Model Mayhem security flaw reveals hidden forums for all to see

In their continuing struggle with authentication bugs, Model Mayhem reached a new low about an hour ago, revealing the contents of hidden forums for all to see. Not just all members, mind you, but the world. This latest bug allows logged-out viewers to see hidden and confidential content that is not visible to logged-in viewers. Since this content is publicly viewable, I have no doubt Google and Bing are hard at work indexing it as I write this. Last October, I made this suggestion to members of one of the hidden forums: “I suggest that everyone posting in this forum assume the information is public even though it’s in a limited view area.” Well, it appears not everyone heeded my advice, as moderators have since started very inflammatory threads in the mod forum. Now it has come back to bite them in the ass. Here’s a screen cap of what anyone can see on Model Mayhem without logging in.

Not only that, the brig list now has a handy little tool allowing anyone to get a summary of any member’s briggings, and the lock log now shows the moderators who locked each thread. I shudder to think what will show up next.

  • Just had a look myself. Pretty funny. They blocked access to threads though, apparently.

  • The smartass

    Tell the truth Pat: how many pages did you screen-cap?

    • patyuen

      Why would I need to screen cap anything? Google and Bing do a great job. It was viewable to anyone and everyone.

  • Mod Comment

    I am a moderator and I have to say that I’m not very happy that this happened and that the first thing said was that someone tried to exploit the site. This is so very typical of the management to just ignore problems and figure that it was an attack. If I didn’t want to keep my free VIP, I would quit.

    • patyuen

      I have no idea if you really are a moderator, but I’ll respond as if you are telling the truth. No idiot would exploit a site so everyone in the world could see it. It defeats the purpose, as it will be caught very quickly. (Well, in theory quickly. It actually took Model Mayhem half a day.)

      I suspect it was a code push or someone doing some tweaking to the authentication code.

      As for your VIP, calculate the time you spend doing Model Mayhem chores and multiply it by minimum wage. Internet Brands is a publicly traded company making millions in revenue.

  • @Danielle, SOME stuff was accessible, like all the so-called “hidden” threads.
    Remember a few months ago when they did a code push & accidentally made an unknown number of random members “mods” for several hours before anyone noticed? This is just a variation of the same.

    Sadly it looks like they’re planning to blame “outsiders,” i.e. ME, for this breakdown on their part. If it WAS an “outsider” they couldn’t have pulled the site down & fixed it in under 15 minutes. That was obviously a code rollback.

  • So MM do their coding every Thursday and it’s just coincidence that there was not a coding error, but rather a “someone” trying to compromise their security!

    Mmmmhmmm.

  • Wow. So now they’re admitting the security issue was their fault, but not crediting me or Pat for bringing it to their attention:
    http://www.modelmayhem.com/po.php?thread_id=572503&page=1#post12527399

    And FAR worse, they’ve destabilized the forums AND the PM system with the rollback.

    PMs aren’t opening correctly, aren’t sending, and are just whacked… they’re a MAJOR method of communication for a lot of members.
    Meanwhile the forums are blinking on & off regarding the order of threads, the last posts, etc.

    Ugh.

    • So they took the whole site down to fix the bugs they made with the code rollback & are now on Facebook still blaming “hackers,” saying they rolled no code, and making veiled references to people (me & Pat) “exploiting” their security.
      http://www.facebook.com/pages/Model-Mayhem/245691915584?v=feed&story_fbid=108963162456710
      and
      http://www.modelmayhem.com/po.php?thread_id=572503
      In fact Brian just posted that they’re “trying to discover” who “tampered” with MM, and is now posting about “some members” doing more than “just looking” in their open door… again, that’d be me & Pat.

      Meanwhile AVs are still randomly blinking to censored & there’re various other site problems occurring… but that has NOTHING to do with it.

  • I love having to come here to Pat’s site just to find out what’s happening on MM.

    -MisterC

  • Don’t be such a pussy, pat. I thought you were beyond things like this, I guess I was wrong. You’re a fucking little shit eater like SLE who can’t get his nose out of Ambler’s ass. But I guess people should expect things like this from someone like you and SLE. If you don’t like it there, fucking leave. No one cares about you being there but you. PUSSY

    • patyuen

      I find your comment amusing. Therefore, it will stay.

    • Says the coward who posts anonymously LOL

    • Aaaahahahaha.

      Dear Pat’s Mama,

      You seem to not know your son at all. You are a bad parent.

      Regards,

      Laura.

  • Jessica

    So, say I were to want to read the posts in the mod forum… who here was quick enough to save them? 😀

  • Curious

    Does anyone know if Google or Bing actually indexed the fuck up? How would you search for something like that?