Published with mk's permission.

As mk alluded to in his Pubski post:

there was something about 'prev'. I'd like to explain what it was, tell you about what I learned from it and share some conclusions.

How did the 'prev' thing work?

It's simple, really. You go to any post, you get a link like https://hubski.com/pub/POST_ID. Now, I changed the /pub/ to /prev/. Lo and behold, it took away any restrictions on post access. It could have been a draft, a private message or a deleted post or comment; it didn't matter.

- How was it found?

Boredom. I looked through Hubski's robots.txt file and found something I couldn't recall messing with.

- Why was it working?

I'm speculating, but I think that because it was intended as a preview of one's own posts, there were no (additional) security measures in place to guard against illicit access. By design, it made sense. The only way anyone could utilise the /prev/ method was to do it manually. Unfortunately, it was a security risk.

What have I learned?

I want to stress it as much as possible: I have never read or saved any of the data while the bug was in place. The only posts I accessed were mine or pure accidents. Could anyone else do it? Potentially, yes.

What I did do, however, was take about 60k posts while they were accessible: PMs, drafts… you name it. I had no way of differentiating them. Then I ran them through a bunch of regex checkers and tested them for the presence of the following:

- BTC/ETC addresses,

- Names that weren't on my lists of common surnames or Wikipedia,

- Various patterns of telephone numbers, PO boxes and email addresses,

- The last line of the message's body containing a name (it was a yes/no).

And some other stuff along those lines. I want to stress that it can contain false positives, as I haven't seen the values that were found. I just got tally counts. It also goes without saying that quite a lot of it is likely to come from spam, as spammers have to put in some kind of contact info.

Please, avoid sending sensitive information through Hubski. It wasn't made with strict security in mind, it's a third space where we can talk, chill, share, stimulate and try being excellent to each other. It's genuine, and that's a big part of both its appeal and charm. But it's a growing place and odds are that the next IT geek might not be half as nice as I am (or anyone else who helped with patching holes for that matter, I claim no full credit on anything).

I am by no means denigrating the work done by mk, rob05c, forwardslash and everyone else who worked on Hubski. It's an amazing project. But it wasn't made with security as the main priority, it's all about utility and I have no bad words or critique to say about that.
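As an added illustration (not Hubski's code, which is not shown here), below is a small Python model of the bug and its fix: the /pub/ route checks visibility, the /prev/ route as described skips authorization entirely, and the hardened preview requires the requester to own the post. The Post store, visibility states and access-log line format are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Post:
    post_id: int
    author: str
    body: str
    visibility: str  # "public", "draft", "pm" or "deleted" (constructed states)

# Constructed sample data standing in for the site's database.
POSTS = {
    1: Post(1, "alice", "hello world", "public"),
    2: Post(2, "alice", "unfinished thoughts", "draft"),
    3: Post(3, "bob", "my phone is <redacted>", "pm"),
    4: Post(4, "bob", "removed", "deleted"),
}

def view_pub(post_id):
    """/pub/<id>: only public posts are readable, by anyone."""
    post = POSTS.get(post_id)
    if post is None or post.visibility != "public":
        return None
    return post.body

def view_prev_vulnerable(post_id):
    """/prev/<id> as described in the post: fetch by id, no ownership or visibility check."""
    post = POSTS.get(post_id)
    return post.body if post else None

def view_prev_fixed(post_id, viewer):
    """Hardened preview: the requester must be logged in and own the post; deleted
    content is never previewable; everything else falls back to the /pub/ rules."""
    post = POSTS.get(post_id)
    if post is None or post.visibility == "deleted":
        return None
    if viewer is not None and viewer == post.author:
        return post.body
    return view_pub(post_id)

def flag_prev_misuse(log_lines):
    """Detection: given constructed access-log lines of the form "user path", return
    the requests where /prev/ was used on a post the requester does not own."""
    hits = []
    for line in log_lines:
        user, path = line.split()
        if path.startswith("/prev/"):
            post = POSTS.get(int(path.rsplit("/", 1)[1]))
            if post and post.author != user:
                hits.append(line)
    return hits
```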

mk:

    Please, avoid sending sensitive information through Hubski. It wasn't made with strict security in mind, it's a third space where we can talk, chill, share, stimulate and try being excellent to each other.

Yes. Our development motto is: Move slow and break things.


posted 2364 days ago