Custom avatars on forum

yep, I found it too! like this a lot more!

1 Like

Well that's not an easter egg, you just took the whole bunny… :joy:

3 Likes

By the way, that was not the bunny I expected people to be looking for.

What folks here are describing is actually not even an easter egg at all. It sounds more like an Easter Bug.

I wanted to do a little checking on my side before commenting, because I was unaware of this issue.

I guess with a community like this, it's important to be careful what I wish for, because you folks certainly are full of surprises! (And here I thought one of you would notice that if you logged in with GitHub, it pulls your image… anticlimactic, I know…) I should have expected this group would take this challenge to a new level :joy:

Anyway, I just wanted to respond here and let you know that you're legitimately onto something.

Our own wonderful @pac is going to make a report to Discourse. Thank you to everyone who has done legwork on this!

3 Likes

Well, I guess I was right - there was something incredibly obvious that I missed, at least I was not the only one. We went straight to trying to hack the site.

3 Likes

I didn't want to connect with GitHub and change my avatar there :smiley: I tried Gravatar instead and changed my email address. If default settings were active, it would have directly pulled my Gravatar avatar, but that wasn't the case…
But I guess it was a good challenge jocelyn gave us :smiley: Revealed the most talented hackers among us and a bug in discourse.

2 Likes

Tried this, didn't work for me though. But then I also have contributed to GitHub and can't select that title either. So that may be something specific to me.

But as I mentioned previously, I had my doubts that what we found was actually what you were referring to. To be honest, while it is a bug, it's probably not much of a security concern. It is a little worrying to see how they test whether something is allowed or not.

In short, they assume you set the parameter in an API call correctly and don't lie about it (or even omit it). And then they only check whether the value you set should be blocked. So by simply changing or omitting it, you can do something you're not supposed to. While I liked the challenge, you really don't have to be a pro hacker to find this. (And I am far from this.)
But I should repeat though, this is not a critical point for security. The most vulnerable part of the chain we actually used supported features for. I won't go further than this as @Pac is reporting this bug to Discourse and it's only fair to give them time to fix it. With vulnerabilities it's common practice to give at least 90 days. So for those curious to know more: ask again in 3 months.

3 Likes

So long story short, how do I change my avatar now?

I managed to revert it to the ugly "T" you are seeing right now and my original picture is gone…

I could have sworn I had seen the custom avatar option when I checked yesterday, but it looks like you can use Gravatar now. Maybe @jocelyn is still playing with the settings. But yeah, Gravatar or GitHub should work. Or you know… try to find the bug yourself :wink:

1 Like

This sucks, now I'm stuck with this lame "T" :frowning:

Well it's still unique :smiley:
You can always sign up on gravatar though.

1 Like

That's exactly what I did… I didn't even look at what Gravatar was… just signed up solely so I could change my avatar on here…

1 Like

It's basically just for this, except multiple websites can use the avatar you set there. The idea behind it is that you only have to pick an avatar once and all sites will use the same one. It used to be more widely adopted, but I haven't seen it being used much recently.

As always, @BrightSilence summed it up very nicely here :+1:.

Despite this being a pretty low security issue, I still reported it privately for now by following their guidelines, as it allows users to perform an unauthorized operation on the Discourse API.
This way theyā€™ll have time to assess the issue and investigate its consequences, possible other impacts and find a proper fix for it at their own pace.

I may post updates here in the following weeks depending on their feedback.

2 Likes

So, I had the correct idea, just got bored with it too soon to figure it out completely.

2 Likes

For anyone interested, now that both the Discourse team and the Storj team are OK for me to disclose what was the bug about, here are a few details as a follow up:

The Discourse team took the report seriously even though it was a pretty minor security breach (furthermore during the holiday season), so we discussed how to reproduce the issue and what the core of the problem was during the last couple of weeks, and they committed a fix for this on the public repository a few days ago:

Basically, the idea was that:

  • When uploading a picture (for your profile background for instance), the Discourse API returns the unique ID it attributed to the picture you just sent.
  • The API offers a way to choose your avatar, via the /u/<username>/preferences/avatar/pick endpoint.
  • You are supposed to pass to this call: the picture ID (from the upload result above) and a parameter indicating what type of resource you're trying to pick as an avatar (uploaded, custom, gravatar), but it wasn't properly validating this type.
  • Passing an invalid type (or omitting it altogether) was bypassing the security check and made it possible to select an uploaded profile background (for instance) even though it was not supposed to be selectable as an avatar, especially when the forum was configured not to allow any upload of custom avatars.

And… that's the story :slight_smile:

The master branch of the Discourse project has now been patched and this will be shipped in the next release.

3 Likes
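The pattern described in the two posts above (a check that only asks "should this value be blocked?" instead of "is this value one of the allowed ones?", and the resulting bypass by omitting or mangling the type parameter) is easy to see in a few lines of code. The following is an added illustration written for this thread, not Discourse's own code or the actual patch: the class, setting and upload-record shapes are hypothetical, and the sample uploads are constructed. It contrasts a deny-list check with an allow-list check that also validates the upload itself (owner and kind), which is what would stop both the profile-background trick and the "pass someone else's picture ID" idea raised later in the thread.

```ruby
# Hypothetical reconstruction of the avatar-pick check pattern discussed in the
# thread. Not Discourse's code; names, settings and records are assumptions.

# Assumed forum setting: whether users may upload their own avatar.
SiteSettings = Struct.new(:allow_uploaded_avatars)

class AvatarPicker
  # The only type values the endpoint is documented (in the thread) to accept.
  VALID_TYPES = %w[uploaded custom gravatar].freeze

  # uploads: upload_id => { owner: username, kind: :avatar | :profile_background }
  def initialize(settings, uploads)
    @settings = settings
    @uploads  = uploads
  end

  # Deny-list style: only asks whether the supplied type must be blocked.
  # A nil, empty or unknown type never matches the blocked case, so the
  # request falls through to "ok" and any upload ID is accepted as an avatar.
  def pick_vulnerable(_user, upload_id, type)
    if type == "uploaded" && !@settings.allow_uploaded_avatars
      return [:forbidden, "uploaded avatars are disabled"]
    end
    [:ok, upload_id]
  end

  # Allow-list style: reject anything that is not an explicitly known type,
  # then validate the referenced upload regardless of what the client claimed.
  def pick_hardened(user, upload_id, type)
    return [:bad_request, "invalid type"] unless VALID_TYPES.include?(type)

    case type
    when "gravatar"
      [:ok, :gravatar]                      # no upload involved
    else                                    # "uploaded" and "custom" both refer to a user upload here (assumption)
      return [:forbidden, "uploaded avatars are disabled"] unless @settings.allow_uploaded_avatars
      upload = @uploads[upload_id]
      return [:not_found, "no such upload"] unless upload
      return [:forbidden, "not your upload"] unless upload[:owner] == user
      return [:forbidden, "upload is not an avatar"] unless upload[:kind] == :avatar
      [:ok, upload_id]
    end
  end
end

# Constructed sample data: uploads are disabled site-wide, alice owns a profile
# background (101), bob owns a real avatar upload (102).
SAMPLE_SETTINGS = SiteSettings.new(false)
SAMPLE_UPLOADS  = {
  101 => { owner: "alice", kind: :profile_background },
  102 => { owner: "bob",   kind: :avatar },
}.freeze

# Runs the same requests through both checks and returns the outcomes.
def demo
  picker = AvatarPicker.new(SAMPLE_SETTINGS, SAMPLE_UPLOADS)
  {
    # alice picks her own profile background as an avatar with no type at all
    vuln_omitted:   picker.pick_vulnerable("alice", 101, nil),
    # ... or with a made-up type: the deny-list check never fires
    vuln_bogus:     picker.pick_vulnerable("alice", 101, "bogus"),
    # the only request the vulnerable check actually blocks
    vuln_honest:    picker.pick_vulnerable("alice", 101, "uploaded"),
    # alice grabs bob's upload ID; the vulnerable check does not care who owns it
    vuln_other:     picker.pick_vulnerable("alice", 102, nil),
    hard_omitted:   picker.pick_hardened("alice", 101, nil),
    hard_bogus:     picker.pick_hardened("alice", 101, "bogus"),
    hard_honest:    picker.pick_hardened("alice", 101, "uploaded"),
    hard_other:     picker.pick_hardened("alice", 102, "custom"),
    hard_gravatar:  picker.pick_hardened("alice", nil, "gravatar"),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, result| puts "#{name}: #{result.inspect}" }
end
```

The point of `pick_hardened` is that the type parameter is treated as untrusted input from start to finish: first it must be one of a fixed set, and then the server re-derives what it needs to know (is this an upload, whose is it, what kind is it) from its own records rather than from what the client said. Rate limiting, as one reply notes, would make guessing IDs slower, but only the ownership check makes it pointless.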

I still find it quite funny that we both found this same method. :slight_smile:
Just by poking a little bit. Makes you wonder…

Good to see they picked it up so fast though!

1 Like

@BrightSilence Agreed :smiley:

What I find even more surprising is that there was a security breach exactly on the feature @jocelyn teased us with :wink:
What were the odds…

Finding security issues in general must be quite hard I think, but when you know where to look… that's different :stuck_out_tongue:

1 Like

Funny story… thanks BS for the redirect. So, I'm not a programmer, and this might sound silly, but…

If you pass someone else's picture ID, can you get his avatar onto your profile? Like in a brute-force try, until you strike the right one.

Second… Choosing a custom avatar should be enabled for everyone. Would make it much easier to spot who replies. Names can be difficult to remember.

It was disabled to prevent people from impersonating Storj staff I believe. I don't disagree with you, but in the crypto space you have to be careful with these things. Lots of people trying to scam.

I don't know if you could get someone else's profile pic. Almost certainly not anymore, because the bug was fixed. So I'm sure additional checks are in place now.

1 Like

At the time when the bug was still here, I believe so, yes. In theory.
But the thing is it would have required you to spam the server with hundreds of HTTP requests until you find the one you want, which usually would have banned your IP pretty quickly (standard anti-DDoS protection measures that are configured by any decent hosting service).

Agreed, and I believe it got enabled at some point. But I see it's not anymore: some people may have abused this feature… :confused: