
There’s quite a big vulnerability with FriendFeed right now. Using the FriendFeed By Email function, apparently anyone can post a message as anyone else on FriendFeed. For example, someone posted this pretending to be FriendFeed co-founder Bret Taylor.
Obviously, this is a huge security problem. When it was spotted just about an hour ago, FriendFeed jumped on it quickly, and has shut down email posting while they look into the issue. (Good to know they can still hop on these problems with FriendFeed even though they are now technically Facebook employees.) Still, you have to wonder whether this bug has existed for months, or for however long this feature has existed.
We’ve reached out to FriendFeed to see if there have been any serious compromises because of this bug.
Shame they fixed it so quickly; that could have been great fun.
One feature at a time… it will all come off, till one day friendfeed.com redirects to (oh my God) facebook.com !
Exactly. This is a huge security problem. For a huge social network, this security threat would kill the whole functionality of the app. The feeds can never be trusted. But it is a wise decision by FriendFeed, shutting down the feature immediately. It would help to avoid fake feeds through email. Hope the security threat will be killed and the feature will be back soon.
A big vulnerability in FriendFeed! But anyone can post an email to another through it. This isn’t a vulnerability in FriendFeed as much as it is a fundamental weakness, and emails with bugs are quite natural. We can send an email to anyone and make it look like it’s from anyone. This turns into an illegal issue. Let us wait and see how long FriendFeed takes to limit its bugs.
I still don’t get why anyone uses FriendFeed, or how the company has money to pay employees. Seriously. Someone explain to me, please, and I’ll impersonate myself thanking you on Friendster.
I wonder if someone spotted something in Tornado’s source.
Well, at least FriendFeed jumped right on the problem, unlike Twitter, whose support needs 2-3 days until all accounts get hacked first.
I even know the password of Britney Spears’ account (I knew it actually, she/PR changed it).
How does it work?
telnet friendfeed.com 25
250 OK
HELO impersonator.com
250 OK
MAIL FROM:
250 OK
RCPT TO:
250 OK
DATA
354 OK
omfg! there is a bug!
.
250 OK
telnet friendfeed.com 25
250 OK
HELO impersonator.com
250 OK
MAIL FROM: [spoofeduser@somedomain.com]
250 OK
RCPT TO: [wherever@friendfeed.com]
250 OK
DATA
354 OK
omfg! there is a bug!
.
250 OK
This isn’t a vulnerability in FriendFeed as much as it is a fundamental weakness of the SMTP protocol.
I can send an email to anyone and make it look like it’s from anyone. Isn’t that a bigger deal than this limited consequence of it?
This issue is very similar to spam. Spammers knew this trick DECADES ago. But! There is a dumb solution for dumb spam:
VALIDATE THE SENDER. How? A reverse DNS lookup to see if the sender actually comes from one of the IPs mentioned in the MX record of the “From” domain.
If not validated, the site [friendfeed in this example] may send an email message to the sender asking them to click on a link to confirm the authenticity of the message.
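A defender-side version of the sender check this comment describes, added here as an example and not part of the original thread: it compares the connecting IP against the sender IPs the MAIL FROM domain publishes in DNS (the SPF TXT record, which is the standardized form of the MX-based check above, with its ip4/a/mx mechanisms and pass/fail/softfail qualifiers), and falls back to the confirmation-link step when the result is inconclusive. The DNS table, domains and IP addresses are constructed for the example and the lookups are served from that table so it runs offline.

```python
import ipaddress

# Constructed DNS data standing in for real lookups, so the example runs offline.
# TXT holds the domain's published sender policy; MX and A hold the records it names.
FAKE_DNS = {
    "somedomain.com": {"TXT": ["v=spf1 ip4:203.0.113.0/24 mx -all"],
                       "MX": ["mail.somedomain.com"]},
    "mail.somedomain.com": {"A": ["198.51.100.25"]},
    "softfail.example": {"TXT": ["v=spf1 a ~all"], "A": ["192.0.2.10"]},
}

def lookup(name, rtype):
    return FAKE_DNS.get(name, {}).get(rtype, [])

def _matches(mech, domain, ip):
    """True if one SPF mechanism covers the connecting IP."""
    if mech.startswith("ip4:"):
        return ip in ipaddress.ip_network(mech[4:], strict=False)
    if mech == "a":
        return str(ip) in lookup(domain, "A")
    if mech == "mx":
        return any(str(ip) in lookup(host, "A") for host in lookup(domain, "MX"))
    return False

def check_sender(mail_from, client_ip):
    """Evaluate the MAIL FROM domain's policy against the connecting IP."""
    domain = mail_from.rsplit("@", 1)[-1].strip("<>[] ").lower()
    ip = ipaddress.ip_address(client_ip)
    policies = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    if not policies:
        return "none"                      # domain publishes no policy
    for term in policies[0].split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech == "all" or _matches(mech, domain, ip):
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
    return "neutral"

def decide(mail_from, client_ip):
    """What a post-by-email service can do with the result."""
    result = check_sender(mail_from, client_ip)
    if result == "pass":
        return "accept"
    if result == "fail":
        return "reject"
    return "confirm"   # unverifiable: mail the sender a confirmation link instead of posting
```

Note that a policy ending in "~all" or a domain with no policy never yields a hard verdict, which is exactly the case where the confirmation link is the only remaining check.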
+100 @FacebookUser.
I have said for years (and long given up since no one seems to care), that it is ridiculous that one of the most fundamental functions on the internet, email / SMTP, has no form of sender authentication built into it.
It’s always been mind boggling:
Here is everyone complaining about SPAM, Congress even passes laws against it, Facebook et al. build semi-primitive alternative messaging into their social media services to work around the broken email issue, and Web standards gurus opine on the next generation of the semantic Web, Web 3.0, HTML5, etc. etc.
But they cannot do one simple thing and FIX the freaking broken/non-existent authentication protocol for email. Everybody can impersonate everybody else in email, or very nearly so. It is a miracle that it’s not often used in more sophisticated ways than is being done by the dumb spammers.
Sad when you have to use an email filter that says, junk messages sent from my own address…
Addendum: That said, services like Posterous which are big on email submission/posting of content have figured out a way to do some heuristic checks on whether a given email was likely to have been sent by the proper user.
Sounds like the FriendFeed team was uncharacteristically sloppy when they turned on their email posting, which is even weirder since these are some of the guys that built Gmail and so presumably know about SMTP vulnerabilities.
Why not just make it compulsory that all SMTP servers use a legit SSL cert?
That is quite incredible. I can imagine they want to fix that issue before they let anyone with knowledge of the issue post again.
Is this Facebook’s influence on FF? Just a thought.
This is why Flickr has always had custom email addresses for each user and not a general (or even guessable) email address for posting photos.
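The per-user address scheme this comment credits to Flickr, as an added illustration that is neither Flickr's nor FriendFeed's code: each user is issued an unguessable posting address that acts as the credential, so the forgeable From: line never decides who posted, and re-issuing the address revokes the old one. POSTING_DOMAIN and the user ids are assumed values for the example.

```python
import secrets

POSTING_DOMAIN = "post.example"   # assumed domain for this example

class PostingAddresses:
    """Per-user secret posting addresses: knowing the address is the credential."""

    def __init__(self):
        self._by_token = {}   # secret local part -> user_id
        self._by_user = {}    # user_id -> current secret local part

    def issue(self, user_id):
        """Create the user's address, or rotate it; the previous one stops working."""
        old = self._by_user.pop(user_id, None)
        if old is not None:
            del self._by_token[old]
        token = secrets.token_urlsafe(18)   # 144 random bits: not guessable
        self._by_token[token] = user_id
        self._by_user[user_id] = token
        return f"{token}@{POSTING_DOMAIN}"

    def resolve(self, rcpt_to):
        """Map an inbound RCPT TO address to a user, or None if it is not a live address."""
        local, _, domain = rcpt_to.strip("<>[] ").rpartition("@")
        if domain.lower() != POSTING_DOMAIN:
            return None
        return self._by_token.get(local)

def handle_post(book, mail_from, rcpt_to, body):
    """Accept a post on the strength of the secret address alone; mail_from is
    recorded for the audit trail but plays no part in the decision."""
    user = book.resolve(rcpt_to)
    if user is None:
        return None   # unknown or revoked address: drop silently, nothing to post
    return {"user": user, "body": body, "claimed_from": mail_from}
```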
haha F – FF
So I click “Read More”. And there is one more line to read, so you show more ads?
Hope it gets fixed quickly.