From eb2303f08c23c22ded6b1290abd86b0e4f4d8235 Mon Sep 17 00:00:00 2001 From: zooko <> Date: Fri, 24 Aug 2007 16:42:34 +0000 Subject: [PATCH] [Imported from Trac: page OldNews, version 7] --- OldNews.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/OldNews.md b/OldNews.md index 2f5cef7..462e389 100644 --- a/OldNews.md +++ b/OldNews.md @@ -4,6 +4,26 @@ See also [new News](News). ## Archived News Items +### 2007-08-21 -- security flaw + +Nathan Wilcox has discovered that the new web API in allmydata-tahoe +version 0.5 is vulnerable to XSRF attack. An XSRF -- or "Cross-Site +Reference Forgery" attack -- is one in which an attacker creates an +innocuous-looking hyperlink, and if a user clicks on that hyperlink +then it causes deletion or theft of the user's data. We are working +on a fix for this problem, and in the meantime if you have stored any +private or precious data on a tahoe grid, then you can make sure that +you are not exposed to this threat by shutting down your tahoe node +before browsing the web. + +You can read more about the attack and our fix in the mailing list archves: + + + +and in this bug tracker ticket: + + + ### 2007-08-17 -- Allmydata Tahoe v0.5 is released. [release announcement and discussion](http://lists.zooko.com/pipermail/p2p-hackers/2007-August/001209.html)
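Review bot: In the added 2007-08-21 item, the two pointers "You can read more about the attack and our fix in the mailing list archves:" and "and in this bug tracker ticket:" are each followed only by blank lines, so a reader of the advisory has no link to either the mailing list thread or the ticket. Add the URLs after each sentence (or drop the sentences until the targets exist), and correct "archves" to "archives". The entry also names the affected release (0.5) and a workaround, while saying only that a fix is being worked on; when the fixed version is known, this item should state it so users know when shutting down the node before browsing is no longer necessary.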