| 4 | |
| 5 | === 2007-08-21 -- security flaw === |
| 6 | |
| 7 | Nathan Wilcox has discovered that the new web API in allmydata-tahoe |
| 8 | version 0.5 is vulnerable to XSRF attack. An XSRF -- or "Cross-Site |
| 9 | Reference Forgery" attack -- is one in which an attacker creates an |
| 10 | innocuous-looking hyperlink, and if a user clicks on that hyperlink |
| 11 | then it causes deletion or theft of the user's data. We are working |
| 12 | on a fix for this problem, and in the meantime if you have stored any |
| 13 | private or precious data on a tahoe grid, then you can make sure that |
| 14 | you are not exposed to this threat by shutting down your tahoe node |
| 15 | before browsing the web. |
| 16 | |
| 17 | You can read more about the attack and our fix in the mailing list archves: |
| 18 | |
| 19 | http://allmydata.org/pipermail/tahoe-dev/ |
| 20 | |
| 21 | and in this bug tracker ticket: |
| 22 | |
| 23 | http://allmydata.org/trac/tahoe/ticket/98 |