Security questions in concrete login and other problems

Currently only as user. I’m posting videos on open.tube peertube instance.
I have not been able to login into two of my accounts for nearly one week.
Also I have had attacks like this one:
https://www.croatiafidelis.hr/foss/cap/cap-210216-open-tube/
At the time of this post there is only this video there:
https://www.croatiafidelis.hr/foss/cap/cap-210216-open-tube/Screen_210216_1700_gdO_s019-PART.webm
and it can be verified with:
https://www.croatiafidelis.hr/foss/cap/cap-210216-open-tube/Screen_210216_1700_gdO_s019-PART.webm.sum
and
https://www.croatiafidelis.hr/foss/cap/cap-210216-open-tube/Screen_210216_1700_gdO_s019-PART.webm.sum.asc
(my key is at:
https://www.croatiafidelis.hr/FCF13245ED247DCE443855B7EA9884884FBAF0AE.asc)
I record the network when I go online, and the screen, and I studied both these attacks and my attempts to login.
But I can’t really show those (yet), because either I would need to reveal my password or all the PCAPs will be mostly only binary crap with no HTTP conversation to see.
But I can tell that code was somehow injected when the attacks would happen like in the video. And this is the line that was injected:
<script>top.location.href="https://open.tube/videos/watch/d01e6156-81be-428e-b195-185d898908ac";</script>
in the head of HTML of the page that should have been opened.
Regarding the password, I see in the network dumps that I typed the correct password. But I always get a message saying that credentials were not correct.
I tried resetting the password, and open.tube tells me it sent me the email, but I never get that email. Could be censorship.
I will try and inform the admin about it (forgot to do it before, remembered only now).
This forum is one of the suggested ways to communicate about security issues mentioned in official docs…
What to do?
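As an added example (not from the post or the PeerTube project): a small Python check a defender could run over a saved HTML response to flag the kind of injected head redirect quoted in the post. The injected line is the one quoted above; the surrounding HTML and the requested URL are constructed.

```python
"""Flag inline <head> scripts that rewrite the top-level location to a different page."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A script body that assigns the top frame's location (top/window/self/parent.location[.href] = "...").
REDIRECT_RE = re.compile(
    r"""(?:top|window|self|parent)\s*\.\s*location(?:\s*\.\s*href)?\s*=\s*['"]([^'"]+)['"]""",
    re.IGNORECASE,
)


class HeadScriptCollector(HTMLParser):
    """Collects the text of inline <script> elements that sit inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "script" and self.in_head:
            self.in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False
        elif tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data  # script text arrives via handle_data


def find_head_redirects(html, requested_url):
    """Return redirect targets found in <head> scripts that differ from requested_url."""
    parser = HeadScriptCollector()
    parser.feed(html)
    wanted = urlparse(requested_url)
    findings = []
    for body in parser.scripts:
        for target in REDIRECT_RE.findall(body):
            t = urlparse(target)
            if (t.scheme, t.hostname, t.path) != (wanted.scheme, wanted.hostname, wanted.path):
                findings.append(target)
    return findings


# Constructed sample: only the injected <script> line is taken from the post.
SAMPLE_HTML = """<html><head><title>PeerTube</title>
<script>top.location.href="https://open.tube/videos/watch/d01e6156-81be-428e-b195-185d898908ac";</script>
</head><body><script>console.log("body script, not a redirect");</script></body></html>"""
REQUESTED_URL = "https://open.tube/videos/watch/CONSTRUCTED-ORIGINAL-ID"  # placeholder, not a real id
```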

No, the forum is for Q&A. The security policy uses another, more private disclosure channel: Security Policy · Chocobozzz/PeerTube · GitHub

Hello,

open.tube seems out of date (1.4). Please contact the admin so they upgrade.

Thanks, Master! I will, I mean, hear this: I could open an account with a TLSv1-only email [*] that I have with the Croatian local near-monopoly-holding internet provider last night, so I’ll try that way. Will give the admin this topic link too.
It may take me a while to get the free time to do it.

[*] it only works if I keep:

ssl_version = tlsv1

in:

.getmail/config/miroslavrovis1\@zghthr

(I don’t mind posting it, I hold it as a junk mail account. I’m the only Miroslav Rovis in Croatia (which is some 3.8 million people), but they gave me the 1 after my surname… Molesters!)

You are right.
However, this is the document I meant:
PeerTube/SECURITY.md at develop · Chocobozzz/PeerTube · GitHub
And the word forum is not there anymore (or I misremember).
But I think it was suggested in the previous, maybe more than one year old version of the SECURITY.md (or I misremember). Apologies. Forget it, pls.

I’ll try and find time to contact you --if my mail passes possible censorship-- need more time to do it.

In the meantime, via the account I suggested in the previous post above, I contacted the admin of https://open.tube and informed him of my plight, and also gave him a link to here.

Thanks!

I sent email to your official email addresses, separately to @Chocobozzz, encrypted, and separately to you @rigelk (your PGP key EA12971B0E438F36 has been expired for one year, Mutt can’t encrypt to it).
I sent them yesterday, not long after I said I would.
I did not get any replies from any of you two. Can you tell me, did you receive my emails?

Also, I can see this topic is sandboxed. It does not appear in:
PeerTube - Framacolibri
It can’t be searched, nor found, indeed.
Why? I reported this issue here not for any dishonest reasons, but to ask for help on the issues I have and indeed to help with my report. This is open source, and the ways are such.

hi @miroR,

Thanks for notifying me, this key must be changed indeed. I received your mail btw.

Security reports need to be addressed before being made public, to minimize chances of bad actors exploiting a potential vulnerability when no patch exists. Again, this is explained in Security Policy · Chocobozzz/PeerTube · GitHub.

I answered yesterday:

Hello,
I’m sorry but I don’t understand what you are trying to say to me.
I don’t need your password.
And I don’t understand your issue. If there’s still a problem on open.tube, then try with another up to date instance.

Ah, so that is the reason. All is fine then. If it makes any sense for you, since it’s the old version 1.4, i.e. unsupported, I will continue to prepare the network traces and everything, so you can see exactly what happened. I really have it documented.
Great that these emails of mine get to you and @Chocobozzz.

I am sorry. My mistake. maildrop is configured with my mail such that anything with the string ‹ @framasoft.org › in the email address (and yours is) goes into a separate folder.
I have just found your email.
Really thanks for your patience.

I will see if things have changed with open.tube next. (I don’t work fast…)

18 hours ago I finished sending all the materials to you @Chocobozzz .
All the mails I sent used citation of previous mails, so you can’t not know if any is missing from the eight (8) e-mails in a row with all the traces, TLS keys and compressed casts.
Can you pls. confirm you received them? (I didn’t get any replies to any of those, just checked.)

Why don’t you use https://tools.ietf.org/html/rfc3461 and continue the conversation by mail?

In some of the eight emails I sent, especially in the last email, I asked questions of @Chocobozzz.
I got no reply yet, and I am in doubt as to even his reception of the emails.
I have nothing in my inbox from any of you two (just checked), and it’s 24 hours past.

Again, I do not understand why you sent these emails. I don’t have time to debug this outdated instance. Please try on an up-to-date instance.

I understand. Sorry it took me a while.
But it’s probably that not only I can’t recover my videos from open.tube, but probably (or at least potentially) other users too.
And, being potentially harmful for Peertube project, I think somebody must be able to contact the open.tube administrator to fix his instance.
I have thought a lot and I am now trying to make it news on good peertube instances, see:
https://video-cave.de/videos/watch/96964495-446c-450c-aa52-efedceab90a2


And pls., if I were apt, I’d do it, but my skills are lacking: anybody thinking of some method to let users know if an instance is out of date or by other means broken, or even pwned like open.tube is?
Some database that takes care to list peertube instances, help that is available to any would-be account holder for any Peertube instance?

The current problem is that there are still videos being posted on open.tube by unknowing users.

Thanks!

The video-cave.de link (it will probably not be unblocked there) I can’t delete from the previous link, as I appear to not be able to edit that post for some reason.
But the video is on:
https://video.dresden.network/videos/watch/109b1c12-5548-4222-b61c-fd0bef3b911d

and maybe also on diode.zone.

My last try before I abandon hope for open.tube recovery is at open.tube itself. I posted the same video as on these other linked instances, just the title is different, and I wrote in the hope that the admin will read that: