PLEASE stop publishing commenter email addresses.

Posted by a guest, Jan 22nd, 2016
Title: Will Enformable confirm the following info & if confirmed, PLEASE stop publishing (intentionally or otherwise - most likely unintentionally) its COMMENTERS' EMAIL ADDRESSES?
Warned over 50 days ago! No hacking required, nor involved. :(

I first noted this in November of 2015.
Last confirmation was obtained about two weeks ago. I don't know if said information disclosure is still occurring. Also unknown to me is how long this has been ongoing.

Some background info follows.

2009 --> http://www.developer.it/post/gravatars-why-publishing-your-email-s-hash-is-not-a-good-idea
https://kevtownsend.wordpress.com/2013/12/13/what-lessons-should-we-learn-from-the-disqus-security-breach/

It potentially gets much worse when a well-known & well-read site seemingly publishes commenters' email addresses. Would this not at least theoretically affect both anti AND pro "nukular" communities?

If you're going to use avatars on a WordPress framework, should they not all be cached on your server, perhaps addressed via a SALTED MD5 (at least SHA1) hash? How about an avatar simply based upon the commenter's pseudonym?
This kind of shite has apparently been known over the web for SEVEN YEARS!

For repeatability purposes I will disclose some of my configuration, to aid anyone attempting to confirm or deny this alleged information disclosure issue.

DISCLAIMER: At your own risk. I am making no claims for the security of your own configuration. Also, if you value the contents of your hard drive, you might consider disconnecting it at least (with ALL power sources fully disconnected first ... don't set your drive on a speaker magnet if it's "spinning rust". DON'T work with electronics if static electricity is an issue --> BE STATIC SAFE!). DO make a viable verified backup of your hard drive first if you care about your data, as I will not be held responsible for ANY data or other loss. If you aren't familiar with many of the concepts presented in this document, don't even try. Generally, you shouldn't have to remove the hard drive, as long as you don't hit "Install Linux Mint", but ... hey, it's YOUR data.
If you are desiring to harvest email addresses from Enformable, that is strongly discouraged and could be considered hacking, & thus if true I would hope he catches your ass & you fry in a vat of capsicum oil & razor blades whilst Yamashita himself laughs & smiles the biggest Cheshire grin IN YOUR FACE! Five minutes of that might be preferable to the potential legal implications, so ... simply don't. :)

After reading one of his articles offline, I noted email addresses to the left of each comment where the user image or Gravatar "snowflake" or other avatar usually is, including what appear to be REAL NAMES making up such email addresses. No hacking was utilized. It appears the leakage occurs via "Alternate Text", which may also be viewable via Firefox's "View Image Info" context menu.

A need to read articles in my spare time & to reduce my "profile" on the interweb & to reduce the possibility of attack inspired me to simply copy articles via simple HTML for my own private viewing and educational purposes ONLY (NOT for public exhibition NOR distribution). Most pictures do not get copied via this method, as it is mostly text. That is how I stumbled upon this dreadful quagmire (giggidy).

I use Linux Mint burned onto a DVD disc (to avoid potential issues via BadUSB -- granted, it's not as fast as making or using a flash thumbdrive). http://distrowatch.com/table.php?distribution=mint

Saving web pages for later viewing is accomplished via Firefox's "drag & drop" feature within Linux Mint. To do so, navigate to the page you wish to save, then hover the mouse pointer over the little icon to the immediate left of the web address in the address bar. Click & hold the left button of the mouse, then drag the pointer to either the Desktop, or a folder (via Nemo ... also called "Files", to the right of the "Menu" at the lower-left corner of the screen). Press and hold the <Ctrl> button (whilst holding down the left button of the mouse, as noted) until a little + sign shows up. Let go of the mouse button, and a new file should be created. Drag & drop ... simple, neh?

Disconnecting from the internet & clearing history (& cache?) before viewing pages seems appropriate.

A JavaScript blocker, such as No$cript, is utilized (to prevent infection via "malvertising"). All whitelisted sites are removed via the Tools/Add-ons configuration page. Rules are applied to whitelisted sites, for those internal Firefox addresses that remain. Ghostery is also utilized, although that may be optional. These configuration changes should be done before attempting to "drag & drop" a web page.

Rather than attempting to exploit such information, I reported my findings to Enformable in a polite and timely manner. No threats were issued, nor any demands (financial or other gain). I truthfully indicated that he was the only person I revealed this information to, and did not offer nor threaten to divulge it elsewhere.

I did request that he please fix the issue though. The issue was therefore reported properly.

I suggested that if he agreed to fix the leakage he could post a reply to Bobby's Blog, asking how he is doing.

Imagine my shock after reading Rob's latest article, posted a couple of days later. I didn't speak for Rob, yet I very much regret even mentioning his blog. It was very stupid of me. I don't doubt that Rob hates me now. I had hoped he would receive a "Merry Christmas" greeting from Enformable, and therefore that the issue would be fixed, and I would never mention it to anyone else. This was the first time I've directly seen anything like this first-hand. What was garnered from my efforts? It would seem like hate-mail to Bobby (a decent fellow who is cerebrally very gifted, IMHO), who is very ill!

"Hi Rob, how are you doing?" ... How hard would that have been to do?? That would have convinced me that the message had been received, and all would be OK, and that no further email addresses could be disclosed.

Perhaps I might be "too quick to leap to conclusions" (femfaust quote), yet all that is laid out here are hypotheses. Confirmation is key to conclusions, neh?

It has been well over 30 days since first reporting this via (an insecure HTTP) tip submission. (Could that have been intercepted??? IDK, seems too speculative.)

It appears no fix is in the works, and I am intimidated to visit that site any further, let alone communicate with that site's owner. I'm not the one disclosing commenters' email addresses & steadfastly refuse to do so, especially via screenshot as requested Jan 9 by femfaust. http://letsdoandsaywedid.blogspot.ca/2015/10/people-or-why-i-dont-get-out-much-talk.html Quote: "am not able to reproduce your experience, and i have tried a few ways. perhaps you could take a screenshot? " ... "where is the first comment that was left on this page?"

Censorship sucks, and I am assuming it was Google's wares involved, as this is certainly not the first time such a thing has happened to me utilizing the (dirty) Blogger platform to comment. I did post two comments there on both sites, and all four times "Your post has been received & is awaiting moderation." [paraphrased] did in fact appear. Note: this isn't an accusation against either femfaust or stock, it is simply an account of my experience. No offense intended - to anybody. http://nukeprofessional.blogspot.com/2014/11/virus-laden-troll-links-at-enenews.html?showComment=1452379343675#c1030283075081244989

I would continue the discussion there, yet I am tired of reposting my comments via (dirty) Blogger (so to speak).
The excessive use of JavaScript is something else that rubs me wrong, and I will be avoiding such sites in future. That is not a recommendation per se, yet simply a choice.

Another funny artifact of drag & dropped HTML pages from Blogger sites seems to be a >Delete< button that appears only on such saved pages. I have never tried using any of them, as that would seem like hacking to me, and I'm no hacker. That would violate the "Golden Rule", at the very least.

Quote of stock: "Very annoying Google/Blogger" http://nukeprofessional.blogspot.com/2014/11/virus-laden-troll-links-at-enenews.html?showComment=1438106011010#c8207931412442393721
Paraphrased quote of Todd Bertuzzi: "It is what it is. I know that now."

Respectfully though, in my humble opine, Gravatar seems worse.

Wondering how long that site may have been leaking people's email addresses, seemingly in violation of that site's Privacy Policy. I have no answer - whois info might indicate possibly early 2014, maybe earlier. Internet Archive backups of his web pages don't seem to be participating in said alleged info disclosure.
I am hoping beyond hope that this hasn't been ongoing since Enformable originally published freedom of info before or immediately after apparently originally obtaining such.

Maybe if a few commenters were made aware of this, and verified their own information exposure (and only their own - if that is still legal to do ??), they might comment to him & a fix be rapidly implemented whilst retaining existing commentary.

I really like the articles there, and his reporting seems excellent. WTF?

PS: Saikado Hantai!!! NO MORE MELTDOWNS OR MELTTHROUGHS, DAMMIT!!! (& how 'bout a Manhattan-style project to do something meaningful with all that 'frackin' waste?)

PPS: DON'T respond to me, if you confirm the issue - TELL ENFORMABLE!!!! Tell him he might owe Bobby1 an apology, if that was his hate mail. Be polite. I am reminded that everybody is entitled to a bad day. Perhaps he had one. Looking at the industry he deals with, that might explain things, somewhat. Look at all the druggies & nutters with guns or other extremists he publishes about. May God help us all. :o
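As an added example (not part of the original paste, and not the site's or WordPress's own code): a small Python check a site owner can run over a saved HTML copy of their own comment section to confirm the disclosure path the paste describes, an `<img>` whose alt attribute is a bare email address, plus a side-by-side of the plain MD5 identifier Gravatar derives from an address and the salted, keyed alternative the paste suggests. The sample HTML, the addresses in it and the `site_salt` parameter are constructed for illustration.

```python
import hashlib
import hmac
import re
from html.parser import HTMLParser

# Constructed sample of a saved comment section; addresses and paths are made up.
SAMPLE_HTML = """
<li class="comment"><img alt="jane.doe@example.org" src="https://secure.gravatar.com/avatar/0000" class="avatar"></li>
<li class="comment"><img alt="" src="https://secure.gravatar.com/avatar/1111" class="avatar"></li>
<li class="comment"><img alt="Bob's avatar" src="/uploads/bob.png" class="avatar"></li>
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

class AltTextAuditor(HTMLParser):
    """Collects every <img> whose alt attribute is a bare email address."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        alt = (a.get("alt") or "").strip()
        if EMAIL_RE.match(alt):
            self.findings.append({"alt": alt, "src": a.get("src") or ""})

def find_leaked_emails(html):
    """Return one finding per <img> that exposes an address in its alt text."""
    auditor = AltTextAuditor()
    auditor.feed(html)
    return auditor.findings

def gravatar_hash(email):
    """Unsalted identifier: MD5 of the trimmed, lowercased address (Gravatar style).
    Anyone holding a list of candidate addresses can match it offline."""
    return hashlib.md5(email.strip().lower().encode()).hexdigest()

def private_avatar_key(email, site_salt):
    """Salted alternative the paste suggests: HMAC-SHA256 keyed by a server-side
    secret, so the published value cannot be matched without that secret."""
    normalized = email.strip().lower().encode()
    return hmac.new(site_salt, normalized, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    for f in find_leaked_emails(SAMPLE_HTML):
        print("alt text exposes address:", f["alt"], "<-", f["src"])
```

Run it against a page saved the way the paste describes (a dragged-and-dropped copy of a comment thread) to see whether any avatar alt text carries an address; an empty result means that page, at least, is clean.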