Aryeh Gregor wrote:
On Thu, Jul 23, 2009 at 1:37 PM, Tim Starling <tstarling(a)wikimedia.org> wrote:
You know you could have changed that header to indicate who actually
wrote it. It's not against the laws of the internet.
To help in the "proving trustworthy, or else" process, I have released
the source code of Watchlistr - please take a look at it. You will see
that I take the utmost care in securing user information. The wiki
logins are encrypted with AES in our database. The key used to encrypt
each user's login list is their site username, which is stored as a
SHA1 hash in our database. If a cracker were to, somehow, gain access
to the database, they would be left with a pile of garbage.
They would only have to get the site usernames to decrypt the login
info. They could get those the next time each user logs in, if
they're not detected immediately. There's no way around this; if your
program can log in as the users, so can an attacker who's able to
subvert your program.
There are plenty of ways to attack Watchlistr without fully compromising
the server. There is no HTML escaping whatsoever, so the thing is full
of XSS vulnerabilities.
For the most part it's escaped for SQL on the input side, which is
hard to verify and easy to mess up. Indeed I found a place where it
was messed up, an SQL injection vulnerability. It appears to allow
compromise of any user's wiki passwords. The AES encryption does not
affect the viability of the attack, since you can use XSS to screen
scrape the unhashed username.
I contacted Cody about this privately and he confirmed that the
scripts are offline and the user database has been deleted, so we're
free to talk about it publicly.
-- Tim Starling
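As an added illustration of the point Tim makes about input-side SQL escaping, and not code from Watchlistr or from anyone in this thread, the sketch below uses Python's sqlite3 to contrast three ways of looking up a user's encrypted login list by the SHA1 of their site username: escaping applied at the input boundary, one code path where that escaping was forgotten, and a parameterized query. The table layout, column names, sample rows and the escaping helper are assumptions; the AES layer is not reproduced, since the thread's point is that once the ciphertext and the username are in hand it adds nothing.

```python
import hashlib
import sqlite3

# Constructed sample data (assumption): Watchlistr-style rows keyed by
# SHA1(site username). The "logins_enc" values stand in for AES output.
SAMPLE_USERS = [
    ("Alice", "<aes-blob-for-alice>"),
    ("Bob", "<aes-blob-for-bob>"),
]

# Attacker input that closes the string literal and comments out the rest
# of the WHERE clause (sqlite3 accepts "--" line comments).
INJECTION_PAYLOAD = "' OR 1=1 --"


def sha1_hex(text):
    """SHA1 of the site username, the way the thread says it was stored."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def setup_db():
    """Build an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, "
        "username_sha1 TEXT, logins_enc TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username_sha1, logins_enc) VALUES (?, ?)",
        [(sha1_hex(name), blob) for name, blob in SAMPLE_USERS],
    )
    return conn


def escape_input(value):
    """Input-side escaping stand-in (assumption): doubles single quotes,
    which is SQLite's own literal-escaping rule. Correct only if every
    query path remembers to call it."""
    return value.replace("'", "''")


def lookup_escaped_input(conn, user_hash):
    """Escaped at the input boundary, then interpolated into the query."""
    safe = escape_input(user_hash)
    sql = "SELECT logins_enc FROM users WHERE username_sha1 = '%s'" % safe
    return [row[0] for row in conn.execute(sql).fetchall()]


def lookup_forgotten_escape(conn, user_hash):
    """The one code path where escaping was missed: the raw value is
    interpolated, so a crafted value rewrites the WHERE clause."""
    sql = "SELECT logins_enc FROM users WHERE username_sha1 = '%s'" % user_hash
    return [row[0] for row in conn.execute(sql).fetchall()]


def lookup_parameterized(conn, user_hash):
    """Bound parameter: the driver never lets the value become SQL text,
    so there is nothing to forget per call site."""
    sql = "SELECT logins_enc FROM users WHERE username_sha1 = ?"
    return [row[0] for row in conn.execute(sql, (user_hash,)).fetchall()]


if __name__ == "__main__":
    db = setup_db()
    print("legit:", lookup_parameterized(db, sha1_hex("Alice")))
    print("escaped path:", lookup_escaped_input(db, INJECTION_PAYLOAD))
    print("forgotten path:", lookup_forgotten_escape(db, INJECTION_PAYLOAD))
    print("parameterized:", lookup_parameterized(db, INJECTION_PAYLOAD))
```

The escaped and parameterized paths return nothing for the payload, while the forgotten path hands back every user's encrypted login list in one query; that is the "hard to verify and easy to mess up" property of escaping on input, since the defect lives in whichever single call site skipped the helper rather than in the helper itself.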