[Imported from Trac: page OldNews, version 7]

OldNews.md

@@ -4,6 +4,26 @@ See also [new News](News).
 
 ## Archived News Items
 
+### 2007-08-21 -- security flaw
+
+Nathan Wilcox has discovered that the new web API in allmydata-tahoe
+version 0.5 is vulnerable to XSRF attack.  An XSRF -- or "Cross-Site
+Reference Forgery" attack -- is one in which an attacker creates an 
+innocuous-looking hyperlink, and if a user clicks on that hyperlink 
+then it causes deletion or theft of the user's data.  We are working 
+on a fix for this problem, and in the meantime if you have stored any 
+private or precious data on a tahoe grid, then you can make sure that 
+you are not exposed to this threat by shutting down your tahoe node
+before browsing the web. 
+
+You can read more about the attack and our fix in the mailing list archves:
+
+<http://allmydata.org/pipermail/tahoe-dev/>
+
+and in this bug tracker ticket:
+
+<http://allmydata.org/trac/tahoe/ticket/98>
+
 ### 2007-08-17 -- Allmydata Tahoe v0.5 is released.
 
 [release announcement and discussion](http://lists.zooko.com/pipermail/p2p-hackers/2007-August/001209.html)