Bitcoin Forum

Other => Meta => Topic started by: pooya87 on March 18, 2017, 05:44:40 AM



Title: wasn't there an exploit through avatars? fixed?
Post by: pooya87 on March 18, 2017, 05:44:40 AM
i remember back in my registration date 2014 avatars were disabled and remember reading someone exploited something using avatars by injecting a code through them or something like that (memory is hazy!).

the reason i ask this is because i just noticed someone (an account from 2011) has his avatar hosted somewhere else instead of the picture being on bitcointalk!

normally the avatars are here: https://bitcointalk.org/useravatars/avatar_{some number}.png

but someone has it like this:
https://i.imgur.com/HDenDCb.jpg


Title: Re: wasn't there an exploit through avatars? fixed?
Post by: Quickseller on March 18, 2017, 06:03:15 AM
Who has their avatar hosted on a non-bitcointalk website? What domain is it hosted on?


Title: Re: wasn't there an exploit through avatars? fixed?
Post by: pooya87 on March 18, 2017, 06:14:35 AM
Quote from: Quickseller
Who has their avatar hosted on a non-bitcointalk website? What domain is it hosted on?

as it is seen in the screenshot it is on blogspot and 38659 (https://bitcointalk.org/index.php?action=profile;u=38659) is the user id.
as i said it is a very old account from 2011 (so probably set it back then) and has been activated recently after 2 years.


Title: Re: wasn't there an exploit through avatars? fixed?
Post by: Quickseller on March 18, 2017, 06:36:19 AM
Hmmm, it looks like I had to access http://2.bp.blogspot.com/-d0Ippz-2CN0/TWcO_2wZOiI/AAAAAAAAFZA/ZkU-bL3fUAk/s1600/eagle-4.jpg in order to view his profile. I think this could possibly leak information about anyone who views his profile or a page that he posted in.

I will message theymos about this.


Title: Re: wasn't there an exploit through avatars? fixed?
Post by: digaran on March 18, 2017, 06:51:57 AM
From 2011 until now isn't 2 years dude, I also wanted to have an avatar with the live bitcoin price updated every 10 minutes :) but I'm too lazy to keep looking into it to see if I can or not.


Title: Re: wasn't there an exploit through avatars? fixed?
Post by: pooya87 on March 18, 2017, 07:25:59 AM
Quote from: digaran
From 2011 until now isn't 2 years dude

instead of spamming and jumping to conclusions, it is best if you read first

Quote from: pooya87
~ has been activated recently after 2 years.

and then investigate
https://bitcointalk.org/index.php?topic=1231822.msg12871753#msg12871753
then say if it is right or wrong.

Quote from: digaran
I also wanted to have an avatar with the live bitcoin price updated every 10 minutes :) but I'm too lazy to keep looking into it to see if I can or not.

not a good idea in my opinion :)
and not possible so you can not.


Title: Re: wasn't there an exploit through avatars? fixed?
Post by: minifrij on March 18, 2017, 04:50:52 PM
This forum previously allowed users to attach avatars through external sources, such as the one that the affected user has.
I'm not sure when, but I expect that this feature was disabled around the time of this post (https://bitcointalk.org/index.php?topic=110006.msg1196985#msg1196985). Therefore, if the user attached his avatar early enough I expect he is allowed to keep it (similar to animated avatars and users below the required activity limits).

I don't think there is any sort of exploit to worry about unless he set his avatar late on, it is likely just an early member using a feature that isn't around anymore.


Title: Re: wasn't there an exploit through avatars? fixed?
Post by: Quickseller on March 18, 2017, 08:04:46 PM
Quote from: pooya87
Quote from: Quickseller
Who has their avatar hosted on a non-bitcointalk website? What domain is it hosted on?

as it is seen in the screenshot it is on blogspot and 38659 (https://bitcointalk.org/index.php?action=profile;u=38659) is the user id.
as i said it is a very old account from 2011 (so probably set it back then) and has been activated recently after 2 years.

This has been fixed.


Title: Re: wasn't there an exploit through avatars? fixed?
Post by: zyzzbrah on March 22, 2017, 12:58:27 AM
I'm trying to set an avatar but I'm not able to find it anywhere in the options. Do you need to be full member or something?


Title: Re: wasn't there an exploit through avatars? fixed?
Post by: BitHodler on March 22, 2017, 10:14:59 AM
Quote from: zyzzbrah
I'm trying to set an avatar but I'm not able to find it anywhere in the options. Do you need to be full member or something?

Yes.


Title: Re: wasn't there an exploit through avatars? fixed?
Post by: pooya87 on April 03, 2017, 05:36:47 AM
I found another one ::) (u=3499)
and another one (u=32045)
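
An added example, not part of the thread or of the forum's own code: a Python check an administrator could run over stored avatar URLs to find the remaining externally hosted ones, like the accounts reported above. The local URL pattern is the one given in the first post; the function names, user ids and sample rows are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# From the thread: locally hosted avatars look like
# https://bitcointalk.org/useravatars/avatar_{some number}.png
FORUM_HOST = "bitcointalk.org"
LOCAL_PATH = re.compile(r"/useravatars/avatar_\d+\.png")

def classify_avatar(url):
    """Return 'local', or the reason a viewer's browser would fetch it elsewhere."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return "unparseable"
    # https://bitcointalk.org@other.example/ has the forum name only as userinfo.
    if parts.username is not None or port not in (None, 443):
        return "userinfo-or-port"
    if host != FORUM_HOST:         # exact match: rejects bitcointalk.org.other.example
        return "external-host:" + host
    if parts.scheme != "https":
        return "not-https"
    if not LOCAL_PATH.fullmatch(parts.path):
        return "unexpected-path"
    return "local"

def audit(rows):
    """rows: iterable of (user_id, avatar_url); returns only the non-local ones."""
    return [(uid, url, v) for uid, url in rows
            if (v := classify_avatar(url)) != "local"]

# Constructed sample rows (hypothetical user ids); the blogspot URL is the one
# quoted in the thread, the rest are made-up edge cases.
SAMPLE = [
    (1, "https://bitcointalk.org/useravatars/avatar_1.png"),
    (2, "http://2.bp.blogspot.com/-d0Ippz-2CN0/TWcO_2wZOiI/AAAAAAAAFZA/ZkU-bL3fUAk/s1600/eagle-4.jpg"),
    (3, "https://bitcointalk.org@images.example/useravatars/avatar_3.png"),
    (4, "//bitcointalk.org.images.example/useravatars/avatar_4.png"),
    (5, "https://bitcointalk.org/useravatars/../index.php"),
]

if __name__ == "__main__":
    for uid, url, verdict in audit(SAMPLE):
        print(uid, verdict, url)
```

Any row this flags is an avatar that makes each viewer's browser contact a third-party server, which is the information leak raised earlier in the thread.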