Version 19 (modified by zooko, at 2007-08-21T22:09:07Z) (diff)

add notice of XSRF flaw

News and Status

Latest News

2007-08-21 -- security flaw

Nathan Wilcox has discovered that the new web API in allmydata-tahoe version 0.5 is vulnerable to XSRF attack. An XSRF -- or "Cross-Site Reference Forgery" attack -- is one in which an attacker creates an innocuous-looking hyperlink, and if a user clicks on that hyperlink then it causes deletion or theft of the user's data. We are working on a fix for this problem, and in the meantime if you have stored any private or precious data on a tahoe grid, then you can make sure that you are not exposed to this threat by shutting down your tahoe node before browsing the web.

You can read more about the attack and our fix in the mailing list archves:

and in this bug tracker ticket:

2007-08-17 -- Allmydata Tahoe v0.5 released!

This version adds a RESTful API allowing you to program your Tahoe node in the language of your choice, as well as a command-line API in the Unix style, and some performance improvements.

Please see the Release Notes.

Old News

The OldNews page is an archive of these news items.

Others Source of News and Current Status

Insight into the Development Process

See the Dev page for detailed information about Tahoe development as it happens.

Attachments (1)

Download all attachments as: .zip