Insecure handling of notes in Slashcode

From: jesus lovejones (
Date: 09/08/01

Date: Sat,  8 Sep 2001 01:06:32 -0400
Message-Id: <>
From: "jesus lovejones" <>
To: <>
Subject: Insecure handling of notes in Slashcode

Security Advisory - September 9, 2001's Slashcode

The implementation of private notes on's Slashcode-driven site is insecure. Any logged in user can view any message in the system.

After logging into the site as a user, (where m_id= a given message's ID) will display the message, even if you weren't the user that the message was sent to. says "Automatic Media takes the matter of our users' privacy very seriously." Some of the user data exposed through this bug would argue otherwise.
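The authorization gap described above, as an added example that is not Slashcode's own code: a note lookup keyed on m_id alone beside one that also requires the logged-in user to be a party to the message. The notes table and its columns are assumptions standing in for whatever schema the site actually uses.

```python
import sqlite3


def build_db():
    # Constructed in-memory stand-in for the notes table; table and column
    # names are assumptions, not Slashcode's real schema.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE notes (m_id INTEGER PRIMARY KEY, from_uid INTEGER, "
        "to_uid INTEGER, body TEXT)"
    )
    db.executemany(
        "INSERT INTO notes VALUES (?, ?, ?, ?)",
        [
            (1, 10, 20, "note for user 20"),
            (2, 30, 40, "note for user 40"),
        ],
    )
    return db


def get_note_insecure(db, m_id):
    # Mirrors the reported behaviour: the row is selected by m_id only, so any
    # authenticated user who supplies a valid ID receives someone else's note.
    row = db.execute("SELECT body FROM notes WHERE m_id = ?", (m_id,)).fetchone()
    return row[0] if row else None


def get_note_secure(db, m_id, current_uid):
    # Scopes the query to the authenticated user: the requester must be the
    # recipient (or the sender) of that exact message. "Not yours" and
    # "does not exist" both return None, so the response does not reveal
    # whether a guessed m_id is in use.
    row = db.execute(
        "SELECT body FROM notes WHERE m_id = ? AND (to_uid = ? OR from_uid = ?)",
        (m_id, current_uid, current_uid),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    print(get_note_insecure(db, 2))      # user 20 reads user 40's note
    print(get_note_secure(db, 2, 20))    # None: not a party to message 2
    print(get_note_secure(db, 2, 40))    # the recipient still sees it
```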

Versions Affected:
Beats me. I searched Slashcode's bug tracker and didn't find any related entries; I don't know what version of Slashcode's running and I don't know if notes is a feature of Slashcode or something they rolled in after the fact, so I can't say how endemic this bug is.

I e-mailed and last Friday evening with this information, recommending that they purge the notes database and add a disclaimer on the messaging pages, and still haven't heard back from them.
