Public Service Announcement

If you use fetlife, you need to read this post: http://maybemaimed.com/2011/08/08/backdoor-access-to-your-fetlife-profile-remained-open-permanently/. Knowing as little as I do about web application security, I didn’t realize fetlife’s security was nearly as bad as it is. Poor security isn’t nearly as sexy as shiny new features, but I think it’s far more important given that there’s currently no legal protection against discrimination on the basis of being kinky.

If you’d like to help pressure fetlife to fix their security, here’s a handy link, conveniently lifted from maymay’s post: Write to privacy@fetlife.com and complain. Just click it, edit as you see fit, and hit send. I highly recommend reading maymay’s post, but if you just want to do something quick and easy to help, go with the link 🙂

4 thoughts on “Public Service Announcement”

  1. Thanks for letting us know!

    I’d like to point out that this is a bad security exploit, BUT, it’s not all that bad: Nobody can access your account unless they execute a man-in-the-middle attack, which means they pretty much have to be physically near you and targeting you (and fetlife) specifically.

    Here’s hoping there’s nobody in your life like that.

    And don’t access fetlife from coffee shops. 😛

  2. “Nobody can access your account unless they execute a man-in-the-middle attack”

    That’s not true, weezie. You’re currently also vulnerable to passive sniffing, and you may also be vulnerable to a number of other attack vectors, too. See this footnote.

  3. “I’d like to point out that this is a bad security exploit, BUT, it’s not all that bad: Nobody can access your account unless they execute a man-in-the-middle attack, which means they pretty much have to be physically near you and targeting you (and fetlife) specifically.”

    That’s not *necessarily* true. A person doing a man-in-the-middle attack in, say, a coffee shop or at some other publicly accessible WiFi point can run automated tools that lift vulnerable session cookies from everyone nearby, and then later sift through the stolen cookies looking for something interesting. Such a person might not have any particular interest in FetLife at all, but might still say “Hmm, here’s a Fetlife session cookie; that sounds like it might be fun to play with!” Often, folks who do this sort of thing aren’t directing their malice at any one person or site; they’re taking advantage of targets of opportunity.

    The point about not browsing Fetlife from a cafe is valid, but a better solution would be for Fetlife to implement reasonable best practices for handling session cookies.

  4. “The point about not browsing Fetlife from a cafe is valid, but a better solution would be for Fetlife to implement reasonable best practices for handling session cookies.”

    That’s the part that really scares me – fetlife advertises itself as a safe space for kinksters, but with security flaws like this it’s really not safe.

    Also, *squeee*! Franklin Veaux noticed my blog! Okay, I’m done fangirling now.
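The “best practices for handling session cookies” raised in comment 3 come down to a few cookie attributes: Secure keeps the cookie off plain HTTP (so it cannot be read by passive sniffing on open WiFi) and HttpOnly keeps it away from page scripts. The check below is an added example written for this page, not code from the post or from FetLife; the Set-Cookie headers, the cookie name and the rule that names containing “sess”, “sid”, “token” or “auth” are treated as session cookies are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample headers: the first is the weak pattern the thread describes
# (a session cookie that is also sent over plain HTTP), the second the hardened form.
WEAK_HEADER = "fl_session=3f9a2c7b1e; Path=/; Expires=Wed, 09 Jun 2021 10:18:14 GMT"
HARDENED_HEADER = "fl_session=3f9a2c7b1e; Path=/; Secure; HttpOnly; SameSite=Lax"

# Assumption for this example: cookie names like these carry a login session.
SESSION_NAME_HINT = re.compile(r"sess|sid|token|auth", re.IGNORECASE)


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Split one Set-Cookie header into its name and its attributes (case-insensitive)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() or True  # flag attrs have no value
    samesite = attrs.get("samesite")
    return CookieAudit(
        name=name,
        secure=attrs.get("secure") is True,
        httponly=attrs.get("httponly") is True,
        samesite=samesite if isinstance(samesite, str) else None,
    )


def audit_set_cookie(header: str) -> CookieAudit:
    """Record what a defender would flag on a session cookie; non-session cookies pass."""
    cookie = parse_set_cookie(header)
    if not SESSION_NAME_HINT.search(cookie.name):
        return cookie
    if not cookie.secure:
        cookie.findings.append("missing Secure: sent in the clear over HTTP, readable by passive sniffing")
    if not cookie.httponly:
        cookie.findings.append("missing HttpOnly: readable by any script running in the page")
    if cookie.samesite is None:
        cookie.findings.append("missing SameSite: attached to cross-site requests")
    return cookie


if __name__ == "__main__":
    for header in (WEAK_HEADER, HARDENED_HEADER):
        result = audit_set_cookie(header)
        print(result.name, result.findings or "OK")
```

Running it against a site’s real Set-Cookie responses (captured with the browser’s developer tools) shows at a glance whether its session cookie is exposed the way the comments describe.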
