This site was archived on 24 April 2012. No new content can be posted. The mailing list remains online and the site will stay in this archived state for the forseeable future. If you find any technical errors on the site, please contact Callum.



CouchSurfing password security vulnerability

Warning: If you get a username / password pop up on CouchSurfing.org, click cancel, do not enter your username and password except on the CouchSurfing login page.

As of right now, I’m seeing this CSS file included on all CouchSurfing.org pages. That file links to this image. That image returns a 401 authorisation denied error. That in turn causes the browser to request a username and password, the realm is given as “CS”. If a user enters their CouchSurfing username and password, that data will be submitted to functionalfreelance.com.

This is a serious security issues as many users are likely to enter their passwords without realising what’s going on.

As far as I can tell from a scan of the whois data and dns records, there is no connection between couchsurfing.org and functionalfreelance.com. It seems likely to me that this is a hack of some sort, either deliberate or accidental. I hope accidental. Either way, this is a significant issue and needs immediate resolution by CS Inc. I have notified Casey Fenton, Jim Stone and Chris Burley directly of this issue.

3 Responses to “CouchSurfing password security vulnerability”


Comments are currently closed.