Backdoor, yeah, yeah, snicker, snicker.
August 9, 2011 12:37 PM

You may already be screwed. And not in the good way you were hoping for. MeFi kink favourite, FetLife has been ignoring a longstanding security and privacy compromise. (nsfw)
posted by rodgerd (57 comments total) 3 users marked this as a favorite


 
I started to read this and then came to the conclusion that, yeah, the same "compromise" exists for most blogs and other sites, including Facebook if you've got the HTTPS turned off. Web traffic can be sniffed, and encrypting web traffic is CPU expensive.

This weekend I spent a bit of time at a party talking to a friend who's chief scientist for a web security company. They're concerned about what happens when a hostile browser plug-in starts mucking with web pages in-browser. They're dealing with exploits in the wild where a compromised Windows browser shows bogus bank account values, even over SSL with all of the features turned on.

Security is a cost. That cost can show up in CPU, in convenience, or in dollars. The question is: How paranoid do you want to be? Yes, FetLife may have been misrepresenting the situation by using an SSL login and a plain-text cookie, and that's an issue, but given the number of places I've seen this linked to so far I'm gonna say "overblown".
posted by straw at 12:45 PM on August 9, 2011 [5 favorites]


so, ah, what's the news here? There was extensive coverage of the "why you shouldn't browse at the coffee shop/open wifi" which, IIRC, is exactly what this post is about (stealing your session cookies).
posted by k5.user at 12:45 PM on August 9, 2011


I like those FetLife commercials with Snoopy.
posted by box at 12:46 PM on August 9, 2011 [40 favorites]


tl;dr: FetLife is vulnerable to session cookie hijacking (via FireSheep or the like). That means if someone can eavesdrop on your network link, they can steal your session login and impersonate you and find all your kinky secrets. FetLife does not (yet) support SSL only browsing.

The underlying problem is the Web is fundamentally broken. The first ten years of security practice were always vaguely known to be insecure, and now that public wireless networks are so common it's a significant problem. We went through this with Twitter, Facebook, etc. Facebook's still vulnerable in places, actually. The best solution seems to be to use SSL always, but that's an awfully blunt tool. I'd prefer to see work towards network level encryption, something like IPSEC or WPA2 that actually worked in practice. But that's not happening.
posted by Nelson at 12:47 PM on August 9, 2011 [2 favorites]


mefi's own congressperson, the young rope-rider...
posted by k5.user at 12:48 PM on August 9, 2011


The session does not expire when you log out, allowing reuse of the cookie. It requires access to the computer user account, the computer admin account, or listening to the traffic, which someone connected to your network (wireless even) could do. This is possible because they send the cookie by http.

Someone on fetlife's network could also listen to everyone's cookies, and someone who could listen to random internet traffic (I can't) could also listen to it, but that would be much harder.

Getting someone's cookie means you can impersonate them even after they log out.
posted by CautionToTheWind at 12:51 PM on August 9, 2011


So my professional opinion is that this is a small backdoor, even though it is shared with many websites.

hehe
posted by CautionToTheWind at 12:54 PM on August 9, 2011 [1 favorite]


I like Maymay's blogs but I can't be bothered to care about this.
posted by Kitty Stardust at 1:04 PM on August 9, 2011


*cleans drawer of whips, chains, and novocaine.
posted by clavdivs at 1:13 PM on August 9, 2011


I can't read the link right now. Can someone tell me if I need to worry if I only browse the site from my own secure wireless network at home?
posted by desjardins at 1:13 PM on August 9, 2011


Now why would you be ruining a perfectly good session by using novocaine? The whole point is to feel the pain.

(or is there some really interesting dental kink out there that I don't know about?)
posted by newpotato at 1:21 PM on August 9, 2011 [2 favorites]


My attention was captured by the heartwarming picture on the sidebar, complete with a little blog post. There really is something soft, sweet and romantic about that picture.
posted by Malice at 1:21 PM on August 9, 2011 [3 favorites]


desjardins, you're fine.
posted by straw at 1:22 PM on August 9, 2011


> You may already be screwed.

If you only read the first five words, this post could be about almost anything.
posted by The Card Cheat at 1:22 PM on August 9, 2011 [2 favorites]


Backdoor, yeah, yeah, snicker, snicker.

...

posted by rodgerd

snicker, snicker, chortle
posted by Hoopo at 1:28 PM on August 9, 2011 [1 favorite]


I like those FetLife commercials with Snoopy.

That's PetLife, I think.
posted by Blazecock Pileon at 1:29 PM on August 9, 2011 [3 favorites]


There is a MeFi kink favorite? I've been reading the wrong bits of MeFi.
posted by Bovine Love at 1:33 PM on August 9, 2011 [2 favorites]


So, what you're saying is that I can turn on Firesheep, go to my local coffeehouse, and snoop in on people who are surfing a kink dating site at a coffeehouse?

Because that sounds like a lot of time waiting around for the opportunity to mess around with someone's (ahem) digital junk.
posted by mkultra at 1:40 PM on August 9, 2011


The "irrevocable" bit is new. The cookie doesn't change if you change your password?
posted by mkb at 1:41 PM on August 9, 2011


Durr, now it does: "Thanks to the changes FetLife made last month, changing your password will allow you to regain control of your account"
posted by mkb at 1:41 PM on August 9, 2011


The one time I visited FetLife I stumbled on my (outwardly) white bread landlord's profile. It included photos of him suspended upside down by his arms and legs, with some dude's fist up his butt. Hopefully the first wasn't load bearing, but who knows.

I got my security deposit back, but if I hadn't, OH MAN.
posted by pjaust at 1:42 PM on August 9, 2011 [8 favorites]


> You may already be screwed.

If you only read the first five words, this post could be about almost anything.


The Card Cheat, as I came to this page after checking my stocks... My thoughts were pretty much, "Oh, is it about London, S&P, or Asian markets?".

This is almost a relief.
posted by IAmBroom at 1:42 PM on August 9, 2011


There is a MeFi kink favorite? I've been reading the wrong bits of MeFi.
posted by Bovine Love

Best username/comment post so far.
posted by mrbill at 1:43 PM on August 9, 2011 [9 favorites]


*Yawn*.

That was a lot of back patting and a large quantity of alarmist prose just to say that it's vulnerable to session hijacking. Yeah, so what? Virtually every site is vulnerable to that. Singling out FetLife is almost petty.

HEY EVERYONE, OKCUPID IS ALSO VULNERABLE TO SESSION HIJACKING.
posted by pmv at 1:46 PM on August 9, 2011 [3 favorites]


pjaust: I got my security deposit back, but if I hadn't, OH MAN.

OH MAN what, pjaust? You might have been tempted to engage in an awkward and potentially financially irresponsible gay fisting adventure with your landlord? He might have broken into your apartment to gay-fist you while you sleep?

He's a landlord. You're a tenant. You give him monthly checks; he lets you live in an apartment. It's really not as complicated and personal as you seem to think.

(Disclaimer: I used to rent out rooms to friends, AND I have had sex with other people.)
posted by IAmBroom at 1:53 PM on August 9, 2011 [10 favorites]


Hopefully the first wasn't load bearing

I initially read that as fist, and several minutes were wasted as I stared off into unsanitary space.
posted by CynicalKnight at 1:55 PM on August 9, 2011 [6 favorites]


I think pjaust is simply implying that if the landlord had wrongly withheld his security deposit, he would have had ample blackmail material with which to encourage the landlord to change his mind.

I, too, hope the fist was not load-bearing.
posted by Faint of Butt at 2:12 PM on August 9, 2011 [2 favorites]


pjaust - were you insinuating that you'd blackmail the guy? that is horrifying.
posted by desjardins at 2:13 PM on August 9, 2011 [10 favorites]


MetaFilter: You may already be screwed.
posted by bowmaniac at 2:38 PM on August 9, 2011


I'd prefer to see work towards network level encryption, something like IPSEC or WPA2 that actually worked in practice. But that's not happening.

The problem with network level encryption is that you need to encrypt every hop. That's why you do it at the socket level -- the packets on the network are just gibberish, no matter what router they're going to.

Encrypting at the network level means either true point to point connections, or putting your unencrypted data on the remote router (so it can negotiate and encrypt the next hop.)

Thank you, no. The only correct answer is to treat the network as completely and utterly compromised.
posted by eriko at 2:53 PM on August 9, 2011 [2 favorites]


I'm not sure precisely what pjaust meant, but I'm going to guess that he was at least partially joking. I might be wrong, natch.
posted by box at 3:08 PM on August 9, 2011


That was a lot of back patting and a large quantity of alarmist prose just to say that it's vulnerable to session hijacking. Yeah, so what? Virtually every site is vulnerable to that.

but it's trivial to include an expiry time and HMAC in your cookies, and re-issue them as expiry nears, so that someone would need to remain continuously active to keep a hijacked session alive. not a panacea, of course, but a no-brainer layer of your defense in depth engineering. if they're using Rails, and Rails doesn't do that out of the box, then WHAT. THE. FUCK. D.H.H.?
posted by russm at 3:28 PM on August 9, 2011
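An added example, not FetLife's code and not anything Rails ships, showing the layer russm describes: a session cookie that carries an expiry and an HMAC and is re-issued as the expiry nears, so a hijacked cookie stops working unless the thief keeps using it. It also covers the two points raised earlier in the thread: CautionToTheWind's observation that the cookie should stop working after logout (handled here with a server-side revocation list) and mkb's note that changing the password should regain control (handled by binding the cookie to a password version). The secret key, the TTL values and the in-memory revocation store are all assumptions made for the example.

```ruby
require 'openssl'

# Added example (not FetLife's or Rails' own code): a signed session cookie
# with expiry + HMAC, re-issued near expiry, revoked on logout, and tied to
# a password version so a password change invalidates old cookies.
class SessionCookie
  TTL          = 30 * 60   # seconds a cookie stays valid (assumed value)
  RENEW_WINDOW = 5 * 60    # re-issue when less than this remains (assumed)

  def initialize(secret)
    @secret  = secret   # server-side HMAC key; never leaves the server
    @revoked = {}       # mac => expiry, for cookies logged out before expiry
  end

  # Cookie format: "user_id|pw_version|expires_at|hmac_hex"
  def issue(user_id, pw_version, now = Time.now.to_i)
    payload = [user_id, pw_version, now + TTL].join('|')
    "#{payload}|#{sign(payload)}"
  end

  # Returns [user_id, fresh_cookie_or_nil] when valid, nil otherwise.
  # current_pw_version comes from the user record on the server.
  def verify(cookie, current_pw_version, now = Time.now.to_i)
    parts = cookie.to_s.split('|')
    return nil unless parts.length == 4
    user_id, pw_version, expires_at, mac = parts
    payload = [user_id, pw_version, expires_at].join('|')
    return nil unless secure_equal?(sign(payload), mac)   # forged or tampered
    return nil if expires_at.to_i <= now                  # expired
    return nil if pw_version.to_i != current_pw_version   # password changed
    return nil if @revoked.key?(mac)                      # logged out
    # Re-issue as expiry nears so an idle stolen cookie dies on its own
    fresh = expires_at.to_i - now < RENEW_WINDOW ? issue(user_id, current_pw_version, now) : nil
    [user_id, fresh]
  end

  # Logout: remember the MAC until the cookie would have expired anyway.
  def revoke(cookie)
    parts = cookie.to_s.split('|')
    return false unless parts.length == 4
    @revoked[parts[3]] = parts[2].to_i
    true
  end

  # Housekeeping: drop revocation entries for cookies that have expired.
  def purge_revoked(now = Time.now.to_i)
    @revoked.delete_if { |_mac, exp| exp <= now }
  end

  private

  def sign(payload)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, payload)
  end

  # Constant-time comparison so the MAC can't be guessed byte by byte
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  store  = SessionCookie.new('constructed-demo-secret')   # assumed key
  cookie = store.issue(42, 1)
  puts "issued:       #{cookie}"
  puts "verify:       #{store.verify(cookie, 1).inspect}"
  store.revoke(cookie)
  puts "after logout: #{store.verify(cookie, 1).inspect}"
end
```

The HMAC alone only stops forgery; it is the expiry plus re-issue that limits how long a sniffed cookie stays useful, and the revocation list plus password version are what make logout and password change actually end a stolen session. None of this helps if the cookie itself still travels over plain HTTP, which is the thread's original complaint; it narrows the window rather than closing it.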


Malice: My attention was captured by the heartwarming picture on the sidebar, complete with a little blog post. There really is something soft, sweet and romantic about that picture.

Congratulations. For the first time, I regret installing Mondo Image.
posted by troll at 3:37 PM on August 9, 2011


Here's the WWI hacking ace spanking the Red Baron's account pink.
posted by Smedleyman at 3:58 PM on August 9, 2011 [1 favorite]


So, what you're saying is that I can turn on Firesheep, go to my local coffeehouse, and snoop in on people who are surfing a kink dating site at a coffeehouse?

I wish it WAS a kink dating site. How hard would it be to have a "looking" flag and a location setting that isn't arbitrary towns that you may or may not know where they are, and to be able to browse people who explicitly set that flag, are in a certain range and ALSO like fetish a,b, and c, huh? Stupid fetlife. So much data and no way to use it to find someone to hurt me.
posted by John Kenneth Fisher at 4:07 PM on August 9, 2011 [3 favorites]


John Kenneth Fisher - if it WAS a dating site, I wouldn't use it, because I'd just be getting barrages of messages. I stopped visiting bondage.com for that reason. (Also because it started to suck.) It's awesome that it's not a meat market, especially if you're a woman or you're looking for a woman.

At its best, it can be like a kinky version of mefi; join some groups that pertain to your interests and post there as you would here. Your profile indicates that you are near a heavily populated area - surely there are TONS of local groups. There are at least 20 for southeastern Wisconsin, of all places.
posted by desjardins at 4:17 PM on August 9, 2011 [1 favorite]


Well, like I said, explicit opt-in to that part of it only, and only 'off to the side' so to speak. I don't mean it should be the main focus - it absolutely should not. But it seems funny to me that it offers me places to discuss politics with kinky people, argue about Doctor Who with kinky people, or talk about the last Buzzcocks album with kinky people, but makes it surprisingly hard to say "oh, by the way, I'm willing to be kinky with kinky people too."

I don't mean it should be a dating site, just that it seems to be weirdly hostile to something that some members might be interested in as well, and which can be easily segregated away from the users who are not.
posted by John Kenneth Fisher at 4:24 PM on August 9, 2011


(I should note I've heard this from multiple males and females at the places I DO meet others at as well - it's not just me)
posted by John Kenneth Fisher at 4:25 PM on August 9, 2011


Yeah, I've heard that complaint a lot too. Mostly because FetLife is probably the best fetish-related site out there, and there are not really any good fetish dating sites. So to a lot of people it would be the logical place to do that.
posted by wildcrdj at 4:29 PM on August 9, 2011 [1 favorite]


Yeah, I mean, if I could definitively opt out of receiving any dating-related messages, I'm fine with that. I think it's a really small group of people who run it - I think it was coded mostly by one guy - so maybe he either doesn't have the technical skills or the time. Maybe he'll make an API available so someone can build a search engine? Not that I have the technical skills for that :/
posted by desjardins at 4:31 PM on August 9, 2011


(or is there some really interesting dental kink out there that I don't know about?)

Maybe this? (youtube link)
posted by the essence of class and fanciness at 4:32 PM on August 9, 2011


If it WAS a dating site, I wouldn't use it, because I'd just be getting barrages of messages.

Um, I get a very steady stream of propositions from guys (most local, some not) in my FetLife inbox. Am I doing something wrong?
posted by ootandaboot at 4:35 PM on August 9, 2011


Well, I got some for awhile, but it's died down. First, most of the local guys either know me or messaged me already and got ignored/rejected. Second, my pictures are not that exciting, and most of them were of a victim male partner (I set everything to private recently). Third, it's clear that I'm married, my husband's on the site, linked to me, and there's no indication in my profile that I'm looking.

Awhile back, I put up a picture of me in boots, though, and got a shitload of new mail. It's really all about the pictures - you can put NOT LOOKING in 40 pt bold and a lot of guys will still try.
posted by desjardins at 4:42 PM on August 9, 2011


Um, I get a very steady stream of propositions from guys (most local, some not) in my FetLife inbox. Am I doing something wrong?

I don't. Am I doing something wrong? Probably my lack of pics or bisexuality.

I would love if there was some sort of opt-in "looking" function. I mean, there's collarme.com, but that's the worst.
posted by the essence of class and fanciness at 4:42 PM on August 9, 2011


It's really all about the pictures

Well then, between me (I've got a good number of photos on my profile) and the essence of class and fanciness, I'd say we have solid evidence for desjardins' theory.
posted by ootandaboot at 4:57 PM on August 9, 2011


Congratulations. For the first time, I regret installing Mondo Image.

I'm sorry you feel that way.
posted by Malice at 5:26 PM on August 9, 2011 [1 favorite]


"Load Bearing Fist" is the name of my Judas Priest cover band.
posted by Mr. Bad Example at 5:43 PM on August 9, 2011 [5 favorites]


I am surprised that a site like that wouldn't be under 100% ssl.
posted by humanfont at 5:49 PM on August 9, 2011


As a geek, I used to be very conscious of accessing sites requiring my identity while on a public network. Now with the getting older and lazier and the Facebooks etcetera and now I'm at the auto shop getting service using wifi going anenenhhh... agh... oh well. So I can totally see how this can happen, and hopefully this will be enough of a kick in the ass to make me stick to not sending personal data over public spots. Thanks for the link!
posted by cavalier at 6:13 PM on August 9, 2011


And they pluck your Fet! That's not appropriate!
posted by flabdablet at 9:26 PM on August 9, 2011


I kept trying to log into FezLife, but they make it such a tassel.
posted by Blazecock Pileon at 9:28 PM on August 9, 2011 [12 favorites]


I both get a TON of unwanted traffic/propositions (despite a bunch of "please don't just proposition me for no reason" language on my profile) AND manage to use Fet to meet people, and later date/play with the people I want to....which is the connection I want, not just some generic "A/S/L/Kink" casual sex.
posted by nile_red at 9:34 PM on August 9, 2011


HEY EVERYONE, OKCUPID IS ALSO VULNERABLE TO SESSION HIJACKING.

Crap security in one place does not justify crap security in another - but if you really think the stakes of privacy leakage for the average OkCupid customer and the average FetLife user are the same, I think you've demonstrated that however much you feel you may know about web technologies, you don't know much about, well, people.
posted by rodgerd at 1:30 AM on August 10, 2011


And yeah that picture of the old dude is pretty awesome. Haters should get not nice spankings.
posted by By The Grace of God at 6:26 AM on August 10, 2011


And now FetLife is turning on SSL site wide (link requires an account).

"I'm not sure exactly when we'll start rolling out SSL to everybody yet, but it should be relatively soon."
posted by wildcrdj at 12:24 PM on August 12, 2011 [1 favorite]


Hmmmm...I don't get very many messages from unknowns on fetlife, and I have some revealing pics up...now I need to wonder.
I would love for there to be an opt in "looking" feature. I've always used alt.com for that, and it just doesn't cut it, really. I've found, believe it or not, that Craigslist actually works out pretty well on occasion.
posted by newpotato at 10:37 AM on August 13, 2011

