Damn. OK, I've posted it now as I've just realised, it's a common login for Flippa and Sitepoint.
I don't have to go through my Sitepoint PMs as well now, do I? Arggh!!
I wonder if the hack was as simple as just changing the user id in the url? I tried it this morning and it didn't work but who knows.
I've seen other systems (million+ plus) that left this hole in their security; it wouldn't surprise me if Flippa did as well (especially based on their lack of quality control in general over code).
Video now released.
Flippa makes a blog post about the breach.
Pretty close to what I thought, except the url was in the forgot password link, not the overall url.
Interesting that Flippa don't acknowledge the risk associated with the ability for hackers to log in as any user they wish. In that blog post they've listed all the "low risk" admin functions that hackers had access to, but have omitted the function that gives them the ability to log in as any Flippa user. No point worrying people with the truth. Most people won't care that hackers were able to credit their accounts, but they might care if they realised that their PMs and other private info were accessible.
I don't think most users care whether Flippa reads their PMs. We're talking about the average player being the type who gets excited about making $30 selling his template.
People who have more at stake, professionals accustomed to respect, people used to handling confidential information, business managers etc., aren't the average Flippa users. Those who occasionally sign up to sell a quality site aren't ever going to know that Flippa is ... a bit different!
I suspect all of this will be largely ignored by the majority of users and Flippa have no reason to make a bigger deal of it. Where it may get messy is if it does actually come to light that someone has had their confidential information stolen/misused as a result of this hack. Unlikely seeing as the hacker is "ethical" but what's to say it hasn't already been done and not disclosed?
In my opinion, the list has the most value - I don't really know anything about hacking or the market for this kind of stuff, but I'd imagine it would be worth a fair chunk of change to the right buyer.
That would also involve making it clear that the Flippa admins can read everyone's PMs, which is probably not something that they would like to start a discussion about.
I think they did an OK job of handling this problem, since they patched the hole quickly, put out an explanation relatively quickly, and made some smart decisions not to store passwords in plaintext or store any credit card information with the accounts.
I see that you two are over at the Flippa blog stirring up trouble.
I went there to make the points that you did, but you already beat me to it. Dave's attempt to blow off the first comment isn't surprising, and I wonder what the reaction will be if the questions continue.
> I wonder what the reaction will be if the questions continue.

They won't.
a) Regular Flippa fanboys aren't bothered
b) Flippa has a delete button!