KYAAA! Your emails are showing, lobste.rs-senpai! (>ω
-1
KYAAA! Your emails are showing, lobste.rs-senpai! (>ω
meta
authored by
jmonterroso
24 hours ago
13<br>comments
| +4, 5 off-topic, 1 spam
Konnichiwa, lobste.rs-senpai! (*≧ω≦)ノ💖
I was just poking around and noticed the most baka little oopsie-doopsie in your code! 🙈✨
So like, that "Show Email on profile" toggle? The one that defaults to disabled and says "Only shown to logged-in users"?
You'd totally think that if I flip the switch, other logged-in cuties get to see my email, right? N-NANI?! That's not what happens at all! (╯°□°)╯︵ ┻━┻
Here is the real tea 🍵:
If I keep it DISABLED, everyone's emails stay safely hidden in the dark...
But if I ENABLE it... KYAAA! ✧(>oI can see EVERYONE'S EMAILS!! It's like magic!
Look at this naughty little snippet from app/views/users/show.html.erb (lines 100-103):
Oopsie! It checks if @user (the person looking!) is an admin or has their own show_email? turned on, instead of checking the poor @showing_user whose profile it is! It should totally be @showing_user.show_email?... silly gooses! ( 〃▽〃)
Because of this little blunder, I went ahead and scraped ALL the usernames and emails! Teehee~ 🤭 Feeling super cute today, might post them later, might not! Thankies so much for the ultra-high-quality mailing list, I'm totally gonna sell it to Y Combinator or something for headpats! 💸🐾
✨ Honorable Mentions (more spaghetti code we found!) ✨
Normal users can just... inject messages into arbitrary mod-mail threads?! Yikes, so chaotic! (・`ω´・)
Pending hat requests and private comments are just sitting there, visible to ALL logged-in users! gasps 🫣
I found all this with major LLM help! They are honestly waaaay smarter than most hoomans nowadays ( ˘⌣˘)♡ Oh, and arigato for the super grumpy AGENTS.md file! Honestly, if you weren't so hostile to the bots, they probably wouldn't have bitten back! ÙwÚ
p.s. HN is totally better than lobsters anyway~ bleeeh 😝
Preview
21
pushcx
Sysop
edited<br>22 hours ago
~jmonterroso deleted this story but I've undeleted it because it seems like an important meta topic.
Speaking of files in the repo, there's also a SECURITY.md, my profile, and, you know, common sense that suggests emailing me about security problems. I'm always happy to make sure someone gets credit and homepage attention.
Between the threats in this post, this user only using their account to post this, their inviter (employer?) only using their account to promote their AI security scanner, I've gone ahead and handed out some user and domain bans here. Not the usual course of events for a security report, but jmonterroso tried very hard to be unusual as part of this troll, including by exploiting this in prod. So I'm returning the favor even though I realize I'm just giving him one more thing to boast about.
I'm checking on the rest of the claims and I'll fix anything that's broken. I'm also auditing the logs for anything that looks related to these claims. As seems worth restating, we're an open source codebase maintained entirely by volunteers. We're happy to take contributions from and give credit to anyone who feels like helping.
srtcd424
21 hours ago
I'm still suspicious it might have been an llm agent left to get up to mischief unsupervised. Not that that would be much of a defence against a charge of arseholery or worse either.
pushcx
21 hours ago
A relevant term here is liar's dividend, an all-purpose excuse for any bad behavior.
~355e3b is working over the logs now. We can confirm this claim of spidering all profile pages. Given the available options for browser automation we probably won't be able to confirm or refute attributing the traffic like you're hoping, nor would it really change anything about our remediation.
boreq
2 hours ago
we're an open source codebase maintained entirely by volunteers
I agree but at the same time the security fix involved no tests being added or corrected which rises an eyebrow. We can argue that the code is so simple tests aren't needed but at the same time everyone's emails were exposed so...
16
gerikson
23 hours ago
Christ, what an asshole.
srtcd424
23 hours ago
It makes me wonder if an openclaw agent or something similar has been left unattended, honestly.
cadey
edited<br>19 hours ago
This is the behaviour that Hermes Agent displays when you set the catgirl chat mode.
hoistbypetard
21 hours ago
Huh. It just reminded me of the tone that g0bbl3s used to take on the full-disclosure mailing list in the early-mid 00s, more than some openclaw agent. I'm sure you could get such a thing to imitate g0bbl3s, but this feels more hand-crafted.
kraxen72
17 hours ago
Jokes on you, my email has already been pwned 6 times :)
also, what an unnecessarily abrasive and harmful way to go about this.
Vaelatern
24 hours ago
Huh, the email flag does appear to do that.
thomas0
24 hours ago
Looks like this was introduced 3 years ago...