01 March 2010

Faking it on someone's tumblr blog

Push it baby, push it real good

tumblr is a blogging service that is well known for its ease of use: basically you can send posts to your personal (and secret) tumblr mail address and they will appear on your blog. Cool. My COREblog has a similar "moblog" feature, but I have to give some specially formatted information to make the post work - and to make it authenticate, I have to include a password (which is sent in cleartext, no real security there). This morning my friend saad and I wondered about the security of tumblr's offering: given that someone got hold of your posting address, how good are they at weeding out faked posts?

The answer: Don't let anybody know your blog's secret tumblr email-address. Being geeks and security minded, we wanted to try this out. Saad gave me his secret address and told me the address he usually posts from. Not information you find randomly on the web. But information you could spot from 2 minutes of access to a cow-orkers computer during lunch break.

Saad had said that:

according to what I've read, they use some header combination in your email to "try to tell" that [it] is you

so I was expecting not to get away too easily with this. What I tried first was to go through my mails and find an old message from saad. I copied the headers found to a text file. I then munged them along, changing dates and times of the "Received" header lines, cutting them off at a point where one could (in theory, assuming theories ran in funny mail circles) assume that a mail from his provider was routed through my server to tumblr's mail server.

I prepared the complete message, minus the "envelope from" header, in the text file. Then I opened a telnet connection to port 25 (smtp) on my own server and manually sent the message to the secret posting address.

My first attempt failed miserably. Turns out that I had made a very stupid mistake... during copy-and-pasting, no less. The copied headers had extra spaces at the end of lines, which generated an extra line break in there, resulting in non-functioning headers. tumblr didn't post that, but didn't give saad a notice of a failed post attempt either.

I gave it a second try, cleaning up things. Still no luck, but still no notice to saad either. So I went and gave it another try, just a wild shot. I simply sent a mail from my normal mail client (mutt), from one of my normal mail addresses, to the blog mail address. Nothing happened... at first. A couple of hours later though, saad informed me that I had managed to post to his blog.

Long conclusion: Maybe I had done something really wrong (hey, I don't fake mail headers all day long) or probably all the advanced header checking in tumblr indeed does work... but in the end is futile, since any valid message to the proper address will get through anyway.

Funny enough, since saad's blog is set up to post to twitter and facebook too, I generated my first ever tweet and my first ever facebook message, along with the memorable post to saad's tumblr blog. In the meantime saad has of course removed the post in question, since it wasn't written by him.

Posted by betabug at 14:24 | Comments (1) | Trackbacks (0)
Re: Faking it on someone's tumblr blog

It seems to be soo funny :P

Posted by: r0sk at March 01,2010 19:35
