Known (to me) FA vulnerabilities

Oct 17, 2010 23:57

Lots of people have told me, with some disdain, that I should be reporting vulnerabilities. These people have sort of missed the point, insofar as I had one:
(a) FA does not consider security issues to be a high priority. Old, well-known exploits still exist, and are never fixed. New ones are still being created, and there's nothing in place to try to catch them. Most of the big FA crises in the past were easy to see coming.
(b) FA has a lot of security issues. And continues to expose its userbase to them. The users should probably be mad about that.

But hey, okay. Here's everything I know about, ranked by how easy it is to exploit. ☆☆☆ means it's technically possible, but scarcely worth the effort unless someone is super angry. ★★★ means I could be doing it to you as you read this paragraph. (No, I'm not.) Severity is up to you.

This information alone is not enough to inflict damage.

Let's get CSRF out of the way, because it's almost cheating. And yes, this list already accounts for the fixes from this weekend:
★★☆ An attacker can trick a user into watching any other user.
★★☆ An attacker can trick a user into unwatching any other user.
★★☆ An attacker can trick a user into faving any submission.
★★★ An attacker can trick a user into unfaving any submission.
★★☆ An attacker can trick a user into posting any submission.
★★☆ An attacker can trick a user into posting any journal.
★★★ An attacker can trick a user into creating any number of dummy submissions.
★★☆ An attacker can trick a user into replacing the content of any of that user's submissions.
★★☆ An attacker can trick a user into changing the description of any of that user's submissions.
★★☆ An attacker can trick a user into changing any of that user's journals.
★★★ An attacker can trick a user into deleting any submission the user owns.
★★★ An attacker can trick a user into deleting any journal the user owns.
★☆☆ An attacker can trick a user into deleting any combination of shouts on that user's page.
★★☆ An attacker can trick a user into making any comment on any journal or submission.
★★★ An attacker can trick a user into making a dummy comment on any journal or submission.
★★☆ An attacker can trick a user into posting any shout on any other user's userpage.
★★☆ An attacker can trick a user into hiding any comment the user is allowed to hide.
★★★ An attacker can trick a user into logging out.
★★☆ An attacker can trick a user into changing that user's profile text and metadata.
★★☆ An attacker can trick a user into changing that user's avatar.
★☆☆ An attacker can trick a user into replacing that user's existing avatars.
★☆☆ An attacker can trick an admin into exercising any administrative powers.
There's also a meta-exploit which would allow creating a socially-replicating worm, fairly untraceable, not requiring persistent hosting outside FA, and capable of doing any of the above.
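Every item in the CSRF list above is a state-changing action that the browser will happily submit along with the victim's session cookie. The standard fix is a per-session synchronizer token that a cross-site page cannot read, checked on every state-changing POST, with GET never allowed to change state. The following is an added, self-contained illustration of that check, not code from the original post or from FA; the session store, the action names, and the function names are all constructed for this example.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> {"user": ..., "csrf": ...}
SESSIONS = {}

# Actions that change state (watch, fave, post, delete, log out, ...).
# Each of these must carry the token bound to the caller's session;
# read-only actions such as viewing a page do not.
STATE_CHANGING = {"watch", "unwatch", "fav", "unfav", "post_submission",
                  "post_journal", "delete_submission", "delete_journal",
                  "comment", "shout", "hide_comment", "logout"}

def new_session(user):
    """Log a user in: mint a session id and an unguessable CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def csrf_token(sid):
    """Token the site embeds as a hidden field in its own forms only."""
    return SESSIONS[sid]["csrf"]

def handle(method, action, cookies, form):
    """Dispatch one request. Returns (status, message).

    A forged cross-site request carries the session cookie (the browser
    attaches it automatically) but cannot carry the token, so it is refused.
    """
    sid = cookies.get("session")
    if sid not in SESSIONS:
        return 401, "not logged in"
    if action in STATE_CHANGING:
        if method != "POST":
            # Blocks the <img src=...> / link-click style of forgery outright.
            return 405, "state change via GET refused"
        submitted = form.get("csrf", "")
        expected = SESSIONS[sid]["csrf"]
        # Constant-time comparison so the token cannot be guessed byte by byte.
        if not hmac.compare_digest(submitted, expected):
            return 403, "missing or wrong CSRF token"
    return 200, f"{action} for {SESSIONS[sid]['user']}"
```

The "log out" entry is the clearest case: a logout endpoint that works over a plain GET can be triggered by any page the victim merely loads, which is why the check above refuses GET before it even looks for a token.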

Others:
☆☆☆ An attacker can steal user passwords over open wifi (such as that at furry conventions).
★★☆ An attacker can steal user sessions over open wifi (such as that at furry conventions).
★★☆ An attacker can log out every logged-in user and prevent anyone else from logging in, including administrators.
★★★ Banned users can hide comments they would otherwise be able to hide.
★★★ Banned users can post comments on journals.
★★★ Blocked users can reply to comments on the blocker's submissions and journals.
Meta: read-only and admin mode are kind of worthless. They didn't stop the escalation exploit on Friday, and they didn't stop the PHP execution vulnerability I witnessed first-hand many years ago.

There are several parts of the site I've just never used, so I don't claim that this is exhaustive. (I've never used trouble tickets, for example, and that would be a great place for an exploit; direct guaranteed audience with an admin.)

If I missed anything, please let me know. If you think any of the above make it obvious what the exploits are to someone who wouldn't already know, definitely let me know and I'll try to be more vague.

I will happily explain, to any FA admin who asks, how any of these work and how to prevent them. But it is not my responsibility to chase people down and try to make them care.

There are very many combinations of attacks that would let a single person destroy the entire site.

Also I hear something about a $50 bug bounty.

security, furaffinity
