Title: wasn't there an exploit through avatars? fixed?
Post by: pooya87 on March 18, 2017, 05:44:40 AM

I remember back in my registration date 2014 avatars were disabled and remember reading someone exploited something using avatars by injecting a code through them or something like that (memory is hazy!).
The reason I ask this is because I just noticed someone (an account from 2011) has his avatar hosted somewhere else instead of the picture being on bitcointalk! Normally the avatars are here: https://bitcointalk.org/useravatars/avatar_{some number}.png but someone has it like this: https://i.imgur.com/HDenDCb.jpg

Title: Re: wasn't there an exploit through avatars? fixed?
Post by: Quickseller on March 18, 2017, 06:03:15 AM

Who has their avatar hosted on a non-bitcointalk website? What domain is it hosted on?

Title: Re: wasn't there an exploit through avatars? fixed?
Post by: pooya87 on March 18, 2017, 06:14:35 AM

> Who has their avatar hosted on a non-bitcointalk website? What domain is it hosted on?

As it is seen in the screenshot it is on blogspot and 38659 (https://bitcointalk.org/index.php?action=profile;u=38659) is the user id. As I said it is a very old account from 2011 (so probably set it back then) and has been activated recently after 2 years.

Title: Re: wasn't there an exploit through avatars? fixed?
Post by: Quickseller on March 18, 2017, 06:36:19 AM

Hmmm, it looks like I had to access http://2.bp.blogspot.com/-d0Ippz-2CN0/TWcO_2wZOiI/AAAAAAAAFZA/ZkU-bL3fUAk/s1600/eagle-4.jpg in order to view his profile. I think this could possibly leak information about anyone who views his profile or a page that he posted in.
I will message theymos about this.

Title: Re: wasn't there an exploit through avatars? fixed?
Post by: digaran on March 18, 2017, 06:51:57 AM

From 2011 until now isn't 2 years dude, I also wanted to have an avatar with the live bitcoin price updated every 10 minutes :) but I'm too lazy to keep looking into it to see if I can or not.

Title: Re: wasn't there an exploit through avatars? fixed?
Post by: pooya87 on March 18, 2017, 07:25:59 AM

> From 2011 until now isn't 2 years dude

instead of ~ has been activated recently after 2 years. and then investigate https://bitcointalk.org/index.php?topic=1231822.msg12871753#msg12871753 then say if it is right or wrong.

> I also wanted to have an avatar with the live bitcoin price updated every 10 minutes :) but I'm too lazy to keep looking into it to see if I can or not.

Not a good idea in my opinion :) and not possible so you can not.

Title: Re: wasn't there an exploit through avatars? fixed?
Post by: minifrij on March 18, 2017, 04:50:52 PM

This forum previously allowed users to attach avatars through external sources, such as the one that the affected user has.
I'm not sure when, but I expect that this feature was disabled around the time of this post (https://bitcointalk.org/index.php?topic=110006.msg1196985#msg1196985). Therefore, if the user attached his avatar early enough I expect he is allowed to keep it (similar to animated avatars and users below the required activity limits). I don't think there is any sort of exploit to worry about unless he set his avatar late on, it is likely just an early member using a feature that isn't around anymore.

Title: Re: wasn't there an exploit through avatars? fixed?
Post by: Quickseller on March 18, 2017, 08:04:46 PM

> > Who has their avatar hosted on a non-bitcointalk website? What domain is it hosted on?
>
> As it is seen in the screenshot it is on blogspot and 38659 (https://bitcointalk.org/index.php?action=profile;u=38659) is the user id. As I said it is a very old account from 2011 (so probably set it back then) and has been activated recently after 2 years.

Title: Re: wasn't there an exploit through avatars? fixed?
Post by: zyzzbrah on March 22, 2017, 12:58:27 AM

I'm trying to set an avatar but I'm not able to find it anywhere in the options. Do you need to be full member or something?

Title: Re: wasn't there an exploit through avatars? fixed?
Post by: BitHodler on March 22, 2017, 10:14:59 AM

> I'm trying to set an avatar but I'm not able to find it anywhere in the options. Do you need to be full member or something?

Yes.

Title: Re: wasn't there an exploit through avatars? fixed?
Post by: pooya87 on April 03, 2017, 05:36:47 AM

I found another one ::) (u=3499)
and another one (u=32045)
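
An added example, not part of the thread and not the forum's own code: one way an administrator could audit stored avatar URLs and list the accounts whose avatar makes every viewer's browser contact a third-party host, which is the leak raised above. The function names and the user ids in the sample are hypothetical; the local avatar pattern and the two third-party URLs are the ones quoted in the thread.

```python
import re
from urllib.parse import urlsplit

FORUM_HOST = "bitcointalk.org"  # host named in the thread
# Local avatar path as described in the first post: /useravatars/avatar_{number}.png
LOCAL_PATH = re.compile(r"/useravatars/avatar_\d+\.png")

def classify_avatar(url):
    """Return (kind, host); kind is 'local', 'nonstandard', 'external' or 'invalid'."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # e.g. a malformed IPv6 literal
        return ("invalid", "")
    if parts.scheme not in ("http", "https") or not host:
        return ("invalid", host)
    # Compare the parsed host exactly: "bitcointalk.org.img.example" and
    # "bitcointalk.org@img.example" both point at a different server.
    if host != FORUM_HOST:
        return ("external", host)
    if LOCAL_PATH.fullmatch(parts.path):
        return ("local", host)
    return ("nonstandard", host)  # on the forum host, but not the avatar store

def external_avatars(avatars):
    """Map user id -> third-party host that receives a request from each viewer."""
    found = {}
    for uid, url in avatars.items():
        kind, host = classify_avatar(url)
        if kind == "external":
            found[uid] = host
    return found

# Constructed sample: user ids and the avatar number are made up.
SAMPLE = {
    1001: "https://bitcointalk.org/useravatars/avatar_12345.png",
    1002: "https://i.imgur.com/HDenDCb.jpg",
    1003: "http://2.bp.blogspot.com/-d0Ippz-2CN0/TWcO_2wZOiI/AAAAAAAAFZA/ZkU-bL3fUAk/s1600/eagle-4.jpg",
}

if __name__ == "__main__":
    for uid, host in sorted(external_avatars(SAMPLE).items()):
        print(f"u={uid}: avatar fetched from {host}")
```

Each flagged host sees the viewer's IP address and request headers whenever a page containing that avatar is rendered; re-hosting the image under the forum's own avatar path removes that third-party request.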