Published with mk's permission.
As mk eluded to in his Pubski post:
there was something about 'prev'. I'd like to explain what it was, tell you about what I learned from it and share some conclusions.
How did the 'prev' thing work?
It's simple, really. You go to any post, you get a link that https://hubski.com/pub/POST_ID. Now, I changed the /pub/ to /prev/. Lo and behold, it took away any restrictions to post access. It could have been a draft, private message or a deleted post or comment, didn't matter.
- How was it found?
Boredom. I looked through the Hubski's robots.txt file and found something I couldn't recall messing with.
- Why was it working?
I'm speculating, but I think that because it was intended as a preview of one's own posts, there were no (additional) security measures in place to guard against obtaining the illicit access. By design, it made sense. The only way anyone could utilise /prev/ method was to do it manually. Unfortunately, it was a security risk.
What have I learned?
I want to stress it as much as possible: I have never read or saved any of the data while the bug was in place. The only posts I accessed were mine or pure accidents. Could anyone else do it? Potentially, yes.
What I did do, however, is that I took about 60k posts while those were accessible, PMs, drafts… you name it. I had no way of differentiating them. Then ran them through a bunch of regex checkers and tested them for the presence of the following:
- BTC/ETC addresses,
- Names that weren't on my lists of common surnames or Wikipedia,
- Various patterns of telephone numbers, PO boxes and email addresses,
- The last line of message's body containing a name (it was a yes/no).
And some other stuff along those lines. I want to stress that it can contain false-positives as I haven't seen the values that were found. I just got tally counts. It also goes without saying that quite a lot of it is likely to come from spam, as they have to put some kind of contact info.
Please, avoid sending sensitive information through Hubski. It wasn't made with strict security in mind, it's a third space where we can talk, chill, share, stimulate and try being excellent to each other. It's genuine, and that's a big part of both its appeal and charm. But it's a growing place and odds are that the next IT geek might not be half as nice as I am (or anyone else who helped with patching holes for that matter, I claim no full credit on anything).
I am by no means denigrating the work done by mk, rob05c, forwardslash and everyone else who worked on Hubski. It's an amazing project. But it wasn't made with security as the main priority, it's all about utility and I have no bad words or critique to say about that.
- Please, avoid sending sensitive information through Hubski. It wasn't made with strict security in mind, it's a third space where we can talk, chill, share, stimulate and try being excellent to each other.
Yes. Our development motto is: Move slow and break things.
Good catch on this one. Just goes to show, as soon as you write something down, it's not secret.
In the past, I've approach sites (like reddit) with the idea of staying wholly anonymous, but I think that's actually backwards. When I moved over to hubski, I began with the assumption that everything I do and say here will be connected to my real name (and have even posted links to my medium page, which does use my real name). It's allowed me to much more conscious of what I put here, and means I'm relying on my own feelings about what I'm willing to share rather than a 3rd party (no matter how capable and well-intentioned mk et al. may be).
I'm just gonna keep filling hubski with my shitty poetry.
Its Tuesday me dudes
ahhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
mk, you once made a post allowing users to see their deleted comments. I'm unable to find it on Hubski's search. Would you mind sharing that again? It might be worthwhile for users to go through their comment history and replace any text they want to be rid of with a place holder text, like "X."
On a side note, I've noted (what appears to be) a recurrence of an earlier #bugski - since this thread's up, might as well mention it here - when checking my replies for this thread, I saw one from mk. However, the notification says "you are muted here." That being said, I'm not muted in the thread, by Devac, or by mk, so I'm not sure what's throwing this signal. I'd observed something similar a while ago to mk and we thought we'd fixed it at the time. May need to look into again.
Yes, we should add on mail somewhere that PMs shouldn't be considered as private as email. I did say something to that effect 2034 days ago:
- Importantly, only those users included in a message can read the mail and comments. However, Hubski mail is stored as plain-text on our server and privacy is permission-based only. For that reason, please don't post very sensitive or personal information in Hubski mail.
But, we could make it clear.
My observation of the issue is that it's two-fold: one; there is an issue which should be circulated (as it has been), but also two; new users aren't going to know that, and with the current set-up of Hubski, this post, and your 2034-day old post, simply aren't going to get seen by others going forward as they "bump down" in the feed.
My mind's on governance these days as I try to set up this project for work, which is why I think it's important to point out/remember that while it's great - absolutely great and important - that we create posts and share issues real-time with the current hubski community, in the way we do now -- we have to keep a mind for the people who are going to come along after us, whether that's in a day, a week, a month, or a year. So stuff like this should get added to one of the basic "about," "faq," "tmi," or etc pages - or the mail page - or whichever place suits the topic best - but we can't forget to do that housekeeping on the back end as well as this front-end alert of the current active community.
My concern's not just, or maybe even not mostly, about or regarding site-wide clarity - it's for the users who won't have ever seen this post because they weren't here when it happened.