Fixed Users can be tricked into marking content read without actually reading it

Kirby

Affected version
2.1.7
Description
Post the URL to an unread thread as [img] and view the content containing this BBCode

Expected Result
The attacked thread is not marked read as the user never really read it

Actual Result
XF accepts the request issued by the browser and marks the thread read

Suggested Mitigation
Prevent GET requests initiated by images from marking content read, maybe also do not change online location in this case
 
We have resolved this in 2.2. This approach was taken because it's a fairly complicated fix and the consequences of a false positive match essentially means that all threads (and some other bits) become unviewable.

The only real way to detect this is through heuristics based on the Accept header. Each browser has a distinct set of data that they pass through for this, and its contents differ in various scenarios. Hence, a false positive certainly is possible, though it's not something we've run into yet.
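The heuristic described above, worked through as an added example (this is not XenForo's code, and it makes no claim about how 2.2 actually implements the fix): an Accept header is split into media ranges with their q-values, a request that asks for text/html or application/xhtml+xml is treated as a real page view, and a request that only asks for image types is treated as an image fetch that must not mark the thread read. Where a browser also sends the Fetch Metadata header Sec-Fetch-Dest, that value is used first because it names the request's destination directly. The sample headers are constructed for the demonstration, and an absent or fully generic Accept header is deliberately treated as a real view, matching the reply's point that a false positive would make threads unviewable.

```python
"""Distinguish <img>-initiated GETs from real page views, as a mark-read guard.

Added example, not XenForo's implementation. Decision order:
  1. Sec-Fetch-Dest, when present, is authoritative ("image" => image fetch).
  2. Otherwise inspect Accept: html/xhtml with q > 0 => page view;
     only image/* types with q > 0 => image fetch.
  3. Missing or purely generic Accept => treat as a page view (fail open for
     the mark-read feature, since a wrong "image" verdict hides content).
"""
from typing import Dict


def parse_accept(accept: str) -> Dict[str, float]:
    """Parse an Accept header into {media_range: q}; a missing q means 1.0."""
    ranges: Dict[str, float] = {}
    for part in accept.split(","):
        part = part.strip()
        if not part:
            continue
        pieces = [p.strip() for p in part.split(";")]
        media = pieces[0].lower()
        q = 1.0
        for param in pieces[1:]:
            if param.lower().startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0  # malformed q: do not count this range
        ranges[media] = q
    return ranges


def is_image_fetch(headers: Dict[str, str]) -> bool:
    """Return True when the request looks like it was issued for an <img>."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    dest = h.get("sec-fetch-dest")
    if dest is not None:
        return dest.strip().lower() == "image"

    accept = h.get("accept")
    if not accept:
        return False  # ambiguous: count it as a real view

    ranges = parse_accept(accept)
    wants_html = any(
        ranges.get(t, 0.0) > 0 for t in ("text/html", "application/xhtml+xml")
    )
    if wants_html:
        return False  # browsers send html types for navigations, never for <img>
    return any(m.startswith("image/") and q > 0 for m, q in ranges.items())


def should_mark_read(headers: Dict[str, str]) -> bool:
    """Only a request that does not look like an image fetch may mark content read."""
    return not is_image_fetch(headers)


# Constructed sample request headers (not captured from any real browser session).
SAMPLE_REQUESTS = {
    "img_tag_accept_only": {
        "Accept": "image/avif,image/webp,image/apng,image/*,*/*;q=0.8",
    },
    "navigation_accept_only": {
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,"
                  "image/avif,image/webp,*/*;q=0.8",
    },
    "img_tag_fetch_metadata": {
        "Sec-Fetch-Dest": "image",
        "Accept": "image/avif,image/webp,*/*;q=0.8",
    },
    "navigation_fetch_metadata": {
        "Sec-Fetch-Dest": "document",
        "Accept": "text/html,*/*;q=0.8",
    },
    "generic_accept": {"Accept": "*/*"},
    "no_accept": {},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_REQUESTS.items():
        print(f"{name:28s} mark_read={should_mark_read(hdrs)}")
```

Because the Accept heuristic fails open, a browser that sends an unusual Accept header can at worst mark a thread read when it should not; it can never make a thread unviewable, which is the trade-off the reply above describes.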