Gravatars Are Gone
-
Sorry everyone, but @aaronstuder discovered a vulnerability in the Gravatar plugin for NodeBB (our platform here) and we had to disable it. People had had their private emails exposed via the plugin. So we had to abandon that plugin. We are now using the local avatar functionality. I know that this is a pain but it does have some security benefits.
Please take a moment to upload an avatar to your account and we will get everything back to normal. Sorry for the inconvenience.
But on a positive note, we got emojis back.
-
@scottalanmiller said in Gravatars Are Gone:
Sorry everyone, but @aaronstuder discovered a vulnerability in the Gravatar plugin for NodeBB (our platform here) and we had to disable it. People had had their private emails exposed via the plugin. So we had to abandon that plugin. We are now using the local avatar functionality. I know that this is a pain but it does have some security benefits.
Please take a moment to upload an avatar to your account and we will get everything back to normal. Sorry for the inconvenience.
But on a positive note, we got emojis back.
And that is why I can't do programming... I get frustrated with that... Fix one thing, break another... But that is evolution to a degree.
Thanks for figuring it out.
-
No problem, issues happen. Hopefully the damage isn't too bad.
-
The resulting outage was fast. Just a couple of minutes of downtime. We got everything to the very latest patches while doing it, which probably is what fixed the emojis. We were up to date, but they release updates that aren't announced at times and don't change the version number, which is problematic.
-
Nice catch @aaronstuder
-
I have my face back without uploading a new image
-
Nobody ever screws up. It's inhuman to ever make a mistake.
Just kidding, I don't care that much. Shit happens. I think we're all smart enough to do multi factor authentication with email among other layers sooo we're good.
-
Where is the vulnerability at? Is it in the NodeBB plugin or in Gravatar?
-
@dafyre said in Gravatars Are Gone:
Where is the vulnerability at? Is it in the NodeBB plugin or in Gravatar?
The plugin.
-
@scottalanmiller said in Gravatars Are Gone:
@dafyre said in Gravatars Are Gone:
Where is the vulnerability at? Is it in the NodeBB plugin or in Gravatar?
The plugin.
Cool. I'm assuming it has been reported?
-
@dafyre said in Gravatars Are Gone:
@scottalanmiller said in Gravatars Are Gone:
@dafyre said in Gravatars Are Gone:
Where is the vulnerability at? Is it in the NodeBB plugin or in Gravatar?
The plugin.
Cool. I'm assuming it has been reported?
Yes, and there was a PR issued within minutes and the plugin got pulled within a few hours. But we were already off of Gravatar and it has caused so many issues (and complaints) that now that we made the leap off of it AND that we have CloudFlare, the value to keeping Gravatar seems low. So we are not going back down that path.
-
@scottalanmiller said in Gravatars Are Gone:
@dafyre said in Gravatars Are Gone:
@scottalanmiller said in Gravatars Are Gone:
@dafyre said in Gravatars Are Gone:
Where is the vulnerability at? Is it in the NodeBB plugin or in Gravatar?
The plugin.
Cool. I'm assuming it has been reported?
Yes, and there was a PR issued within minutes and the plugin got pulled within a few hours. But we were already off of Gravatar and it has caused so many issues (and complaints) that now that we made the leap off of it AND that we have CloudFlare, the value to keeping Gravatar seems low. So we are not going back down that path.
Out of curiosity... How does Cloudflare help with that? Does it cache the images, etc?
-
@dafyre said in Gravatars Are Gone:
Out of curiosity... How does Cloudflare help with that? Does it cache the images, etc?
Yes, it acts as a content delivery network for the static content out in front of the "real" server and it caches globally so people get the image content from local servers with low latency and high bandwidth instead of pulling it all from the single site in New York. So it lowers the load on the server while providing a better experience for the end users. Gravatar does the same kind of thing, it is a content delivery network, but CF does it better and more easily and is a bigger scale so it all works out well.
-
I've noticed a marked improvement this morning. I was AFK over the weekend and didn't get to fumble around as much as usual.
-
@dafyre said in Gravatars Are Gone:
I've noticed a marked improvement this morning. I was AFK over the weekend and didn't get to fumble around as much as usual.
The CF cache has warmed up which is helping.
-
test
-