# If you view this post...



## Socks the Fox (Mar 20, 2014)

You are now logged out of FA.
Because FA doesn't use a logout security token and browsers try to load the logout page as an image automatically, which triggers the logout.

If the logout had a security token, and rejected logout attempts that didn't have this token, the post would do diddly squat.

I'm not the first to find this. I wonder if the coder that did this also worked on Community Server...
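
The mechanism described in the post, as an added example (constructed for this thread, not FA's code): a logout endpoint that ends the session on any request carrying the cookie, beside one that requires POST and a per-session token, so a GET issued for an embedded image does nothing. `SECRET_KEY`, `SESSIONS`, `Request` and the handler names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed example (not FA's code): a logout endpoint with and without
# the per-session token the thread says is missing.
SECRET_KEY = b"server-side-secret-placeholder"   # assumption: never sent to clients
SESSIONS = {}                                    # session id -> username


class Request:
    def __init__(self, method, cookies=None, form=None):
        self.method, self.cookies, self.form = method, cookies or {}, form or {}

def login(user):
    sid = secrets.token_hex(16)
    SESSIONS[sid] = user
    return sid

def csrf_token(sid):
    # Token bound to the session. A third-party page cannot compute it (it never
    # sees SECRET_KEY) and cannot read the sid cookie to ask the server for it.
    return hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).hexdigest()

def logout_vulnerable(req):
    # Any request carrying the cookie ends the session, including the GET a
    # browser issues for an <img src="/logout"> embedded in someone else's post.
    sid = req.cookies.get("sid")
    SESSIONS.pop(sid, None)
    return 200

def logout_hardened(req):
    # Reject side-effecting GETs and require a token matching the session.
    if req.method != "POST":
        return 405
    sid = req.cookies.get("sid")
    if sid not in SESSIONS:
        return 401
    if not hmac.compare_digest(csrf_token(sid), req.form.get("csrf", "")):
        return 403
    del SESSIONS[sid]
    return 200

def image_load(handler, sid):
    # What a browser does for an embedded image: GET with cookies, no form body.
    return handler(Request("GET", cookies={"sid": sid}))
```

Only the hardened handler survives the image load; the real logout form still works because the page that renders it can embed `csrf_token(sid)` for the user's own session.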


----------



## Draconas (Mar 20, 2014)

The image or whatever isn't loading


----------



## Icky (Mar 20, 2014)

Oh man, that is fantastic. Brb, using this everywhere.


----------



## Socks the Fox (Mar 20, 2014)

Draconas said:

> The image or whatever isn't loading



Doesn't need to, you should still be logged out.

Edit: also this thread's gonna be a pain to respond to until a mod does something X3


----------



## Icky (Mar 20, 2014)

Socks the Fox said:


> Doesn't need to, you should still be logged out.
> 
> Edit: also this thread's gonna be a pain to respond to until a mod does something X3



Well, the login for the forums is separate from the main site, so you can be logged out there and not even know it :u


----------



## Xela-Dasi (Mar 20, 2014)

Wow, Not bad.


----------



## Kalmor (Mar 20, 2014)

Staff are aware of the issue. Just a warning in the meantime, anyone found exploiting this in any way will be punished, even though it's an inconvenience rather than a security issue.

... Now I have to log in to FA again....


----------



## BRN (Mar 20, 2014)

£3 to anyone who uses it as a sigpic.


----------



## Kalmor (Mar 20, 2014)

BRN said:


> £3 to anyone who uses it as a sigpic.


This is what I mean by exploiting it.


----------



## Socks the Fox (Mar 20, 2014)

If it makes you guys feel any better The Daily WTF's forums suffer from the same problem. Not sure how much longer though, there's talk of switching to a slightly less WTFy forum software...


----------



## Kragith Zedrok (Mar 20, 2014)

Ok then, I ignored this when it happened to me. Interesting that it does this. Just refreshed and logged in normally after.

EDIT: Why do I have to constantly log in now ?


----------



## Socks the Fox (Mar 20, 2014)

FFox97 said:


> Ok then, I ignored this when it happened to me. Interesting that it does this. Just refreshed and logged in normally after.
> 
> EDIT: Why do I have to constantly log in now ?



It should only log you out if you view this thread, so every time you're here it'll log you out. Other than that it shouldn't be keeping you logged out.


----------



## Kragith Zedrok (Mar 20, 2014)

Socks the Fox said:


> It should only log you out if you view this thread, so every time you're here it'll log you out. Other than that it shouldn't be keeping you logged out.


No, now it's doing it on every forum section lol. I think I broke it.

EDIT: Restarting browser fixed that.


----------



## SpikedKanine (Mar 20, 2014)

Welp.

She's not wrong.
It logs you out. 

It's beyond me how such trivial things make FA freak out and do stuff like this.


----------



## Kesteh (Mar 20, 2014)

No logout security token.

What the flying fuck seriously? I'm done.


----------



## Farts (Mar 21, 2014)

Raptros said:


> Staff are aware of the issue.



Haven't they been aware of the issue for three years?
http://eevee.livejournal.com/329817.html

And just how many of these other security issues have yet to be resolved?


----------



## LizardKing (Mar 21, 2014)

Socks the Fox said:


> You are now logged out of FA
Denied

Added this 3 years ago when it was last making the rounds, when it also worked with journals/watches/favourites/etc



> The Following User Says Thank You to Farts



lol


----------



## kayfox (Mar 21, 2014)

Raptros said:


> Staff are aware of the issue. Just a warning in the meantime, anyone found exploiting this in any way will be punished, even though it's an inconvenience rather than a security issue.
> 
> ... Now I have to log in to FA again....



This is in fact a security issue.

OWASP 2013 Top 10, A8 - Cross-Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

https://www.owasp.org/index.php/Top_10_2013-Top_10

So, let's talk about impact: the impact is a denial of service, you're logged out when you didn't intend to be.

So, this is a security issue.

~ Someone whose title includes "Security" and "Engineer"


----------



## Gryphoneer (Mar 21, 2014)

LizardKing said:

> lol


>>not fixing a known exploit over the course of more than three years

Lol indeed, lol indeed...


----------



## Duality Jack (Mar 21, 2014)

Raptros said:


> This is what I mean by exploiting it.


Damn No fun.

Totally wanted too.


----------



## Socks the Fox (Mar 21, 2014)

Raptros said:


> anyone found exploiting this in any way will be punished



Awww, I just got finished adding this to my sig on every forum I visit...

J/K I'm not that evil.

*logs back in... again...*


----------



## Verin Asper (Mar 22, 2014)

If this security hole still exists (cause 3 years is not enough time for FA to fix this one, Lexy Eevee must be proud still),
does that mean the one where, if you do the same thing, you automatically make a journal which the person doing said exploit wants you to make?
Or fave a specific picture? Or heck, even if they see the image you automatically watch them on FA?

I hope FA isn't relying on "We hope no one knows about these exploits" cause it ends up with people actually using 'em and it not being known that people are using 'em.


----------



## Socks the Fox (Mar 22, 2014)

Verin Asper said:


> If this security hole still exists (cause 3 years is not enough time for FA to fix this one, Lexy Eevee must be proud still),
> does that mean the one where, if you do the same thing, you automatically make a journal which the person doing said exploit wants you to make?
> Or fave a specific picture? Or heck, even if they see the image you automatically watch them on FA?
> 
> I hope FA isn't relying on "We hope no one knows about these exploits" cause it ends up with people actually using 'em and it not being known that people are using 'em.



A quick check shows all of those have validation tokens, so it's not like they don't already have some sort of security token thing in place. If the code were sane it'd just be tacking one on to the logout link as well, but then again this is FA's code we're talking about.


----------



## LizardKing (Mar 22, 2014)

Verin Asper said:


> Does that mean the one where, if you do the same thing, you automatically make a journal which the person doing said exploit wants you to make?
> Or fave a specific picture? Or heck, even if they see the image you automatically watch them on FA?



Nah, that was fixed a while back. Those require a token now. Logout seems to be the only one left.

Edit: Bloody ninjas.


----------



## InSaneJoker (Mar 22, 2014)

You're starting to become one of my fav people.


This made me lol so much XD 
Now I have to login again...


----------



## Draconas (Mar 30, 2014)

Forgot to close this thread, wondered why I was logged out every time I open chrome.


----------



## Socks the Fox (Mar 31, 2014)

At least now there's a new page, so I don't have to go "Oh god someone replied to the thread..."


----------



## Sar (Apr 1, 2014)

I use chromium and it doesn't log me out. It should not be a problem to anyone unless you are using someone else's account. It is one of the more random things for other people.


----------



## Duality Jack (Apr 1, 2014)

Sarukai said:


> I use chromium and it doesn't log me out. It should not be a problem to anyone unless you are using someone else's account. It is one of the more random things for other people.


Chromium is a tad smarter than its Windows native sibling.


----------



## CallMeCactus (Apr 1, 2014)

HA, I DON'T HAVE A FA!


----------



## Sar (Apr 1, 2014)

Mokushi said:


> Chromium is a tad smarter than its Windows native sibling.



Chromium Browser is better for things since Google somehow fucked up Chrome for me.


----------



## Volkodav (Jun 29, 2014)

This still happens. |:
It's been months and it hasn't been fixed.


----------



## Socks the Fox (Jun 29, 2014)

Apparently it's been years, actually. Don't hold your breath on it. I'd say Phoenix would probably have the same bug, but that would imply Phoenix ever getting finished.


----------



## PheagleAdler (Jun 30, 2014)

Socks the Fox said:


> Apparently it's been years, actually. Don't hold your breath on it. I'd say Phoenix would probably have the same bug, but that would imply Phoenix ever getting finished.



If they're building it from the ground up, I think that'd be hard to determine, especially at this point.


----------

