
Firsthand about 9c951267

A lamer is a user who regularly steps on a rake, yet remains convinced that the rake does not exist.
Some encyclopedia


It has been a day since I tried to convince people on the net that they should choose very carefully whom to trust with their data (sounds pathetic, right?).

What happened, and what came of it, follows.

The site bestpersons was, of course, not chosen by chance: it is simply perfect as a visual aid on how not to build a secure site. You can read about how it all began here: The service for storing passwords and handing them out to everyone.

Because of the vague comments from the site's owners, who did not bother to describe what had happened to their site and did not even tell their users what they needed to do (change every password that matched the one used on bestpersons; delete the account ;)), even large online publications could not work out what had happened. Neither rian.ru, nor Roem.ru, nor Securitylab gave an accurate version of events.

So, in order:
1. I find what is described in the first post and try it out.
2. Since I was not really hiding, some users whose passwords I had obtained noticed that the e-mail address in their settings had changed and reported it to the site's programmers.
3. The site was taken down when I had managed to collect only about 400 passwords.
4. I wrote a post on Habr, because I believed that once the site's owners learned of the vulnerabilities, they would close them.
5. The site was turned back on.
6. I saw that nobody had fixed the vulnerabilities and wrote a comment about it.
7. The site was turned off, and I was asked to say where exactly the errors on the site were o_O
8. I said: in such-and-such fields you do not filter HTML, and besides, you have not fully filtered GET requests, and through them you can do anything. They thanked me and said they would fix it.
9. The site was turned on, and they posted reassuring news: nothing threatens the users O_o. // The fact that I had 400 passwords that still worked for their mailboxes and user accounts (checked out of curiosity) was, apparently, something the users did not need to know.
10. In the evening, before going to bed, I decided to visit the site once more to look at the vulnerabilities there. It turned out that nothing had changed for the better: the XSS had been fixed in some (not all) fields, but through GET requests you could still do anything. In particular, delete other users' posts and post to their blogs on other sites.
11. I wrote a simple script that posted to every blog whose password users had left on bestpersons. Launched it.
12. Midway through, the bestpersons server hung (some of their scripts got stuck). They restarted it, and the little script calmly carried on o_O
13. Messages whose content you know appeared all over the Internet. By now most of them have been deleted (certainly on all the blogs whose owners still remember them).
14. The owners of bestpersons added another line to the news item about the vulnerability: "Strange messages were sent on behalf of our users; that's all right."
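The two flaws named in steps 8 and 10 (HTML not filtered in some input fields, and state-changing actions reachable through a plain GET request with no further check) are shown below in a small added illustration. This is example code written for this page, not code from the original post and not bestpersons' code; the "delete post" endpoint, the in-memory post store, the request and session dictionaries and the HMAC-based token are all assumptions made for the example. The vulnerable branch shows why a single `<img src="http://site/delete?id=2">` on any other page is enough to delete a logged-in user's post; the hardened branch requires POST, a session-bound CSRF token and ownership of the post, and `escape_field` is the fix for the unfiltered fields.

```python
import hashlib
import hmac
import html
import secrets

# Hypothetical server-side secret used to bind CSRF tokens to a session.
SERVER_SECRET = secrets.token_bytes(32)


def make_store():
    """Constructed sample data: two users' posts in an in-memory 'blog'."""
    return {1: {"owner": "alice", "body": "first"},
            2: {"owner": "bob", "body": "second"}}


def escape_field(value: str) -> str:
    """Fix for 'you do not filter HTML in such-and-such fields':
    encode user-controlled text before rendering it into a page."""
    return html.escape(value, quote=True)


def csrf_token(session_id: str) -> str:
    """Token derived from the session id with an HMAC. A page on another
    origin cannot read it, so it cannot include it in a forged request."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_ok(session_id: str, token) -> bool:
    return isinstance(token, str) and hmac.compare_digest(csrf_token(session_id), token)


def _post_id(raw):
    try:
        return int(raw)
    except (TypeError, ValueError):
        return None


def delete_post(store, request, session, hardened):
    """Handle a 'delete post' action and return (http_status, store).

    request: {'method': 'GET'|'POST', 'params': query dict, 'form': body dict}
    session: {'id': session cookie value, 'user': logged-in user name}

    Vulnerable mode (hardened=False) mirrors steps 8 and 10 of the post: the
    action runs on a plain GET, keyed only on the id parameter, so any page
    the victim visits can trigger it with the victim's cookies attached.
    """
    if not hardened:
        pid = _post_id(request["params"].get("id"))
        if pid in store:
            del store[pid]
            return 200, store
        return 404, store

    if request["method"] != "POST":
        return 405, store            # state changes never happen on GET
    if not csrf_ok(session["id"], request["form"].get("csrf")):
        return 403, store            # missing or forged token
    pid = _post_id(request["form"].get("id"))
    post = store.get(pid)
    if post is None:
        return 404, store
    if post["owner"] != session["user"]:
        return 403, store            # authorization, not just authentication
    del store[pid]
    return 200, store


if __name__ == "__main__":
    alice = {"id": "sess-alice", "user": "alice"}
    # Forged request: what an <img src="/delete?id=2"> on a foreign page sends.
    forged = {"method": "GET", "params": {"id": "2"}, "form": {}}
    print("vulnerable:", delete_post(make_store(), forged, alice, hardened=False)[0])
    print("hardened:  ", delete_post(make_store(), forged, alice, hardened=True)[0])
    print(escape_field("<script>alert(1)</script>"))
```

The ownership check in the hardened branch is the part most often forgotten once a CSRF token is in place: the token proves the request came from the site's own page, not that the user is allowed to delete that particular post.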

Guys, with an attitude like this to user data, the RuNet will never look like the Western Internet :)

Here many put forward a thesis along these lines: "Everyone makes mistakes. People learn from mistakes. Now the site is even more reliable."

A mistake is when an attacker can change another user's name, steal a cookie, or perform some not-too-important action on the site on behalf of another user.

What is happening on bestpersons is not a mistake. It is a complete misunderstanding of the basics of web security on the part of the leading specialists in high-load and distributed systems (I haven't mixed anything up, have I?).

You can't do it like that :)

I hope that in future, sites that treat their users this way will be publicly ridiculed, and that writing code "like bestpersons" will be embarrassing for web projects that claim to be serious.

Thank you for your attention.

P.S. It is by no means certain that I was the first to find a way to obtain the passwords of that site's users. And since it could have been done without the user noticing (let alone the site's administration), it is worth passing on to your acquaintances who have an account on bestpersons that their passwords may no longer be theirs alone. And if nobody has used them yet, that does not mean nobody will.

Source: https://habr.com/ru/post/29768/
