
=== 2007-08-21 -- security flaw ===

Nathan Wilcox has discovered that the new web API in allmydata-tahoe
version 0.5 is vulnerable to XSRF attack. An XSRF -- or "Cross-Site
Request Forgery" attack -- is one in which an attacker creates an
innocuous-looking hyperlink (or embeds a hidden request in a web page);
if a user whose browser can reach their tahoe node's web API clicks on
that hyperlink or loads that page, the browser issues the forged request
to the node, which causes deletion or theft of the user's data. We are
working on a fix for this problem. In the meantime, if you have stored
any private or precious data on a tahoe grid, then you can make sure that
you are not exposed to this threat by shutting down your tahoe node
before browsing the web.
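The following is an added illustration of the XSRF attack class described above, not code from the Tahoe project and not the project's actual fix. It models a toy web API for a node on the loopback address with a vulnerable version (a deletion reachable by plain GET, so a link or hidden image on any page the user visits can trigger it) beside a hardened version that only deletes via POST carrying an unguessable per-node token. The URL layout, the "t=delete" parameter, the port and the token scheme are all assumptions made for this example:

```python
# Added illustration of the XSRF class of attack against a local web API.
# This is NOT Tahoe code and NOT the project's fix: the URL layout, the
# "t=delete" query parameter and the token scheme are assumptions made here.
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as a node's web API would see it."""
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)   # parsed form fields of a POST

    @property
    def path(self):
        return urlsplit(self.url).path

    @property
    def query(self):
        return {k: v[0] for k, v in parse_qs(urlsplit(self.url).query).items()}


class VulnerableApi:
    """A state-changing operation reachable by plain GET: any page the user
    visits can trigger it with a hyperlink or a hidden <img src=...>, because
    the browser issues the request to the local node on the attacker's behalf."""

    def __init__(self, files):
        self.files = dict(files)

    def handle(self, req):
        if req.query.get("t") == "delete":
            self.files.pop(req.path, None)
            return 200, "deleted"
        return 200, self.files.get(req.path, "not found")


class HardenedApi:
    """Same operation, but only via POST carrying a secret token that the
    node's own pages embed and that a cross-site page cannot read (same-origin
    policy). The Origin check is defence in depth; the token is the real gate."""

    def __init__(self, files, origin):
        self.files = dict(files)
        self.origin = origin
        self.token = secrets.token_urlsafe(32)   # per-node, unguessable

    def render_delete_form(self, path):
        """The node's own UI would put this token in a hidden form field."""
        return {"path": path, "t": "delete", "token": self.token}

    def handle(self, req):
        op = req.body.get("t") or req.query.get("t")
        if op == "delete":
            if req.method != "POST":
                return 405, "state-changing operations require POST"
            origin = req.headers.get("Origin")
            if origin is not None and origin != self.origin:
                return 403, "cross-origin request refused"
            if not secrets.compare_digest(req.body.get("token", ""), self.token):
                return 403, "missing or wrong XSRF token"
            self.files.pop(req.path, None)
            return 200, "deleted"
        return 200, self.files.get(req.path, "not found")


# Constructed sample data: one file on a node listening on the loopback address.
NODE = "http://127.0.0.1:8123"
TARGET = NODE + "/uri/URI:DIR2:example/secret.txt"
FILES = {urlsplit(TARGET).path: "precious data"}


def forged_get():
    """What an attacker's page triggers via <a href=...> or <img src=...>."""
    return Request("GET", TARGET + "?t=delete", {"Origin": "http://evil.example"})


def forged_post():
    """An auto-submitting cross-site form: POST, but no token and a foreign Origin."""
    return Request("POST", TARGET, {"Origin": "http://evil.example"}, {"t": "delete"})


def demo():
    """Run both forged requests against each API and return what happened."""
    path = urlsplit(TARGET).path
    vuln = VulnerableApi(FILES)
    vuln.handle(forged_get())                    # the innocuous-looking link

    hard = HardenedApi(FILES, NODE)
    get_status, _ = hard.handle(forged_get())
    post_status, _ = hard.handle(forged_post())
    survived = path in hard.files

    form = hard.render_delete_form(path)         # node's own UI, same origin
    legit = Request("POST", TARGET, {"Origin": NODE}, form)
    legit_status, _ = hard.handle(legit)

    return {
        "vulnerable_file_deleted": path not in vuln.files,
        "hardened_forged_get": get_status,
        "hardened_forged_post": post_status,
        "hardened_file_survived_forgeries": survived,
        "hardened_legit_post": legit_status,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The token is what actually closes the hole: the attacker's page can make the victim's browser send a request, but cannot read the node's own pages to learn the token. The Origin header check is only a secondary measure, since browsers of the period did not send it and a GET triggered by an image tag carries none even today.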

You can read more about the attack and our fix in the mailing list archives:

http://allmydata.org/pipermail/tahoe-dev/

and in this bug tracker ticket:

http://allmydata.org/trac/tahoe/ticket/98