Changes between Version 18 and Version 19 of News


Timestamp: 2007-08-21T22:09:07Z (17 years ago)
Author: zooko
Comment: add notice of XSRF flaw

  • News

    v18 v19  
    22
    33== Latest News ==
     4
     5=== 2007-08-21 -- security flaw ===
     6
     7Nathan Wilcox has discovered that the new web API in allmydata-tahoe
     8version 0.5 is vulnerable to XSRF attack.  An XSRF -- or "Cross-Site
     9Reference Forgery" attack -- is one in which an attacker creates an
     10innocuous-looking hyperlink, and if a user clicks on that hyperlink
     11then it causes deletion or theft of the user's data.  We are working
     12on a fix for this problem, and in the meantime if you have stored any
     13private or precious data on a tahoe grid, then you can make sure that
     14you are not exposed to this threat by shutting down your tahoe node
     15before browsing the web.
     16
     17You can read more about the attack and our fix in the mailing list archves:
     18
     19http://allmydata.org/pipermail/tahoe-dev/
     20
     21and in this bug tracker ticket:
     22
     23http://allmydata.org/trac/tahoe/ticket/98
    424
    525=== 2007-08-17 -- Allmydata Tahoe v0.5 released! ===
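
Review bot: "archves" on added line 17 should read "archives". The mailing list URL on added line 19 points at the tahoe-dev archive index rather than a specific thread, so a reader cannot find the discussion from this notice; link the relevant message or month directly, the way ticket 98 is linked on line 23. The expansion on added lines 8-9 gives "Cross-Site Reference Forgery"; adding the more widely used name, Cross-Site Request Forgery (CSRF), next to it would make the notice easier to search for.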