diff --git a/OldNews.md b/OldNews.md
index 2f5cef7..462e389 100644
--- a/OldNews.md
+++ b/OldNews.md
@@ -4,6 +4,26 @@ See also [new News](News).
## Archived News Items
+### 2007-08-21 -- security flaw
+
+Nathan Wilcox has discovered that the new web API in allmydata-tahoe
+version 0.5 is vulnerable to XSRF attack. An XSRF -- or "Cross-Site
+Reference Forgery" attack -- is one in which an attacker creates an
+innocuous-looking hyperlink, and if a user clicks on that hyperlink
+then it causes deletion or theft of the user's data. We are working
+on a fix for this problem, and in the meantime if you have stored any
+private or precious data on a tahoe grid, then you can make sure that
+you are not exposed to this threat by shutting down your tahoe node
+before browsing the web.
+
+You can read more about the attack and our fix in the mailing list archves:
+
+
+
+and in this bug tracker ticket:
+
+
+
### 2007-08-17 -- Allmydata Tahoe v0.5 is released.
[release announcement and discussion](http://lists.zooko.com/pipermail/p2p-hackers/2007-August/001209.html)
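Review bot: The two references in the added 2007-08-21 item are empty. "You can read more about the attack and our fix in the mailing list archves:" and "and in this bug tracker ticket:" are each followed only by blank lines, so a reader of the advisory has no pointer to the discussion or the fix. Add the archive URL and the ticket link, or drop both sentences until the links exist. In the same line, "archves" should be "archives". The text also describes the attack as requiring a click on a hyperlink, while the mitigation (shut the node down before browsing the web at all) is broader. Since a forged request can be issued by a page the user merely loads, consider rewording the description so it matches the advice. Finally, the item names the affected version (0.5) but not a fixed one, so it is worth updating with the fixed release once the fix ships.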