email.

I saw his email on his website ([email protected]) and thought, "No, he wouldn't be sending his personal emails from that address, that's silly."

I checked the WHOIS on his domain, and saw another email address there. I changed my email, sent a quick "Apparently..." message, and then changed it back to my original email address. I checked his blog, and it didn't seem to work.

I then went to sign up for my own posterous, to play a bit more, and I saw that you had to authorise your posts. Then I saw how this could be disabled for convenience. A few minutes later and the post showed up.

I am a Web Developer, I have experience with bash scripting, curl, sendmail and everything else you would need to fake headers.

I did not fake headers, I changed one field in Outlook. I didn't do this maliciously, and I just did it to prove a point.

Posterous should not be using email alone to authorise posts, and they should not let you disable submission checking.

Sorry, don't understand anything that's being said except that most webmail aren't affected by this.

This one is worrying though:

Odd, the other Posterous threads are getting buried so quickly. When a new comment is posted in any thread it appears at the top, except for these Posterous threads. Is this damage control on the part of YC?

The only other person so far to comment under the co-founder on this thread (at time of writing) is jseeba, who has had very little activity and one of the few comments he's ever made was in a thread called "Ask YC: Your favorite startups" where he said "Posterous. It just works." So jseeba doesn't do much around here in the 2 or so years he's been a member but made time to chime in for Posterous again.

Hey guys. I'm the cofounder of Posterous.

Yes, someone did figure out how to post to Dustin's site today. This security hole is now fixed.

We had a specific problem with the way we dealt with SPF records. Dustin didn't set any up, and there was a specific way that Robin Duckett's email server responded that caused us to flag it as a false negative for spoofing.

For the vast majority of users who use gmail, hotmail or other services, this was never an issue.

Since our launch on day one, we have taken email spoof detection very seriously. It's one of our core differentiators: to be able to securely post to your blog by emailing a single, easy to remember address. We don't want to do secret addresses or secret words.

Over the past 2 years, we've developed robust spoof detection IP and spend a ton of time trying to stay a step ahead of hackers. Fortunately, we've only had a few very specific, isolated cases where one of our sites was spoofed and each time we have improved our system.

Thanks for bringing this to our attention. We always need to be one step ahead of the hackers/spoofers, and we thank the Hacker News community for keeping us on our toes!

from: Ycombinator
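
An added example, not part of the original thread and not Posterous's code: one way a post-by-email service could fail closed on the SPF case the cofounder describes, auto-publishing only on an SPF pass aligned with the From domain and holding everything else, including a domain with no SPF record, for confirmation. The hostnames, addresses and function names are assumptions, and it assumes the service's own receiving MTA records its SPF verdict in an Authentication-Results header.

```python
import email
import re
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.blog.example"  # assumption: ID our own receiving MTA stamps

def spf_verdict(msg):
    """Return (spf_result, envelope_domain) from our own MTA's header only."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = " ".join(value.split()).partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # stamped by another host, possibly the sender: ignore
        spf = re.search(r"\bspf=(\w+)", rest)
        dom = re.search(r"\bsmtp\.mailfrom=(?:[^\s;@]*@)?([^\s;]+)", rest)
        if spf:
            return spf.group(1).lower(), dom.group(1).lower() if dom else ""
    return "none", ""  # no trusted verdict is treated like no SPF record

def decide(raw_message, owner_address):
    """Publish only on a positive SPF pass aligned with the From domain."""
    msg = email.message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    if from_addr != owner_address.lower():
        return "reject"
    result, envelope_domain = spf_verdict(msg)
    if result == "pass" and envelope_domain == from_addr.rpartition("@")[2]:
        return "publish"
    # none, neutral, softfail, fail, temperror, permerror: never auto-publish
    return "hold_for_confirmation"

def sample(auth_results, sender="owner@owner.example"):
    """Build a constructed test message (not real traffic)."""
    return (f"Authentication-Results: {auth_results}\n"
            f"From: Owner <{sender}>\nSubject: New post\n\nHello\n")

OWNER = "owner@owner.example"
SAMPLES = {
    "aligned pass": sample("mx.blog.example; spf=pass smtp.mailfrom=owner@owner.example"),
    "no SPF record": sample("mx.blog.example; spf=none smtp.mailfrom=owner@owner.example"),
    "pass, other domain": sample("mx.blog.example; spf=pass smtp.mailfrom=x@relay.example"),
    "untrusted stamp": sample("mx.other.example; spf=pass smtp.mailfrom=owner@owner.example"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {decide(raw, OWNER)}")
```

Only the first sample is published; the other three are held for the owner's confirmation, which is the submission check the original poster argues should not be optional.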