Recent activity
Thor Muller replied on May 16, 2008 08:23 to the problem "Satisfaction have spammed me" in Get Satisfaction:
Eric Suesz replied on May 16, 2008 08:22 to the problem "Satisfaction have spammed me" in Get Satisfaction:
exador23 replied on May 16, 2008 08:17 to the problem "Satisfaction have spammed me" in Get Satisfaction:
This might be a new hole: I got a notification of a reply...
--- "Get Satisfaction! (Get Satisfaction)" <noreply.satisfaction@getsatisfaction.com> wrote:
> From: "Get Satisfaction! (Get Satisfaction)"
> <noreply.satisfaction@getsatisfaction.com>
> To: "Get Satisfaction! (Get Satisfaction)"
> <noreply.satisfaction@getsatisfaction.com>
> Subject: New reply: "reply notification options"
> Date: Fri, 16 May 2008 07:48:10 +0000 (GMT)
>
> rosebaby replied to "reply notification options" an
> idea about Get Satisfaction.
>
> Hello My Dearest,,,
>
>
> I am Miss Rose, i will like to know about you ,
> please never mind to contact me with
> my mail id (rose.jones56@yahoo.com) that will
> enable me to tell you about myself
> and also send my pics.
> thanks your new friend,,,
> with love.
>
> Rose
>
> If this is a good point, visit the link below:
> http://getsatisfaction.com/satisfacti...
>
>
> To reply or comment, visit the link below:
> http://getsatisfaction.com/satisfacti...
>
> To stop following this idea, visit the link below:
> http://getsatisfaction.com/satisfacti...
>
> ----------------------------------------
> This message sent from Get Satisfaction.
> To change your email settings, visit the link below:
>
> http://getsatisfaction.com/me/notific...
>
There is no reply posted on your site.
exador23 started following the problem "Satisfaction have spammed me" in Get Satisfaction.
Scott, an employee of Get Satisfaction, replied on October 19, 2007 06:11 to the problem "Satisfaction have spammed me":
That's just the thing, I wouldn't have thought so either. But, there aren't very many places a user's email is used or displayed in the system.
1. Email address is transferred into the system at signup, login, and password reset
2. The Email and Notifications page has a list of every address you've entered into the system
3. The company admin pages shows email addresses of the other company employees/admins
4. An email is sent to company administrators when a topic is posted to their companies. That email uses regular To: headers in the message rather than BCCs as an additional means to allow inter-admin communication. They should all have each others email address, and using normal To: headers lets a private conversation form between admins around a topic.
5. Your email is used as parts of several cryptographic hashes used for authorization in the system. Don't worry, these hashes aren't easily vulnerable to rainbow table attacks, we salt hashes on a per user basis :-).
6. Used as a BCC field for email messages sent to notify users of new posts.
And that's it.
1 doesn't result in the display of email addresses besides user-entered data, so it is vulnerable to man in the middle attacks, but nothing else that I'm familiar with.
I'm confident 2 and 3 are secure, but I am by no means a security expert. Apart from hijacking someone's session cookies, I can't get into a profile page unless I'm signed in as that user.
4 is by design and only applies amongst company administrators.
5 is as secure as SHA1 with user-specific salting.
6: If this has been exploited, I believe that means each of our mail servers has been compromised! Doubtful.
While decoding the session cookie for sensitive information is Rails-wide, this exploit is still pretty Satisfaction-specific. I would normally think that something outside of Satisfaction was exploited, but since I have no control over anything outside I have to assume that it was our system that was exploited. Given that, the hole I fixed today is the most likely cause, until more holes are uncovered.
Shermozle replied on October 19, 2007 03:55 to the problem "Satisfaction have spammed me" in Get Satisfaction:
Scott, an employee of Get Satisfaction, replied on October 18, 2007 19:29 to the problem "Satisfaction have spammed me":
Alright, so here's how it happened.
As you know, we have an email confirmation mechanism in Satisfaction. A URL is given in the confirmation email messages that has a secured token that is used to confirm that you are able to receive mail at a certain address. When you navigate to that URL with a valid token, you get a message to the effect of "Thanks, you have verified [EMAIL]". On the other hand, if you went to that URL without a valid token it would say "I'm sorry, but the confirmation token for [EMAIL] is invalid", which is where the hole is.
For example, in your Shermozle, navigating to /people/5db0bdd0bd51f781d56fcd4ad10e25721b5cd52c/email_confirmation would give me an HTTP request with your email encoded in the response cookies. This was exposed when we switched from storing Rails flash state in our DB to using cookies (which is now the default in Rails).
I'm currently downloading the access logs from our servers to see if I can glean how many emails were compromised, and am running another sweep to find everywhere email is used in the system to make sure things are secure.
What a shitty day.
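The flash-to-cookie leak Scott describes in the post above, together with the per-user-salted confirmation hash he mentions in his later reply, as an added Ruby example that is not part of this thread or of Get Satisfaction's code. It stands in for the Rails CookieStore with a minimal signed-but-unencrypted serializer; the `User` record, `confirmation_token`, the two versions of the confirmation action, the secret and the addresses are all constructed assumptions.

```ruby
require 'digest/sha1'
require 'base64'
require 'openssl'

# Constructed stand-in for the Rails 2 CookieStore session: the session hash is
# Marshal-dumped, Base64-encoded and signed with an HMAC. The signature only
# prevents tampering; anyone holding the cookie can decode the payload.
class CookieSessionStore
  def initialize(secret)
    @secret = secret
  end

  def encode(session)
    data = Base64.strict_encode64(Marshal.dump(session))
    digest = OpenSSL::HMAC.hexdigest('SHA1', @secret, data)
    "#{data}--#{digest}"
  end

  # Decoding needs no secret, which is why whatever lands in the flash is
  # readable by whoever receives the response.
  def self.decode_payload(cookie)
    data, _sig = cookie.split('--', 2)
    Marshal.load(Base64.strict_decode64(data))
  end
end

# Constructed user record with a per-user salt, as described in the thread.
User = Struct.new(:id, :email, :salt)

# Confirmation token: SHA1 over the per-user salt and the address. A precomputed
# table of SHA1(email) does not match because every user has a different salt.
def confirmation_token(user)
  Digest::SHA1.hexdigest("#{user.salt}#{user.email}")
end

# Constant-time comparison so token checking does not leak timing information.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hypothetical /people/:id/email_confirmation action, written two ways. Both
# handle an UNAUTHENTICATED request whose only input is the token from the URL.
def confirm_email_vulnerable(user, token, store)
  flash = {}
  if secure_compare(token, confirmation_token(user))
    flash[:notice] = "Thanks, you have verified #{user.email}"
  else
    # The error text embeds the address; with a cookie-backed flash that
    # sentence is serialized straight into the Set-Cookie header.
    flash[:error] = "I'm sorry, but the confirmation token for #{user.email} is invalid"
  end
  { status: 302, set_cookie: store.encode(flash: flash) }
end

def confirm_email_fixed(user, token, store)
  flash = {}
  if secure_compare(token, confirmation_token(user))
    flash[:notice] = 'Thanks, your email address has been verified'
  else
    # Generic message: nothing user-specific reaches the flash or the cookie.
    flash[:error] = 'Sorry, that confirmation link is not valid'
  end
  { status: 302, set_cookie: store.encode(flash: flash) }
end

# Defender's check: does any flash message in the response cookie carry the address?
def leaks_email?(response, email)
  payload = CookieSessionStore.decode_payload(response[:set_cookie])
  payload[:flash].values.any? { |msg| msg.include?(email) }
end

if __FILE__ == $0
  store = CookieSessionStore.new('constructed-secret')
  user = User.new(5, 'shermozle@example.com', 'per-user-salt-abc') # constructed
  bad_token = 'deadbeef'
  puts leaks_email?(confirm_email_vulnerable(user, bad_token, store), user.email) # true
  puts leaks_email?(confirm_email_fixed(user, bad_token, store), user.email)      # false
end
```

Run it directly and the check prints true for the vulnerable action and false for the fixed one. The root cause is not the cookie store: as long as the error text embeds the address, any store that writes the flash into a client-visible cookie ships it to whoever sent the request, signed-in or not. Later Rails versions encrypt the cookie as well as signing it, which hides the payload but still leaves the address sitting in the flash; keeping sensitive values out of flash messages removes the leak at its source.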
Scott, an employee of Get Satisfaction, replied on October 18, 2007 19:09 to the problem "Satisfaction have spammed me":
Thor Muller, an employee of Get Satisfaction, replied on October 18, 2007 04:58 to the problem "Satisfaction have spammed me":
Thor Muller started following the problem "Satisfaction have spammed me" in Get Satisfaction.
Scott started following the problem "Satisfaction have spammed me" in Get Satisfaction.
Shermozle reported a problem in Get Satisfaction on October 18, 2007 04:55:
Satisfaction have spammed me
I just got an email to the unique email address I used to join Satisfaction. It's an ad for the "Prepackaged survival food for times of emergency now available." from "The Survival Food Store".
You've either sold your mailing list or been cracked.