Bitcoin Forum
Topic: offsite profile image risks (Read 665 times)
HanSolo (Newbie; Activity: 59; Merit: 0)
June 22, 2011, 06:55:04 PM
Last edit: June 22, 2011, 07:49:04 PM by HanSolo
#1

When viewing this thread..

http://forum.bitcoin.org/index.php?topic=21052.0;topicseen

..I got an HTTP login prompt, apparently because the page was trying to display this image from someone's profile..

http://pool.bloodys.com/?action-userbar&cmd=2a8ca8960d59854f4e04b1963161b766.png

An unsophisticated user might enter their forum.bitcoin.org credentials into that prompt.

More generally, loading offsite images is an information leak (IP addresses of forum readers) and possibly even a security risk (if any browser image-handling flaw would let the source site do more, such as redirect to some other site's XSS/CSRF flaw, run JS, or in a worst case, buffer-overflow for local code execution).

I suggest in our new security-conscious era, loading of offsite images as profile icons be disabled.

wumpus (Hero Member; Activity: 812; Merit: 1000)
No Maps for These Territories
June 22, 2011, 07:04:13 PM
Last edit: June 23, 2011, 06:12:39 AM by John Smith
#2

+1

Also, links to external HTTP images break the lock icon in HTTPS connections.

Mark Oates (Full Member; Activity: 168; Merit: 100)
June 23, 2011, 12:36:22 AM
#3

Agreed. For best security, images should be uploaded and/or cached/pulled from the bitcoin.org server before being displayed.

Not to mention image signatures are annoying as crap.
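The server-side avatar cache that HanSolo's report argues for and Mark Oates proposes, as an added example (not SMF's code or anything from the thread): the forum fetches the user-supplied URL itself, rejects anything that is not a recognised image, and re-serves a content-addressed copy from its own origin. The example.invalid URLs, the fake_fetch client and the AVATAR_STORE dictionary are constructed stand-ins for a real HTTP client and disk store.

```python
import hashlib
import re

# Constructed sample responses standing in for remote avatar hosts
# (hypothetical example.invalid URLs, no real fetches): (status, headers, body).
SAMPLE_RESPONSES = {
    "http://example.invalid/ok.png":   (200, {"Content-Type": "image/png"},
                                        b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
    "http://example.invalid/auth":     (401, {"WWW-Authenticate": 'Basic realm="pool"'}, b""),
    "http://example.invalid/fake.png": (200, {"Content-Type": "image/png"},
                                        b"<html>not an image</html>"),
}

def fake_fetch(url):
    """Stand-in for the server-side HTTP client; unknown URLs behave like a 404."""
    return SAMPLE_RESPONSES.get(url, (404, {}, b""))

# Recognise formats by their leading bytes; the remote Content-Type header is attacker-controlled.
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg", b"GIF87a": "gif", b"GIF89a": "gif"}
MAX_BYTES = 64 * 1024
AVATAR_STORE = {}   # hypothetical local store: same-origin path -> image bytes

def sniff_image_type(body):
    for magic, ext in MAGIC.items():
        if body.startswith(magic):
            return ext
    return None

def cache_avatar(url, fetch=fake_fetch):
    """Mirror a user-supplied avatar URL onto the forum's own origin.

    Returns a same-origin path such as '/avatars/<sha256>.png', or None if the
    image is rejected. Readers' browsers only ever load the local copy, so the
    remote host sees no reader IPs, its 401 / WWW-Authenticate cannot raise a
    login prompt, and an https:// page carries no http:// subresources.
    """
    if not re.match(r"^https?://", url, re.I):
        return None
    status, _headers, body = fetch(url)
    if status != 200:          # a 401 is just a failed fetch on the server side
        return None
    if len(body) > MAX_BYTES:  # bound what we store and re-serve
        return None
    ext = sniff_image_type(body)
    if ext is None:            # not a recognised image, whatever the header claims
        return None
    path = "/avatars/%s.%s" % (hashlib.sha256(body).hexdigest(), ext)
    AVATAR_STORE[path] = body
    return path
```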