wasn't there an exploit through avatars? fixed?

[pooya87]

i remember back in my registration date 2014 avatars were disabled and remember reading someone exploited something using avatars by injecting a code through them or something like that (memory is hazy!).

the reason i ask this is because i just noticed someone (an account from 2011) has his avatar hosted somewhere else instead of the picture being on bitcointalk!

normally the avatars are here: https://bitcointalk.org/useravatars/avatar_{some number}.png

but someone has it like this:

[Quickseller]

Who has their avatar hosted on a non-bitcointalk website? What domain is it hosted on?

[pooya87]

Who has their avatar hosted on a non-bitcointalk website? What domain is it hosted on?

as it is seen in the screenshot it is on blogspot and 38659 is the user id.
as i said it is a very old account from 2011 (so probably set it back then) and has been activated recently after 2 years.

[Quickseller]

Hmmm, it looks like I had to access http://2.bp.blogspot.com/-d0Ippz-2CN0/TWcO_2wZOiI/AAAAAAAAFZA/ZkU-bL3fUAk/s1600/eagle-4.jpg in order to view his profile. I think this could possible leak information about anyone who views his profile or a page that he posted in.

I will message theymos about this.

[digaran]

From 2011 until now isn't 2 years dude, I also wanted to have an avatar with the live bitcoin price updated every 10 minutes but I'm too lazy to keep looking into it to see if I can or not.

[pooya87]

From 2011 until now isn't 2 years dude

instead of spamming jumping into conclusion, it is best if you read first

~ has been activated recently after 2 years.

and then investigate
https://bitcointalk.org/index.php?topic=1231822.msg12871753#msg12871753
then say if it is right or wrong.

I also wanted to have an avatar with the live bitcoin price updated every 10 minutes but I'm too lazy to keep looking into it to see if I can or not.

not a good idea in my opinion
and not possible so you can not.

[minifrij]

This forum previously allowed users to attach avatars through external sources, such as the one that the affected user has.
I'm not sure when, but I expect that this feature was disabled around the time of this post. Therefore, if the user attached his avatar early enough I expect he is allowed to keep it (similar to animated avatars and users below the required activity limits).

I don't think there is any sort of exploit to worry about unless he set his avatar late on, it is likely just an early member using a feature that isn't around anymore.

[Quickseller]

Who has their avatar hosted on a non-bitcointalk website? What domain is it hosted on?

as it is seen in the screenshot it is on blogspot and 38659 is the user id.
as i said it is a very old account from 2011 (so probably set it back then) and has been activated recently after 2 years.

This has been fixed.

[zyzzbrah]

Im trying to set an avatar but im not able to find it anywhere in the options. Do you need to be full member or something?

[BitHodler]

Im trying to set an avatar but im not able to find it anywhere in the options. Do you need to be full member or something?

Yes.

[pooya87]

I found another one (u=3499)
and another one (u=32045)