small issue.


rek2

Mar 3, 2012, 2:29:54 AM
to diaspora-dev
Just wanted to let everyone know that yes, even if most people do use fake names etc. etc.,
anyone who is connected to a pod can write a very small script in any language and
get all the posts of that server; what the person will do with them is up in the air... could be malicious, could be
the FBI datamining data from our users... explanation:

As it is now I can just create an account on any pod and just loop over https://nameofpod.com/posts/xxxx from 1 until it
resolves to nil (null), and with this map users/posts on that server, even those I AM NOT CONNECTED TO or who have not allowed
me to follow/read their posts..

Probably you guys already know about this.. but a simple check would be very easy to implement.. nobody should be able
to data-mine any posts of people they have not been allowed to at first; in my opinion this is bad for privacy,
as any law enforcement could very easily follow someone's posts without the owner having control.

a(A)a

Sean Tilley

Mar 3, 2012, 2:36:07 AM
to diaspo...@googlegroups.com
Rek,

Could you explain how exactly one would write such a script, so we can figure out what needs to be checked?

-Sean

Maxwell Salzberg

Mar 3, 2012, 2:44:07 AM
to diaspo...@googlegroups.com
Hi,

I can't replicate this on joindiaspora.com, or in my development environment.

While you can view the public posts on the pod, any limited posts are redirected to the root screen if you can not see them.

I just tested this with our seed development environment, and Alice could not see any of Eve's private posts by URL hacking.

maxwell
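To make the two descriptions above concrete, here is an added example (not Diaspora's code) in Ruby, the project's own language: a tiny in-memory model of the visibility rule Maxwell describes (public posts are readable by anyone, limited posts only by the author or the people they were shared with), and the id sweep rek2 describes, which walks /posts/1, /posts/2, ... until the pod stops returning posts. All users, aspects and post ids are constructed for the example, and `show_post` is a stand-in for the controller action, not the real one. One assumption is built in on purpose: a limited post the viewer may not see gets the same `:not_found` answer as an id that does not exist, so the sweep cannot tell "private" from "missing". A redirect to the root page for limited posts, as Maxwell mentions, still protects the content, but it is a different response from a nil id and so would let an enumerator count private posts; the hardened form below closes that side channel.

```ruby
# Added example, not Diaspora's own code. Models the access rule described in
# the thread and the id sweep used to probe it. All data below is constructed.

Post = Struct.new(:id, :author, :visibility, :audience) do
  # A post is visible to a viewer when it is public, when the viewer wrote it,
  # or when the viewer is in the audience it was shared with (the "limited" case).
  def visible_to?(viewer)
    return true if visibility == :public
    return false if viewer.nil?
    author == viewer || audience.include?(viewer)
  end
end

# Constructed data: ids 1..6 with a deliberate gap at 4, so the sweep has to
# tolerate a hole rather than stop at the first miss.
POSTS = {
  1 => Post.new(1, "eve",   :public,  []),
  2 => Post.new(2, "eve",   :limited, ["bob"]),
  3 => Post.new(3, "alice", :public,  []),
  5 => Post.new(5, "eve",   :limited, []),
  6 => Post.new(6, "bob",   :limited, ["alice"]),
}.freeze

# Stand-in for GET /posts/:id (assumption, not the real controller).
# A post the viewer may not read is answered exactly like a missing id, so the
# response never confirms that a private post with this id exists.
def show_post(viewer, id)
  post = POSTS[id]
  return [:not_found, nil] if post.nil? || !post.visible_to?(viewer)
  [:ok, post]
end

# The sweep rek2 describes: walk ids upward and stop after `stop_after`
# consecutive misses, which stands in for "until it resolves to nil".
# Returns the ids the viewer was actually able to read.
def sweep(viewer, stop_after: 3)
  seen = []
  misses = 0
  id = 1
  while misses < stop_after
    status, post = show_post(viewer, id)
    if status == :ok
      seen << post.id
      misses = 0
    else
      misses += 1
    end
    id += 1
  end
  seen
end

if __FILE__ == $PROGRAM_NAME
  puts "anonymous sees: #{sweep(nil).inspect}"      # public posts only
  puts "alice sees:     #{sweep('alice').inspect}"  # public + shared with her
  puts "eve sees:       #{sweep('eve').inspect}"    # public + her own
end
```

The regression test Maxwell asks for is the last two cases: an unrelated account (or no account) sweeping every id must come back with exactly the public posts, and a viewer must see a limited post only when they are its author or in its audience.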


--
You received this message because you are subscribed to the Google Groups "diaspora-dev" group.
To post to this group, send email to diaspo...@googlegroups.com.
To unsubscribe from this group, send email to diaspora-dev...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/diaspora-dev?hl=en.

rek2

Mar 3, 2012, 2:55:12 AM
to diaspo...@googlegroups.com
Maybe I can only see the public ones? Because I know for a fact that I was able to see other people's posts, because I hit their username and they were not on my list nor was I on theirs.. so the only explanation is the posts are public.. but do make sure, please.

rek2

Mar 3, 2012, 3:00:07 AM
to diaspo...@googlegroups.com
@sean I was just playing around with the URL. I entered 10 different numbers and in most cases I was able to see the post, so I thought if I wrote a script that went from 0 to whatever I could get all posts.. now it is possible that most posts I manually tried were public.

Maxwell Salzberg

Mar 3, 2012, 3:00:07 AM
to diaspo...@googlegroups.com
Yeah, it's only public.

We most certainly should have a regression test for this in cucumber, if we do not already.

One small request:
I would ask that you check such a major privacy accusation a little more carefully before sending it out on a public mailing list, as I almost had a heart attack and dropped everything I was doing to check.  All in a Friday night I guess :P


Thanks again for your concern.

<33333333333333

Maxwell

Sarah Mei

Mar 3, 2012, 5:17:07 AM
to diaspo...@googlegroups.com
Seriously. We do have a way to alert us privately to an exploit, if you think you've found one. The email address is expl...@joindiaspora.com and there's a link to the corresponding public key at the bottom of the README.

rek2

Mar 3, 2012, 5:47:01 AM
to diaspo...@googlegroups.com
lol sorry, I thought about posting it on -devs; next time I will use the email.
But there is a reason I said "small issue": I didn't want to call fire for something I just wanted other people to check.

But thanks for checking, that says a lot.

