How I "hacked" Dustin Curtis's Posterous.
I logged into my Outlook, changed my email address to his email address, and sent the email to post@posterous.com.
Dustin mentioned in his article that he didn't require a password, and I wanted to see if he had used the confirmation skip.
Just wanted to apologise to Dustin about any inconvenience, but I do hope I opened his eyes to security a little!
EDIT: A little bit of backstory.
Dustin seems to think that I did this because of a comment he made on how the headers could be forged. I had not read this comment. In fact, I read his article, and using the knowledge that I picked up years ago, that you could change the outgoing email address in Outlook (although it was Outlook Express in those days), I changed my email to his email.
I saw his email on his website (hi@dustincurtis.com) and thought, "No, he wouldn't be sending his personal emails from that address, that's silly."
I checked the WHOIS on his domain, and saw another email address there. I changed my email, sent a quick "Apparently..." message, and then changed it back to my original email address. I checked his blog, and it didn't seem to work.
I then went to sign up for my own posterous, to play a bit more, and I saw that you had to authorise your posts. Then I saw how this could be disabled for convenience. A few minutes later and the post showed up.
I am a web developer; I have experience with bash scripting, curl, sendmail and everything else you would need to fake headers.
I did not fake headers, I changed one field in Outlook. I didn't do this maliciously, and I just did it to prove a point.
Posterous should not be using email alone to authorise posts, and they should not let you disable submission checking.
Hey guys. I'm the cofounder of Posterous.
Yes, someone did figure out how to post to Dustin's site today. This security hole is now fixed.
We had a specific problem with the way we dealt with SPF records. Dustin didn't set any up, and there was a specific way that Robin Duckett's email server responded that caused us to flag it as a false negative for spoofing.
For the vast majority of users who use gmail, hotmail or other services, this was never an issue.
Since our launch on day one, we have taken email spoof detection very seriously. It's one of our core differentiators: to be able to securely post to your blog by emailing a single, easy to remember address. We don't want to do secret addresses or secret words.
Over the past 2 years, we've developed robust spoof detection IP and spend a ton of time trying to stay a step ahead of hackers. Fortunately, we've only had a few very specific, isolated cases where one of our sites was spoofed, and each time we have improved our system.
Thanks for bringing this to our attention. We always need to be one step ahead of the hackers/spoofers, and we thank the Hacker News community for keeping us on our toes!
I agree with the conclusion. Posterous could fix this problem by implementing something like The Zucchini Method (http://www.jgc.org/antispam/03152005-2150120647b00f4af9d3443... [PDF]). Basically, they could accept posts via email as long as the user included some hard to guess word (or other token) in the subject line.
If Dustin were a major corporation or a politician, you'd be talking to the FBI and facing prosecution right now.
Nice hack, BTW.
This is a clear example of "good enough." Low security for low value targets -- if you need more you can get it. Setting a password, remembering a special email address, not posting via blackberry/mobile, all of these add friction.
EDIT: Although it is fun to think of solutions ... Posterous could mail you back a link; when you hit the link the post goes live. Then you would clearly need control of the sending address to post. And the link could just go to the new article, which you'll likely want to look at anyway.
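The two suggestions above, a hard-to-guess token in the subject line (the Zucchini method) and a confirmation link mailed back to the owner, as one added, self-contained example. This is not Posterous code and not code from either commenter; the blog is routed on the local part of the To: address (dustin@posterous.example), the per-blog token, the server key, the confirmation URL host and the sample messages are all constructed for the example.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed per-blog posting tokens (Zucchini-style). A real service would
# generate one at signup, show it once and let the owner rotate it.
BLOG_TOKENS = {"dustin": "zucchini-7f3a9c"}
# Constructed server-side key for signing confirmation links.
SERVER_KEY = b"constructed-server-key-for-the-example"
# Placeholder confirmation endpoint (assumption, not a real host).
CONFIRM_URL = "https://blog.example/confirm/"

def subject_has_token(blog: str, subject: str) -> bool:
    """Zucchini check: the blog's token must appear as a whole word in the
    subject. The From: header plays no part in the decision."""
    expected = BLOG_TOKENS.get(blog)
    if expected is None:
        return False
    # constant-time compare of each word; encode so non-ASCII words cannot
    # raise TypeError from compare_digest
    return any(hmac.compare_digest(w.encode(), expected.encode())
               for w in subject.split())

def strip_token(blog: str, subject: str) -> str:
    """Remove the token before the subject is used as the post title."""
    expected = BLOG_TOKENS[blog].encode()
    return " ".join(w for w in subject.split()
                    if not hmac.compare_digest(w.encode(), expected))

def make_confirm_token(post_id: str, expires_at: int) -> str:
    """post_id.expiry.HMAC; post_id must not contain '.' (assumption)."""
    payload = f"{post_id}.{expires_at}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"

def verify_confirm_token(token: str, now: int) -> Optional[str]:
    """Return the post id if the link is genuine and unexpired, else None."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    post_id, exp_s, mac = parts
    expected = hmac.new(SERVER_KEY, f"{post_id}.{exp_s}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # verify before trusting fields
        return None
    if now > int(exp_s):
        return None
    return post_id

def handle_inbound(raw: str, post_id: str, now: int, ttl: int = 3600) -> dict:
    """Decide what to do with an inbound post. Nothing here reads From:."""
    msg = message_from_string(raw)
    blog = parseaddr(msg.get("To", ""))[1].split("@")[0]
    subject = msg.get("Subject", "")
    if subject_has_token(blog, subject):
        return {"action": "publish", "blog": blog,
                "subject": strip_token(blog, subject)}
    # No token: hold the post and mail a one-shot link to the address on
    # file for the blog (the owner's, not the claimed sender). Only someone
    # who can read that mailbox can make the post live.
    token = make_confirm_token(post_id, now + ttl)
    return {"action": "hold", "blog": blog, "confirm_url": CONFIRM_URL + token}

# Constructed sample messages.
SAMPLE_WITH_TOKEN = (
    "From: anyone@example.invalid\r\n"
    "To: dustin@posterous.example\r\n"
    "Subject: zucchini-7f3a9c Apparently...\r\n"
    "\r\n"
    "Body of the post.\r\n"
)
SAMPLE_NO_TOKEN = SAMPLE_WITH_TOKEN.replace("zucchini-7f3a9c ", "")

if __name__ == "__main__":
    print(handle_inbound(SAMPLE_WITH_TOKEN, "post-1", now=1_000_000))
    print(handle_inbound(SAMPLE_NO_TOKEN, "post-2", now=1_000_000))
```

Both gates rest on something a spoofed From: header does not give an attacker: knowledge of the token, or the ability to read the owner's inbox. The confirmation token carries its own expiry under the MAC, so a leaked link stops working after `ttl` seconds; a production version would also record used tokens so a link cannot be replayed.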
> and they should not let you disable submission checking
I realize the security implications of all of the latest Posterous musings. But the fact is if Posterous didn't allow you to disable this I'd stop using their service. Posterous knows this.
My use case for Posterous is my phone. It has a nice 8 megapixel camera, and with literally two clicks I can have a picture sent to my Posterous blog. Is it secure? Not at all. Is it extremely convenient and productive? Absolutely.
Heh. Back when alternate email protocols were still common, it was my job to help support the "smtp gateway" product for a large corporation. I got to the point where I could forge emails by typing in SMTP by hand.
This worked very well the day I played a prank on my boss. The boss had sent out an email forged to appear as if it came from a co-worker; it was supposed to be funny but hurt the co-worker's feelings badly. The co-worker wanted revenge, so I created a "letter of resignation" that appeared to come from the boss and that appeared to have been sent to every member of our company, but was really only sent to the boss himself.
Co-worker later told me he saw the boss running from office to office trying to do "damage control" before he realized no one else had actually gotten the email.
I feel like I'm missing something... Yesterday we were talking about the protections on Posterous and I posted an invitation to try to post to a Posterous I had set up (http://news.ycombinator.com/item?id=1439376). I got a bunch of emails from Posterous as a result of people trying to fake post to the account that I'd set up.
What's different between the way they did it and the way you did it? I'm assuming they also simply changed their email address in their mail client to try to send to my account.
Why we quit posterous:
We were using posterous fairly often a while back, until my friend got into an argument with the posterous founder. He (my friend) had a few beers and then wrote a stupid message, basically saying that the posterous idea in general was bad (using different words :> ).
Then the Posterous founder replied saying he was banning my friend. We never found out if he actually followed through, because all of us (~15 guys) stopped using it completely the next day.
We, as users, have many options when choosing where to host our data, and we want services that are useful, secure, ethical, and beautiful.
http://charisma.posterous.com/
This one is not ready for us.
Does Posterous filter SEO spam? Otherwise this loophole seems like a perfect opportunity for SEO spam to start filtering in on lapsed accounts that still have some PageRank...
How does Posterous authenticate a message in the absence of DKIM or SPF records in DNS? The domain dustincurtis.com does not have an SPF record, and DKIM is not supported by the mail host for dustincurtis.com (Google Apps for your Domain).
I assumed that Posterous did something clever using the IP address of the SMTP peer or the headers in the message. Does Posterous fallback to just checking the sender email address?
All of you proposing obscure emails and other solutions, one of the reasons posterous' founders claim for their success is that they explicitly did NOT do any of those things. In fact, they're pretty clear that if they had done any of those things, posterous would have failed.
Hey, you left your door unlocked so I painted this sign on it to let everyone know.
I was thinking about implementing a posterous-like email system for calendaring, and was wondering how they authenticated the emails. I recall them getting "hacked" around launch and there being some TC article about how they responded swiftly by adding new security measures.
Just registering the "usual" smtp sender / relay and prompting the user before posting something from a different spot could help. I don't know enough about MX records yet, but matching up the domain and sending IP could be another good measure. How else can this be improved?
E-mail provides no security. An e-mail can be forged simply by using telnet to connect to an SMTP server (usually your ISP's) and typing the appropriate message (see Wikipedia's SMTP article). The easiest fix for this is PGP, as mentioned in previous posts. This is, however, a horrible solution since it will alienate many users (think your mother). The simplest solution that will do a good enough job is to send back an e-mail to the user with a 'preview' of his post for him to OK, since receiving e-mails is more secure.
It seems like a fault that wouldn't hurt the entire system, but it may cause a dilemma similar to Facebook's design flaw, where disowned groups could be taken under control - http://mashable.com/2009/11/10/facebook-groups-hacked/. As with every such flaw, it's likely to start attracting spammers, and should be dealt with in some way (Facebook seems to have disabled reclaiming ownership of groups without admins?)
You could have told him instead of being a jerk. I know from experience that this doesn't work, say, in the workplace, where proving your point like this is vital if you want to be heard, but for regular people this is basically an attack. Worst of all, you told everyone else how to do it...
Warning him would have been nice; this IS, almost by definition, malicious, regardless of how you chose to interpret the word yourself.
Sending email apparently from a particular address, as described, is so simple I can't believe two things: 1) that Posterous was set up to let that happen, and 2) that in 2010, the email system is still so dumb that I can send mail with any sender address that, to the majority of people, would be indistinguishable from mail genuinely from the sending address.
Nice hack. You're going to spawn a whole new generation of hackers that uses Outlook to wreak havoc. ;)
It's cute, but it's not a hack.
Why on Earth would anyone use the confirmation skip? That's basically security through obscurity. Even less so if the email address you use is known by people.
Does Posterous not support SPF?
SPF tells you that the email really came from my server. That the email really came from my server tells you that it's really me, as sending through my server requires a password.
Sadly SPF is grossly underused.
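Several comments above ask how a service can decide anything about a sender whose domain publishes no SPF record, and the reply just above describes what SPF does prove when a record exists. The following added example (not Posterous's detection code, which the thread does not show) is a minimal SPF evaluator over a constructed, in-memory DNS table, with no network access. It handles only the ip4, ip6, include and all mechanisms, so it is narrower than RFC 7208 (no a, mx, ptr, exists or redirect=). The domain names and records are constructed, apart from dustincurtis.com, which the thread says has no SPF record. The point it shows is that a missing record yields the result "none", not "pass", and that a check which merely rejects "fail" lets such mail through; the strict variant only accepts an explicit "pass".

```python
import ipaddress

# Constructed DNS TXT data standing in for real lookups.
DNS_TXT = {
    "with-spf.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all"],
    "_spf.mailhost.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "dustincurtis.com": [],            # no SPF record published (per the thread)
    "broken.example": ["v=spf1 ip4:not-an-ip -all"],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_record(domain: str):
    """Return the single v=spf1 record for a domain, or None if zero or many."""
    recs = [r for r in DNS_TXT.get(domain.lower(), []) if r.startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None

def check_spf(sender_ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate the domain's SPF policy against the connecting IP.
    Results: pass, fail, softfail, neutral, none, permerror."""
    if depth > 10:                      # guard against include loops
        return "permerror"
    rec = spf_record(domain)
    if rec is None:
        return "none"                   # nothing published: no claim either way
    ip = ipaddress.ip_address(sender_ip)
    for term in rec.split()[1:]:        # skip the v=spf1 version tag
        qual = "+"
        if term[0] in QUALIFIER_RESULT:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            try:
                # version mismatch (v4 address vs v6 network) simply does not match
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"      # malformed record
        elif name == "include":
            matched = check_spf(sender_ip, arg, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            return "permerror"          # mechanism outside this subset
        if matched:
            return QUALIFIER_RESULT[qual]
    return "neutral"                    # record ended without a match

def sender_domain(envelope_from: str) -> str:
    """SPF is evaluated on the envelope MAIL FROM, not the From: header."""
    return envelope_from.rsplit("@", 1)[-1].lower()

def accept_post_lenient(sender_ip: str, envelope_from: str) -> bool:
    """Fail-open shape: anything that is not an explicit 'fail' is allowed.
    A domain with no record therefore passes. Shown for contrast only."""
    return check_spf(sender_ip, sender_domain(envelope_from)) != "fail"

def accept_post_strict(sender_ip: str, envelope_from: str) -> bool:
    """Fail-closed: only an explicit 'pass' is evidence the sending host is
    one the domain owner authorised."""
    return check_spf(sender_ip, sender_domain(envelope_from)) == "pass"

if __name__ == "__main__":
    for ip, addr in [("203.0.113.5", "me@with-spf.example"),
                     ("192.0.2.1", "me@with-spf.example"),
                     ("192.0.2.1", "hi@dustincurtis.com")]:
        print(addr, ip, check_spf(ip, sender_domain(addr)),
              "lenient:", accept_post_lenient(ip, addr),
              "strict:", accept_post_strict(ip, addr))
```

Even the strict form only establishes that the envelope sender's domain authorised the connecting host; it says nothing about the From: header a mail client displays, and it says nothing at all for a domain with no record, which is exactly the case the thread is about. A service that wants email-only posting therefore needs something else (a token, a confirmation step, or DKIM where the host supports it) for senders whose domains publish no policy.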
Poll: hack Dustin Curtis's things every day? Yay? Nay?