How I "hacked" Dustin Curtis's Posterous.
298 points by robinduckett on June 18, 2010 | 115 comments
I logged into my outlook, changed my email address to his email address, and sent the email to post@posterous.com.

Dustin mentioned in his article that he didn't require a password, and I wanted to see if he had used the confirmation skip.

Just wanted to apologise to Dustin about any inconvenience, but I do hope I opened his eyes to security a little!

EDIT: A little bit of backstory.

Dustin seems to think that I did this because of a comment he made on how the headers could be forged. I had not read this comment. In fact, I read his article, and using the knowledge that I picked up years ago that you could change the outgoing email address in Outlook (although it was Outlook Express in those days), I changed my email to his email.

I saw his email on his website (hi@dustincurtis.com) and thought, "No, he wouldn't be sending his personal emails from that address, that's silly."

I checked the WHOIS on his domain, and saw another email address there. I changed my email, sent a quick "Apparently..." message, and then changed it back to my original email address. I checked his blog, and it didn't seem to work.

I then went to sign up for my own posterous, to play a bit more, and I saw that you had to authorise your posts. Then I saw how this could be disabled for convenience. A few minutes later and the post showed up.

I am a web developer; I have experience with bash scripting, curl, sendmail and everything else you would need to fake headers.

I did not fake headers, I changed one field in Outlook. I didn't do this maliciously, and I just did it to prove a point.

Posterous should not be using email alone to authorise posts, and they should not let you disable submission checking.




Hey guys. I'm the cofounder of Posterous.

Yes, someone did figure out how to post to Dustin's site today. This security hole is now fixed.

We had a specific problem with the way we dealt with SPF records. Dustin didn't set any up, and there was a specific way that Robin Duckett's email server responded that caused us to flag it as a false negative for spoofing.

For the vast majority of users who use gmail, hotmail or other services, this was never an issue.

Since our launch on day one, we have taken email spoof detection very seriously. It's one of our core differentiators: to be able to securely post to your blog by emailing a single, easy to remember address. We don't want to do secret addresses or secret words.

Over the past 2 years, we've developed robust spoof detection IP and spend a ton of time trying to stay a step ahead of hackers. Fortunately, we've only had a few very specific, isolated cases where one of our sites was spoofed, and each time we have improved our system.

Thanks for bringing this to our attention. We always need to be one step ahead of the hackers/spoofers, and we thank the Hacker News community for keeping us on our toes!


Yay, I'm not getting prosecuted. Good times.


A couple of years ago, I emailed Garry Tan about this very issue after successfully posting to a friend's Posterous. They were only thankful for the heads up and investigated.

A year or two later, I was interviewing at a company whose product has a similar feature (post todos more or less), and decided to see if I could post to my friend's todo list. I was thinking that if I could, I'd post to the guy who was interviewing me's list "Hire Andrew--he exposed a hole." It didn't work on my friend's account, and I got an email a couple of minutes later. "I see you were doing some fuzzing, were you able to get any messages through?" I wasn't able to (though I didn't try too hard), and I didn't get the job either. (I ended up with a better job, so it all worked out).


Well, apparently all you need to break Posterous' security is an SMTP server from 1and1.co.uk


Um, not anymore actually. And also it only worked because Dustin had no SPF records -- again vast majority of users were unaffected.


Do you share your anti-forgery strategy? That sounds like it would make a very useful open source library.

That would probably improve your security too.


A quick response from Posterous. I'd expect nothing less.

Posterous : email spoof detection :: PayPal : credit card fraud detection

See the section in Founders at Work on the value that better fraud detection created for PayPal.


Note that it is perfectly possible to safely use email as authentication. It is not trivial. I've replied about this here: http://news.ycombinator.com/item?id=1441914


Odd, the other Posterous threads are getting buried so quickly. When a new comment is posted in any thread it appears at the top, except for these Posterous threads. Is this damage control on the part of YC?

The only other person so far to comment under the co-founder on this thread (at time of writing) is jseeba, who has had very little activity and one of the few comments he's ever made was in a thread called "Ask YC: Your favorite startups" where he said "Posterous. It just works." So jseeba doesn't do much around here in the 2 or so years he's been a member but made time to chime in for Posterous again.


This happened to me too when I submitted a link about Posterous. Not long after it made it to the front page, the subject was changed to an inaccurate and less attention-getting subject. Moderator power...


For the record, jseeba emailed me and let me know that he's just a lurker and not part of this.


I agree with the conclusion. Posterous could fix this problem by implementing something like The Zucchini Method (http://www.jgc.org/antispam/03152005-2150120647b00f4af9d3443... [PDF]). Basically, they could accept posts via email as long as the user included some hard to guess word (or other token) in the subject line.


Or do what Flickr does and give you a unique email address to send to that only you will know. You can add it to your address book so you won't have to remember it, and it's probably stronger than what most users would choose for a password.


Such considerations might be overkill for flickr/posterous but that does leave your "secret" email address in the logs of every smtp relay along the way. It's sort of equivalent to putting a password in a URL.


"smtp relay along the way"?

This isn't UUCP, the message will go from A to B across the internet backbone. There will only be SMTP relays along the way if either your email host or the receiver's email host has chosen to set things up that way. We'd have a much bigger problem with internet security if everyone's email was relayed through questionable servers as a matter of course.


Most residential DSL and cable users are prohibited from connecting to port 25, except on a special "smarthost". This machine, and anyone reading its logs, will learn your blog password.

More secure than no password, but not secure.


Fortunately most of the people who operate mail relays for ISPs are honest and responsible.


[citation needed]

More to the point, what you are saying is that your ISP can read your unencrypted internet traffic. This is not news.


If you're relaying mail through SMTP servers you don't trust, I think you have bigger problems to worry about than someone posting a funny message to your weblog.


Yeah, we're not talking about credit card info. Why not have post@ plus a secret@ available in your options. The more technically inclined could easily use the second, most likely safe enough, system.

I really hope they don't complicate an otherwise zen-like experience.


Security shouldn't be optional.

And this wouldn't fix the issue at all... I bet that 80%+ of users would leave the default post@ submission address.


Security shouldn't be optional.

That seems like a very dogmatic attitude. Security almost always comes at some cost (e.g., inconvenience), and sometimes that cost is not worth the benefit.


Yes, I agree with you. It pretty much always comes at some cost and "user-friendliness" hurts most of the time. But it is exactly that "easy-to-use" design that leads to security holes like the one presented here.

And I stand by what I wrote earlier, if you want to add some security options then they should be enabled by default. Having even the best security system in-place is useless when it's disabled. Isn't it?


The cost -- if someone successfully manages to spoof their way into your posterous blog -- isn't very high. You'll probably notice fairly quickly, it's hard for "the bad guy" to use for actual gain, and there's no money involved either way.

I use a service called Postful to send snail mail via email, that has security along these lines -- I email them a PDF with a mailing address in the subject line, and they post a letter and charge me a buck. They give security options (in my case, I include a "secret" word in the subject line, and there's a confirmation link that's emailed to me), but if I wanted, I could even let anyone send email to a given postful.com address, and it would mail a letter on my dime with no confirmation.

I haven't heard about any abuses.


Exactly. This is what we do on CallTheWeb. Not only is it much safer, but it allows our users to contribute messages to multiple accounts (say, their personal account, as well as a company account). If you tie things to a single email address, you limit your power users.


Perhaps a compromise would be to give the user the option to send emails to a hard-to-guess email address and then, if the user comes across the situation where he needs to delete a spoofed post, make a note near the deletion link that the option is available

This way, grandpa talking about his dog doesn't need to bother learning about security he doesn't really care about and the power user can post securely if it so happens that someone decides to spam his blog


I think the key here is that grandpa talking about his dog will find in short order that his Posterous blog is full of Viagra ads. Just because the SEO spammers haven't started using Posterous yet doesn't mean they won't pile on in droves once they realize it's possible.


They should just use SPF. This is what SPF is designed for, and it allows them to keep the user experience simple and straightforward. No weird passphrase to enter into the email, no weird random email address to email to, etc.


We do use SPF. It was related to the bug that caused this. It's been fixed now.


Yeah, no passphrase, just a hard to explain set of weird looking DNS entries to confuse the heck out of non-technical people with. The point of having no password is to make it simpler. You might as well go back to using a password instead of using SPF.


SPF only identifies the sending domain, not the sender himself.

If your address is gmail and my address is gmail, our MX domain has the same SPF record and same IPs. Sure, some mail servers will prevent you from authenticating with one ID and sending as another, but many others will let that slide.


Yes, but that's a fault of the mailserver on that domain. It shouldn't allow spoofed email to be sent from its own domain.


Sounds like a good partial solution to me. If SPF traces it back to a mail server that doesn't allow spoofed email, it could skip the confirmation step. GMail lets people change the from field, but only to an email address they can show they have access to, by clicking a confirmation link.


Which others? Give some examples.

Gmail won't. Hotmail won't. Yahoo won't. In fact I can't think of a single authenticating mail service that doesn't also validate authorization (e.g. you can only send as you).

Now maybe you're going to point out micro-mail servers, but that's kind of beside the point because very few other people share it with you. e.g. you used gmail as your example, but services like gmail aren't vulnerable to that.


Other people replied about a randomized/hard to guess email address. Building on your idea of a "hard to guess word" or token in the subject, posterous could allow a user to upload their public key, and require that their posts be gpg/pgp signed with their key (obviously this would be something that users would have to opt into). The displayed post could simply strip out the signature as it would only be needed for authentication.


Only with that kind of thing, or even the Zucchini method mentioned above, they would kind of lose their tag line about the easiest way to update a blog (or whatever it is).


The subject line is the title of the post at Posterous... though I suppose they could strip it out... i.e. "subj: Blog Post Title Goes here #sekretpassword".

Certainly not ideal. Typos would confuse matters and the idea of secret word authentication is not exactly common/obvious for the masses.


That would also require sending #sekretpassword in plaintext, also not ideal.


If Dustin were a major corporation or a politician, you'd be talking to the FBI and facing prosecution right now.

Nice hack, BTW.


Hardly a hack!


it's a hack in the Bruce Schneier "easiest way to steal pancakes has nothing to do with where money changes hands" sense...

Our goal is to eat, without paying, at the local restaurant. And we've got a lot of options. We can eat and run. We can pay with a fake credit card, a fake check, or counterfeit cash. We can persuade another patron to leave the restaurant without eating and eat his food. We can impersonate (or actually become) a cook, a waiter, a manager, or the restaurant owner (who might actually be someone that few workers have ever met). We could snatch a plate off someone's table before he eats it, or from under the heat lamps before the waiter could get to it. We can wait at the dumpster for the busboy to throw away the leftovers. We can pull the fire alarm and sneak in after everyone evacuates. We can even try to persuade the manager that we're some kind of celebrity who deserves a free breakfast, or maybe we can find a gullible patron and talk her into paying for our food. We could mug someone, nowhere near the restaurant, and buy the pancakes. We could forge a coupon for free pancakes. And there's always the time-honored tradition of pulling a gun and shouting, "Give me all your pancakes".


You've made this celiac crave pancakes again. Bad.


You can't tolerate gluten and you've never tried buckwheat pancakes? I find them superior to normal wheat pancakes in every way.


Don't judge me.


Sorry, my tone might have been off. What I meant was: Buckwheat pancakes don't have gluten and are amazing. If you don't know about them, give 'em a try!


You can make decent pancakes with oat flour. Try http://www.recipefiles.org/view_recipe.php?id=548 out.


There doesn't have to be Knuth-level computing for it to be a fun or easy, or simple, or elegant hack. And sadly the comment about the FBI is completely true. Any script kiddies reading this better keep that in mind.


True, but opening an unlocked door is hardly breaking into a house, yet you'd still get in trouble for it.


Locked or not it's still trespass, which is illegal, in most places.


Not in some parts of Canada. Trespass is only once you've told someone to leave (or have a sign saying "no trespassing"). Otherwise you are free to walk on anyone's property (this is Canada wide) and sometimes enter their house (this is specific to certain areas). If a door is locked then obviously you aren't allowed in, but in the North you are granted "implicit" permission to go into someone's house if you would be in pain or otherwise discomforted. In an emergency (threat of death, lifelong pain, bear/wolf/moose attack (seriously)) you are allowed to break into a house and stay there until you can leave. You are supposed to get in touch with the owner as soon as you can find him, though, and replace food, windows, other damage. If you don't it is considered breaking and entering.


That's a very sane law. Have you heard of any problems with it in practice?


Never. I've only heard of someone I know (a family member) using it once though. She left more than enough money and a note in the fridge and was very grateful she didn't have to continue driving in whiteout conditions.


In particular: http://en.wikipedia.org/wiki/Trespass_to_chattels though you'd have to show some actual damage resulting from it, which in this case would be just about nil.


Right, that's what I was going for.


what? according to your conclusion no politician or major corporation should need locks on their cars or front doors.


Highly unlikely.

Fraud, maybe, but only at a long stretch.

It certainly would never reach prosecution.


What would the crime be?


Well, he's knowingly misrepresenting himself. He's sending email as Dustin, with the specific intent of gaining unauthorized access to a system. (and he knows he's not authorized to post on Dustin's posterous)


That much is obvious, but what would cause the FBI to get involved and what would he be charged with?


Examples: The hackers that sent sequential iPad device numbers to AT&T servers and got email addresses back. The hacker that guessed Sarah Palin's password.


jcromartie's premise was, "If Dustin were a major corporation or a politician..."

IANAL, and it's not exactly the same circumstances, but when Sarah Palin's e-mail was hacked during the 2008 U.S. presidential campaign, the FBI and Secret Service both "got involved". According to Wikipedia the hacker in question was eventually found guilty of (1) felony obstruction of justice by destruction of records and (2) misdemeanor unauthorized access to a computer.

http://en.wikipedia.org/wiki/Sarah_Palin_email_hack


Basically what I am wondering is if he were to make a post to Pepsi's blog on Posterous, what would the federal crime be?

The parent has a lot of upvotes, so I really want to know why they agree he committed a crime, rather than found a bug.


Upvotes aren't for agreeing.


Whether they found it insightful or interesting, they probably deemed the statement true. No need to split hairs.


Interstate something-or-other.


This is a clear example of "good enough." Low security for low value targets -- if you need more you can get it. Setting a password, remembering a special email address, not posting via blackberry/mobile, all of these add friction.

EDIT: Although it is fun to think of solutions ... Posterous could mail you back a link; when you hit the link the post goes live. Then you would clearly need control of the sending address to post. And the link could just go to the new article, which you'll likely want to look at anyway.


I second. I have some flowers outside my house and they never got stolen. I think a lot of hackers overrate security just like a lot of nurses see diseases everywhere.


Measuring the danger of being impersonated is very difficult. It depends on how creative the attacker is and the social circumstances of the victim. Further, the victim can easily be unaware of the danger until they get bitten once.

This is going to be a serious issue for Posterous if they ever go mainstream. Opt-in authentication schemes won't be enough to prevent scores of naive people from being humiliated the first time, particularly teenagers.


> and they should not let you disable submission checking

I realize the security implications of all of the latest Posterous musings. But the fact is if Posterous didn't allow you to disable this I'd stop using their service. Posterous knows this.

My use case for Posterous is my phone. It has a nice 8 megapixel camera, and with literally two clicks I can have a picture sent to my Posterous blog. Is it secure? Not at all. Is it extremely convenient and productive? Absolutely.


Maybe they could add a link in the confirmation email for 'never ask for confirmation to post from this location', which would whitelist that mailserver for posting without confirmation.


Heh. Back when alternate email protocols were still common, it was my job to help support the "smtp gateway" product for a large corporation. I got to the point where I could forge emails by typing in SMTP by hand.

This worked very well the day I played a prank on my boss - the boss had sent out an email forged to appear it came from a co-worker that was supposed to be funny but hurt the co-worker's feelings badly. Co-worker wanted revenge, so I created a "letter of resignation" that appeared to come from the boss and that appeared to have been sent to every member of our company - but was really only sent to the boss himself.

Co-worker later told me he saw the boss running from office to office trying to do "damage control" before he realized no one else had actually gotten the email.


I feel like I'm missing something... Yesterday we were talking about the protections on Posterous and I posted an invitation to try to post to a Posterous I had set up (http://news.ycombinator.com/item?id=1439376). I got a bunch of emails from Posterous as a result of people trying to fake post to the account that I'd set up.

What's different between the way they did it and the way you did it? I'm assuming they also simply changed their email address in their mail client to try to send to my account.


> What's different between the way they did it and the way you did it?

He was successful.

Seriously, though, the difference probably is that you put more time and effort into creating a posterous that was more secure. Something as simple as "create it using a difficult email address" should cover most bases. Something that most people likely don't do.


I put zero time into it. I created a brand new Posterous account, left everything as the default and posted the email address tied to the account here.


I believe the default requires authorizing your posts. That may be the issue.


Hm. Well, if I had to venture a guess, I would say that it was because you used gmail exclusively, while Mr Curtis does not. Probably easier to slide by if you're a poster who emails through various different clients over time.


Why we quit posterous:

We were using posterous fairly often a while back, until my friend got into an argument with the posterous founder. He (my friend) had a few beers and then wrote a stupid message, basically saying that the posterous idea in general was bad (using different words :> ).

Then posterous founder replied saying he was banning my friend. We never found out if he actually followed through- because all of us (~15 guys) stopped using it completely the next day.

We, as users, have many options when choosing where to host our data, and we want services that are useful, secure, ethical, and beautiful.

http://charisma.posterous.com/

This one is not ready for us.


Does Posterous filter SEO spam? Otherwise this loophole seems like a perfect opportunity for SEO spam to start filtering in on lapsed accounts that still have some PageRank...


We do kill it and we're building a comprehensive spam killing system too. SEO spam is not welcome on Posterous in the least.


How does Posterous authenticate a message in the absence of DKIM or SPF records in DNS? The domain dustincurtis.com does not have an SPF record and DKIM is not supported by the mail host for dustincurtis.com (Google Apps for your Domain).

I assumed that Posterous did something clever using the IP address of the SMTP peer or the headers in the message. Does Posterous fallback to just checking the sender email address?


> Does Posterous fallback to just checking the sender email address?

Apparently so, I didn't even change my name.


Do you use Google Apps For Your Domain? If so, that might have foiled any IP address checking because dustincurtis.com is also hosted there.

EDIT: You must not be using Google Apps for Your Domain because Google does not allow sender forging.


Thanks for the bug report. This bug is now fixed.


All of you proposing obscure emails and other solutions, one of the reasons posterous' founders claim for their success is that they explicitly did NOT do any of those things. In fact, they're pretty clear that if they had done any of those things, posterous would have failed.


Hey, you left your door unlocked so I painted this sign on it to let everyone know.


That's what happens when you don't even have a door lock to begin with, then go tell the whole world about it. (Dustin told the whole world about not having a password. Not this guy.)


Agreed. Dustin should probably do a little more work to secure it, however posting fail... Total jerk move.


I was thinking about implementing a posterous-like email system for calendaring, and was wondering how they authenticated the emails. I recall them getting "hacked" around launch and there being some TC article about how they responded swiftly by adding new security measures.

Just registering the "usual" smtp sender / relay and prompting the user before posting something from a different spot could help. I don't know enough about MX records yet, but matching up the domain and sending IP could be another good measure. How else can this be improved?


E-mail provides no security. An e-mail can be forged simply by using telnet to connect to an SMTP server (usually your ISP's) and typing the appropriate message (see the Wikipedia article on SMTP). The easiest fix for this is PGP, as mentioned in previous posts. This is, however, a horrible solution since it will alienate many users (think your mother). The simplest solution that will do a good enough job is to send back an e-mail to the user with a 'preview' of his post for him to OK, since receiving e-mails is more secure.
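The confirmation-link design proposed in this comment and earlier in the thread (mail the purported sender a link; the post goes live only when the link is visited) only works if the token in the link cannot be minted by an attacker, expires, and is accepted once. The following is an added example, not code from the original thread or from Posterous; the domain posterous.example, the server key, the in-memory stores and the per-owner send budget are all assumptions. The budget exists because a forged submission makes the real owner receive mail, which is the spam objection raised further down the thread.

```python
import hashlib
import hmac
import time

# Assumed server-side secret; in production this comes from a secret store, not source.
CONFIRM_KEY = b"replace-with-32-random-bytes"

# Constructed in-memory stores standing in for the database.
PENDING = {}        # post_id -> post dict awaiting confirmation
PUBLISHED = {}      # post_id -> post dict once the link was visited
CONFIRM_SENT = {}   # owner address -> timestamps of confirmation mails sent

MAX_CONFIRMS_PER_HOUR = 5   # assumed budget per owner address


def _mac(post_id, exp, key):
    # HMAC over "post_id.expiry"; post ids are assumed to contain no '.' characters.
    return hmac.new(key, f"{post_id}.{exp}".encode(), hashlib.sha256).hexdigest()


def make_confirm_token(post_id, key=CONFIRM_KEY, now=None, ttl=3600):
    """Token layout: post_id.expiry.hmac_hex. Only the key holder can mint a valid one."""
    exp = int(now if now is not None else time.time()) + ttl
    return f"{post_id}.{exp}.{_mac(post_id, exp, key)}"


def queue_post(post_id, owner, blog, title, body, now=None):
    """Park the post as pending and return the confirmation URL to mail to `owner`.
    Returns None when that owner already received the hourly budget of confirmation
    mails, so forged submissions cannot be used to flood the real owner's inbox."""
    now = now if now is not None else time.time()
    recent = [t for t in CONFIRM_SENT.get(owner, []) if now - t < 3600]
    if len(recent) >= MAX_CONFIRMS_PER_HOUR:
        CONFIRM_SENT[owner] = recent
        return None
    CONFIRM_SENT[owner] = recent + [now]
    PENDING[post_id] = {"blog": blog, "title": title, "body": body}
    return "https://posterous.example/confirm/" + make_confirm_token(post_id, now=now)


def confirm(token, key=CONFIRM_KEY, now=None):
    """Verify MAC, expiry and single use, then publish. Returns True on success."""
    now = now if now is not None else time.time()
    try:
        post_id, exp_s, mac = token.split(".")
        exp = int(exp_s)
    except ValueError:
        return False
    # Constant-time comparison so a wrong MAC is not distinguishable by timing.
    if not hmac.compare_digest(mac, _mac(post_id, exp, key)):
        return False
    if now > exp:
        return False
    post = PENDING.pop(post_id, None)   # single use: a second visit finds nothing
    if post is None:
        return False
    PUBLISHED[post_id] = post
    return True


if __name__ == "__main__":
    url = queue_post("a1b2", "hi@dustincurtis.com", "dustin", "Hello", "body")
    print("mail this to the owner:", url)
    print("first click publishes:", confirm(url.rsplit("/", 1)[1]))
    print("second click is rejected:", confirm(url.rsplit("/", 1)[1]))
```

Because the link is only useful to whoever reads the owner's mailbox, a forged From header buys the attacker nothing except one confirmation mail landing with the real owner, and the budget caps even that.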


Which provides a great way to spam people. The preview idea sucks.

SPF solves almost all of the issue. Unique mailing addresses should be available for users who want it (yeah most people can handle an address book). The absence of those is just grossly incompetent.


It seems like a fault that wouldn't hurt the entire system, but it may cause a dilemma similar to Facebook's design flaw, where disowned groups could be taken under control - http://mashable.com/2009/11/10/facebook-groups-hacked/. As with every such flaw, it's likely to start attracting spammers, and should be dealt with in some way (Facebook seems to have disabled reclaiming ownership of groups without admins?)


post+uniqueapikey@posterous.com

Would half fix this problem.


or even post+memorableuniqueword@posterous.com
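The two comments above propose a per-blog secret in the recipient address (post+token@...), and an earlier comment proposes a secret word in the subject (the Zucchini method). The following is an added example of how a receiving side would check both, not code from the thread or from Posterous. Assumptions: the domain posterous.example, a server key from which each blog's 128-bit token is derived with HMAC, and an in-memory index of blogs standing in for a database. The From header is never consulted; only the envelope recipient (RCPT TO) or the subject token decides.

```python
import hashlib
import hmac
import re
from email import message_from_string

# Assumed server-side secret and domain (not the project's real values).
SERVER_KEY = b"replace-with-random-server-secret"
DOMAIN = "posterous.example"


def derive_post_token(blog_id, key=SERVER_KEY):
    """128-bit per-blog token (truncated HMAC of the blog id). Unlike a memorable word
    it cannot be guessed, and rotating the key rotates every address at once."""
    return hmac.new(key, blog_id.encode(), hashlib.sha256).hexdigest()[:32]


def post_address(blog_id):
    return f"post+{derive_post_token(blog_id)}@{DOMAIN}"


# Constructed index of known blogs; a real service would store token -> blog in its DB.
BLOGS = ("dustin", "robin")
TOKEN_INDEX = {derive_post_token(b): b for b in BLOGS}

SUBADDR_RE = re.compile(r"^post\+([0-9a-f]{32})@" + re.escape(DOMAIN) + r"$")
SUBJECT_TOKEN_RE = re.compile(r"\s+#([0-9a-f]{32})\s*$", re.I)


def authorise(raw_message, envelope_rcpt):
    """Return (blog_id, title) if the message carries a valid token, else (None, None).
    Token source 1: the +sub-address of the envelope recipient.
    Token source 2: a trailing '#token' in the Subject, which is stripped from the title."""
    msg = message_from_string(raw_message)
    title = msg.get("Subject", "").strip()
    m = SUBADDR_RE.match(envelope_rcpt.strip().lower())
    token = m.group(1) if m else None
    if token is None:
        m = SUBJECT_TOKEN_RE.search(title)
        if m:
            token = m.group(1).lower()
            title = title[:m.start()].strip()   # the secret never reaches the published post
    if token is None:
        return None, None
    blog_id = TOKEN_INDEX.get(token)
    if blog_id is None:
        return None, None
    # Defence in depth: re-derive and compare in constant time.
    if not hmac.compare_digest(token, derive_post_token(blog_id)):
        return None, None
    return blog_id, title


# Constructed sample messages. The From header claims to be the owner in both; it is ignored.
SAMPLE = (
    "From: Dustin Curtis <hi@dustincurtis.com>\r\n"
    "To: " + post_address("dustin") + "\r\n"
    "Subject: Sunday in the park\r\n"
    "\r\n"
    "Photo attached.\r\n"
)
SAMPLE_SUBJECT_TOKEN = (
    "From: Dustin Curtis <hi@dustincurtis.com>\r\n"
    "To: post@" + DOMAIN + "\r\n"
    "Subject: Sunday in the park #" + derive_post_token("dustin") + "\r\n"
    "\r\n"
    "Photo attached.\r\n"
)

if __name__ == "__main__":
    print("owner's private address:", post_address("dustin"))
    print("sent to private address:", authorise(SAMPLE, post_address("dustin")))
    print("same mail sent to shared post@:", authorise(SAMPLE, "post@" + DOMAIN))
    print("subject token instead:", authorise(SAMPLE_SUBJECT_TOKEN, "post@" + DOMAIN))
```

The trade-off the thread identifies still stands: the token travels in the clear through whatever relays handle the message, so it should be treated like a password in a URL and be rotatable from the blog settings.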


You could have told him instead of being a jerk - I know from experience that this doesn't work, say in the work place, where proving your point like this is vital if you want to be heard - but for regular people this is basically an attack. Worst of all you told everyone else how to do it...

Warning him would have been nice, this IS, by definition almost, malicious - regardless of how you chose to interpret the word yourself.


Sending email apparently from a particular address, as described, is so simple I can't believe two things: 1, that Posterous was set up to let that happen and 2, that in 2010, the email system is still so dumb that I can send mail with any sender address that to the majority of people would be indistinguishable from mail genuinely from the sending address.


Nice hack. You're going to spawn a whole new generation of hackers that uses Outlook to wreak havoc. ;)


It's cute, but it's not a hack.


Yeah I forgot my sarcasm airquotes.


Why on Earth would anyone use the confirmation skip? That's basically security through obscurity. Even less so if the email address you use is known by people.


Convenience is often on the opposite end of the Security slider. Many people go whole hog on it.

Same with privacy, see Facebook.


Interesting point, because it suggests that an email address that was kept private and dedicated to Posterous posting could have prevented this attack. So, is this weak security on the part of Posterous, or excellent social engineering on the part of robinduckett? At the least, it's like he simply asked the target for a password; at the most, it's like he found the spare door key in the fake 7-Up can in the garden shed.

Note: Creating a "private" email address is beyond the capabilities of 75% of the people I know, who believe that email addresses are exclusively created and assigned by ISPs or employers. I doubt that Posterous will do anything to alienate this group, who appear to be an important target audience.


Actually it was a bug, and its now fixed.


Does Posterous not support SPF?

SPF tells you that the email really came from my server. That the email really came from my server tells you that it's really me, as sending through my server requires a password.

Sadly SPF is grossly underused.


Sure, they could check SPF, but what if your mail server doesn't support it? Reject the message?


If SPF isn't configured on the domain then it should simply go without that safeguard (maybe forcing confirmations?). SPF is, however, a pretty good indicator that the email is legitimate.


Yeah, as soon as I saw this post I thought of SPF and DomainKeys.

Seems simple:

If your mail/DNS is setup to support either of these, then cool you don't need to confirm.

Else, you must "ok" each post.

DONE


SPF doesn't verify the sender, it only tells you if the server is allowed to send mail from a domain. You can still use the password for your account to forge the sending address of another user in the domain. Besides, the fact that your domain requires a password is only meaningful to you; it has no value to the outside world in terms of identity assurance.


>You can still use the password for your account to forge the sending address of another user in the domain.

Very few mail servers allow you to do that. Once you add sender authentication, it generally comes with sender authorization.

>Besides, the fact that your domain requires a password is only meaningful to you

Almost all SMTP servers are locked down now, most requiring authentication. Those that aren't get blacklisted pretty quickly.

SPF tells you that the sender is authorized to send on behalf of that person.

It solves 99.9% of the issue.
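The SPF argument running through this thread (the cofounder's description of a false negative when the sending domain had no record, and the point above that SPF authorises a domain's hosts rather than an individual mailbox) is easiest to see in code. The following is an added example, not Posterous's code: a minimal SPF evaluator covering the ip4, ip6, include and all mechanisms, followed by the policy decision a post-by-email service should make on each result. FAKE_TXT is a constructed stand-in for DNS TXT lookups so the block runs offline, and every domain in it is fictional.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (no network). Real code queries DNS
# and enforces the RFC 7208 limit of 10 DNS-querying mechanisms.
FAKE_TXT = {
    "dustincurtis.example": [],   # owner never published an SPF record
    "mailhost.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.relay.example -all"],
    "_spf.relay.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "loose.example": ["v=spf1 +all"],   # domain that lets any host send for it
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, txt=FAKE_TXT):
    """Return the single v=spf1 TXT record for domain, or None if there is none."""
    records = [t for t in txt.get(domain, [])
               if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    return records[0] if len(records) == 1 else None


def check_spf(ip, domain, txt=FAKE_TXT, _depth=0):
    """Evaluate ip4, ip6, include and all for the connecting ip.
    Returns pass, fail, softfail, neutral, none or permerror (RFC 7208 names)."""
    if _depth > 10:
        return "permerror"
    record = lookup_spf(domain, txt)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr.version == net.version and addr in net
        elif name == "include":
            # include matches only when the referenced record yields pass
            matched = check_spf(ip, arg, txt, _depth + 1) == "pass"
        else:
            return "permerror"   # a, mx, ptr, exists and modifiers are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"   # nothing matched and no explicit all


def posting_decision(ip, mail_from_domain, txt=FAKE_TXT):
    """Policy for a post-by-email service. Only a real pass says the domain authorised
    this host. 'none' (no record) is not evidence either way, so it must fall back to
    confirmation rather than being treated as 'not spoofed'. Note that even a pass only
    vouches for the domain's hosts, not for the individual mailbox in MAIL FROM."""
    result = check_spf(ip, mail_from_domain, txt)
    if result == "pass":
        return "publish"
    if result == "fail":
        return "reject"
    return "confirm"   # none, softfail, neutral, permerror


if __name__ == "__main__":
    for ip, dom in [("203.0.113.7", "mailhost.example"),
                    ("192.0.2.1", "mailhost.example"),
                    ("192.0.2.1", "dustincurtis.example"),
                    ("192.0.2.1", "loose.example")]:
        print(f"{ip:>14} for {dom:<22} -> {check_spf(ip, dom):<8} {posting_decision(ip, dom)}")
```

The loose.example entry illustrates the caveat in the comment above: a record of +all produces a pass for any host on the internet, so a service that auto-publishes on pass is still trusting the sending domain's operator to restrict who can send as whom.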


Since part of the allure was the need for "no passwords" in order to be simple, I doubt explaining SPF to novices is going to be a step forward.


As an aside, instead of post@, posterous should use a guid for each blog. e.g.

B566EA61026F474BA8ADB877FF765087@posterous.com

If you're on another device just email whoami@posterous.com and it responds with your GUID post address. Of course email is hardly confidential, and it would be sent in the clear, but it's a heck of a lot more powerful than simply looking at a from address.


[deleted]


No, since the reply goes back to the real address.


How embarrassing for you. How exactly would the email go to the forger if they are spoofing YOUR email address. Coffee in the morning, gin at night. Never switch the two.


People can't always be right, eh?

I was mistaken. You're right, I haven't had my coffee yet.


I like that better than "What are you smoking?" Still overly rude, though.


Poll: hack Dustin Curtis's things every day? Yay? Nay?



