QuillLittlefeather / openmetaverse

Automatically exported from code.google.com/p/openmetaverse

hilarious security bug and possible ramifications #49

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
It appears that while email addresses are checked when registering users, 
avatar names are not. SimianGrid appears to change the details of the old user 
to reflect the new details. This includes the UUID.

At this point I was also unable to log in to the front end. It appears there is 
some kind of caching going on in the sgf_users table.

Original issue reported on code.google.com by jonaf...@gmail.com on 12 Aug 2010 at 1:12

GoogleCodeExporter commented 9 years ago

Original comment by jonaf...@gmail.com on 12 Aug 2010 at 3:41

GoogleCodeExporter commented 9 years ago
Spoke with jhurliman about this. SimianGrid itself is inherently 'open' as can 
be. The fix is for the frontend to check if the user exists.

Original comment by jonaf...@gmail.com on 14 Aug 2010 at 3:20

GoogleCodeExporter commented 9 years ago
To add a bit more info on how we arrived at the decision: across the SimianGrid 
APIs the add-or-update pattern is a much more common request than just add, so 
we normalized all of the APIs to use the same pattern for simplicity. That 
means in a few cases, like user registration, you need to query whether an 
account exists before creating it. The Name and Email should both be checked 
though, so we should think about tweaking the search API to allow multiple 
fields to be searched at once with an OR operator.

Original comment by jhurlima...@gmail.com on 14 Aug 2010 at 4:40
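The two comments above describe the same thing from two sides: the original report (a colliding avatar name silently replaces the old user's record, UUID included) and the design explanation (the backend API is an upsert, so the front end must look the account up by Name and Email before creating it). The following is an added illustration, not SimianGrid's or the front end's own code: an in-memory stand-in for an upsert-style user call, a hypothetical `find_user` helper that searches Name OR Email as the thread proposes, and two registration paths, one that only checks email (reproducing the overwrite) and one that checks both fields first. All names, the table layout and the sample accounts are constructed for the example.

```python
"""Registration guard in front of an add-or-update user API.

Added example, not SimianGrid code. The upsert semantics of
add_or_update_user and the multi-field find_user search are assumptions
modelled on the thread, not the project's actual API.
"""
import uuid
from typing import Dict, Optional

# Constructed in-memory "user table", keyed by avatar name, standing in
# for the grid's user store. Records carry the UUID the grid keys on.
USERS: Dict[str, dict] = {}


def add_or_update_user(name: str, email: str, user_id: str) -> dict:
    """Assumed backend behaviour: an existing record with the same name
    is overwritten (UUID included) rather than rejected."""
    record = {"Name": name, "Email": email, "UserID": user_id}
    USERS[name] = record
    return record


def find_user(name: Optional[str] = None,
              email: Optional[str] = None) -> Optional[dict]:
    """Hypothetical multi-field search: first record whose Name OR Email
    matches, the kind of query the thread suggests adding."""
    for record in USERS.values():
        if (name is not None and record["Name"] == name) or \
           (email is not None and record["Email"] == email):
            return record
    return None


def register_unchecked(name: str, email: str) -> dict:
    """Front end that checks only the email, as the report describes:
    a colliding avatar name silently replaces the existing account."""
    if find_user(email=email) is not None:
        raise ValueError("email already registered")
    return add_or_update_user(name, email, str(uuid.uuid4()))


def register_checked(name: str, email: str) -> dict:
    """Front end that checks both Name and Email before the upsert."""
    if find_user(name=name, email=email) is not None:
        raise ValueError("name or email already registered")
    return add_or_update_user(name, email, str(uuid.uuid4()))


def demo() -> tuple:
    """Exercise both paths on a fresh table.
    Returns (unchecked_path_overwrote_uuid, checked_path_refused)."""
    USERS.clear()
    original_id = register_unchecked("Test Resident",
                                     "alice@example.invalid")["UserID"]
    # Same avatar name, different email: the email-only check passes and
    # the upsert replaces the first account's record and UUID.
    register_unchecked("Test Resident", "second@example.invalid")
    overwrote = USERS["Test Resident"]["UserID"] != original_id

    USERS.clear()
    register_checked("Test Resident", "alice@example.invalid")
    try:
        register_checked("Test Resident", "second@example.invalid")
        refused = False
    except ValueError:
        refused = True
    return overwrote, refused


if __name__ == "__main__":
    print(demo())  # (True, True)
```

One caveat the check-then-act pattern carries: the lookup and the upsert are two separate requests, so two registrations for the same name arriving at the same time can both pass the check and the later one still wins. A front-end check closes the bug reported here, but a uniqueness constraint on the stored name (and email) in the backend is what actually makes the overwrite impossible.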

GoogleCodeExporter commented 9 years ago

Original comment by jonaf...@gmail.com on 12 Sep 2010 at 4:25