=== 2007-08-21 -- security flaw ===

Nathan Wilcox has discovered that the new web API in allmydata-tahoe version 0.5 is vulnerable to XSRF attack. An XSRF -- or "Cross-Site Reference Forgery" attack -- is one in which an attacker creates an innocuous-looking hyperlink, and if a user clicks on that hyperlink then it causes deletion or theft of the user's data. We are working on a fix for this problem, and in the meantime if you have stored any private or precious data on a tahoe grid, then you can make sure that you are not exposed to this threat by shutting down your tahoe node before browsing the web.

You can read more about the attack and our fix in the mailing list archives:

http://allmydata.org/pipermail/tahoe-dev/

and in this bug tracker ticket:

http://allmydata.org/trac/tahoe/ticket/98
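The following is an added illustration of the defensive gate that closes this class of hole in a local web API, written for this note and not taken from Tahoe or from the fix in ticket 98; the operation names, the `t` and `xsrf_token` fields, the node address and the `Origin` check are all assumptions made for the example. It shows why the advisory's "innocuous-looking hyperlink" works against a GET-driven API and how a same-origin POST carrying a token the attacker's page cannot read is distinguished from it.

```python
import hmac
import secrets

# Constructed operation names; Tahoe's real web-API parameters are not used here.
MUTATING_OPS = {"delete", "rename", "overwrite"}


def check_request(method, params, headers, session_token, expected_origin):
    """Decide whether a web-API request may perform a state-changing operation.

    params  : query-string or form fields as a dict ('t' names the operation)
    headers : request headers as a dict (only 'Origin' is consulted)
    Returns (allowed, reason).
    """
    op = params.get("t", "")
    if op not in MUTATING_OPS:
        return True, "read-only request; a forged link cannot damage anything"
    # A hyperlink always produces a GET: never let a GET change state.
    if method != "POST":
        return False, "mutating operation requested via GET (hyperlink-triggerable)"
    # Modern browsers attach Origin to cross-site POSTs; reject anything foreign.
    origin = headers.get("Origin")
    if origin is not None and origin != expected_origin:
        return False, "cross-site origin %s" % origin
    # The attacker's page cannot read the per-session token, so it cannot forge it.
    supplied = params.get("xsrf_token", "")
    if not hmac.compare_digest(supplied, session_token):
        return False, "missing or incorrect anti-XSRF token"
    return True, "same-origin POST with valid token"


def demo():
    token = secrets.token_hex(16)   # constructed per-session token
    own = "http://127.0.0.1:8123"    # constructed local node address
    # 1. The advisory's innocuous-looking hyperlink: a plain GET that tries to delete.
    link = check_request("GET", {"t": "delete"}, {}, token, own)
    # 2. A cross-site auto-submitting form: POST, but no token is available to it.
    form = check_request("POST", {"t": "delete"},
                         {"Origin": "http://attacker.invalid"}, token, own)
    # 3. The node's own UI: same origin and carries the token.
    legit = check_request("POST", {"t": "delete", "xsrf_token": token},
                          {"Origin": own}, token, own)
    return link[0], form[0], legit[0]


if __name__ == "__main__":
    print(demo())  # (False, False, True)
```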