Typepad security flaw – should I change blogging platform?

Keith Bohanna is as far from a rant blogger as you’ll find, so when he lashes out at a company for ignoring a security flaw in one of its products for a year, particularly when that product is the blogging platform you use yourself, you sit up and take notice –

"In May 2007 I noticed that despite the password protection on my personal blog the photographs that were contained within it were not protected – for some reason they must have been held in a separate and unsecured folder within the Typepad system."

I’ve been using a private Typepad blog as a family album too and never realized this. So I too am deeply dissatisfied that a year after Keith submitted his bug ticket "a change to correct this security issue has not been included in the significant changes to the Typepad platform which are currently being rolled out."

Not good enough, Six Apart, not good enough.

One Response to “Typepad security flaw – should I change blogging platform?”

  1. Anil Says:

    I responded in more depth on Keith’s site, in his comments (see: http://bohanna.typepad.com/pureplay/2008/07/typepad-securit.html?cid=121440520#comment-121440520 ) but there are a few issues worth noting here:
    * Keith (and you) can have *exactly* the security over his photos that he desires with TypePad right now. Uploading the photos directly to the password protected blog and then including them in a post will restrict their access to only people who have the correct password.
    * The only way a user can access photos on his private blog without the password is if they have access to the exact web address (URL) at which those photos appear. This is true of other sites which store photos similarly, such as Flickr and Smugmug, and is exceedingly unlikely to be guessable by a random stranger.
    * There is NO SECURITY FLAW with regard to account information, billing data, private information such as passwords, or other sensitive data. The photo upload feature, admittedly, does not work as Keith would prefer (and we’re open to fixing it to meet his expectations), but it does not present a security flaw as most people understand the term.
    Most importantly, we hear that this issue matters to you and to Keith, and the fundamental platform changes we’re making to TypePad will make it easier in the future to consider the kinds of improvements you’re suggesting. I personally apologize that the current default settings aren’t what you’d prefer, and I hope you’ll be satisfied with the fact that there’s a way to get the behavior you prefer until such time as we’re able to make it more automatic.
    Please don’t hesitate to get in touch if there’s more we can do to meet your expectations.
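To make the gap described in the post and in Anil's reply concrete, here is an added toy example (not Typepad's code, and not Keith's or Anil's): a request router where the post page checks the blog password but the photo folder does not, next to the same router with the photos inheriting the post's protection, plus a small audit helper that lists which asset paths an anonymous visitor can fetch. The path prefixes, cookie name and password are constructed for the example.

```python
# Added example, not Typepad's code. Models a password-protected blog whose
# embedded photos sit at a separate, unauthenticated path, then the fixed form.
from dataclasses import dataclass, field

POST_PASSWORD = "family-only"   # constructed sample value


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)


def _authorized(req: Request) -> bool:
    """Visitor has entered the blog password (kept in a cookie for this toy;
    a real site would check a server-side session instead)."""
    return req.cookies.get("blog_pw") == POST_PASSWORD


def serve_vulnerable(req: Request) -> int:
    """Post pages require the password; files under /photos/ do not.
    Anyone holding the exact photo URL gets a 200 without the password."""
    if req.path.startswith("/post/"):
        return 200 if _authorized(req) else 401
    if req.path.startswith("/photos/"):   # asset folder: no check at all
        return 200
    return 404


def serve_fixed(req: Request) -> int:
    """Same router, but the photo folder is behind the same check as the posts,
    so a leaked or guessed URL is no longer enough on its own."""
    if req.path.startswith("/post/") or req.path.startswith("/photos/"):
        return 200 if _authorized(req) else 401
    return 404


def unprotected_assets(serve, asset_paths):
    """Audit helper: which of these paths does the router hand to a visitor
    with no cookie at all? Empty list means every asset is gated."""
    return [p for p in asset_paths if serve(Request(p)) == 200]
```

Running the audit helper against both routers shows the photo path leaking only in the vulnerable one, which is the check a blog owner would want before relying on "unguessable URL" as protection.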
