I Just Logged In As You

Jeff Atwood

Jeff Atwood

2 min read Comments

I received this anonymous email a few days ago:

I found what one could call a security hole in Stackoverflow. I’m curious enough to go digging around for holes, but too ethical to actually do anything with them. However, I’m afraid that by pointing it out I’ll get banned, because a good member doesn’t poke around like I just did. I promise I did nothing with what I found out besides confirm the hole.

You may be wondering why I’m e-mailing you personally, rather than [email protected]. It’ll make sense when I reveal the hole, which is...

I logged in as you.

How? Well, there were two pieces of the puzzle, the password and the openid provider. I had a possible password; today your blog post revealed the openid provider. I logged in, freaked out that it actually worked, then logged out. The only reason I had the password is because your password is totally inadequate for someone running a site like StackOverflow. I don’t want to go into any more detail than that, but man - dictionary password!

I’ve read about the secret “hacker” badge... if you’re not going to punish me for my transgression, then I will reveal who I am and I sure wouldn’t mind getting it. Still, I can understand if you’re upset - I wouldn’t want someone else digging up my password. (That’s why I send this friendly e-mail instead of hoarding, or worst, selling, the information.)

Please, go change your openid password, before someone less ethical than I finds it.

- A friend of the site

These are the kinds of emails that make your blood run cold. Good thing I haven’t made too many enemies. Today, I mean. So far. The day’s not over, yet.

Is it true? Did someone just log in as me? I checked the OpenID logs, and sure enough, there was a valid login from an IP address I didn’t recognize. He wasn’t bluffing. He really did log in as me.

While it’s true I probably should have used a more secure password, in my defense:

  1. The particular OpenID account I use is typically for low-value logins like blog comments and so forth. It’s not exactly a high security form of identity for the use I have in mind.*
  2. The password was relatively simple, but I wouldn’t go so far as to characterize it as a “dictionary password” – it wasn’t quite “password1” or “monkey” or “happiness,” or anything like that. It was weak, yes, but dictionary password attacks, like all brute force attacks, are still for dummies.

What’s interesting about this, though, is how it happened. I’ll reveal that tomorrow, with this one hint: I’ve talked about this exact sort of vulnerability several times on this very blog.

Until then, take your best guess: how do you think this person discovered my password? I’ll highlight the best response tomorrow with the answer.

*Although as a Stack Overflow moderator I have unusual powers and probably should have used an alternate OpenID with more security.

security ethical hacking password security vulnerability openid
Jeff Atwood

Written by Jeff Atwood

Indoor enthusiast. Co-founder of Stack Overflow and Discourse. Disclaimer: I have no idea what I'm talking about. Find me: https://infosec.exchange/@codinghorror

⏲️ Busy signing you up.

❗ Something's gone wrong. Please try again.

✅ Success! Check your inbox (and your spam folder, just in case).

Related posts

There is no longer any such thing as Computer Security

There is no longer any such thing as Computer Security

Remember “cybersecurity”? Mysterious hooded computer guys doing mysterious hooded computer guy... things! Who knows what kind of naughty digital mischief they might be up to? Unfortunately, we now live in a world where this kind of digital mischief is literally rewriting the world’s history. For proof of that, you

By Jeff Atwood ·
Comments
Hacker, Hack Thyself

Hacker, Hack Thyself

We’ve read so many sad stories about communities that were fatally compromised or destroyed due to security exploits. We took that lesson to heart when we founded the Discourse project; we endeavor to build open source software that is secure and safe for communities by default, even if there

By Jeff Atwood ·
Comments
Let’s Encrypt Everything

Let’s Encrypt Everything

I’ll admit I was late to the HTTPS party. But post Snowden, and particularly after the result of the last election here in the US, it’s clear that everything on the web should be encrypted by default. Why? 1. You have an inalienable right to privacy, both in

By Jeff Atwood ·
Comments
Welcome to The Internet of Compromised Things

Welcome to The Internet of Compromised Things

This post is a bit of a public service announcement, so I’ll get right to the point: Every time you use WiFi, ask yourself: could I be connecting to the Internet through a compromised router with malware? It’s becoming more and more common to see malware installed not

By Jeff Atwood ·
Comments

Recent Posts

Let's Talk About The American Dream

Let's Talk About The American Dream

A few months ago I wrote about what it means to stay gold — to hold on to the best parts of ourselves, our communities, and the American Dream itself. But staying gold isn’t passive. It takes work. It takes action. It takes hard conversations that ask us to confront

By Jeff Atwood ·
Comments
Stay Gold, America

Stay Gold, America

We are at an unprecedented point in American history, and I'm concerned we may lose sight of the American Dream.

By Jeff Atwood ·
Comments
The Great Filter Comes For Us All

The Great Filter Comes For Us All

With a 13 billion year head start on evolution, why haven’t any other forms of life in the universe contacted us by now? (Arrival is a fantastic movie. Watch it, but don’t stop there – read the Story of Your Life novella it was based on for so much

By Jeff Atwood ·
Comments
I’m feeling unlucky... 🎲   See All Posts