I helped maymay with the noneditorial parts of this, so can vouch for their accuracy. It's a good find on his part, but sadly it's not very technically interesting to people who know this stuff. Rather, it's an inexcusably basic security fuckup by FetLife.

After being notified over a month ago, FetLife has taken some preliminary but inadequate measures to protect their users' security. Fact is, session capture / replay attacks are real, easy, and in this case potentially extremely damaging. What's sad is that they're not that hard to mitigate technically; FL simply failed to do so after having completely adequate time to respond before publication.

Tsk.

http://maybemaimed.com/2011/08/08/backdoor-access-to-your-fetlife-profile-remained-open-permanently/
Huh, how did this not show up in my stream? Thanks for the pointer.