Boxee

usvideo.org DNS allows me to see other people's Friends' Feeds, Repositories, and Watch Later List!!!!

Details

  • Type: Bug
  • Status: Closed
  • Priority: Critical
  • Resolution: Fixed
  • Affects Version/s: None
  • Fix Version/s: Fiona Unscheduled
  • Component/s: Server
  • Labels:
  • Boxee Build Number:
    1.0.3.17064
  • Operating System:
    Boxee Box
  • Number of attachments:
    0
  • Description:
    I am using the usvideo.org DNS service, which allows me to watch US-only services like Vudu, by simply plugging the following (Primary DNS 184.106.242.193 - Secondary DNS 67.23.7.56) into my router after signing up with my email.
    After rebooting the router I was able to use Vudu and some other services. When I browse my friends' feeds I see other people that I don't know. I also see someone else's watch later list. I think this is a security issue which needs someone to look into it.

    Best wishes

Activity

rafael added a comment - 06/Feb/11 5:08 AM
You are saying "When I browse my friends' feeds I see other people that I don't know."
Do you see them in Boxee Box or at the Boxee website?
Are you sure they are not your Facebook or Twitter or Google Buzz friends?
Hameed added a comment - 06/Feb/11 5:13 AM
I see the unknown feeds on the Boxee Box only, whereas on boxee.tv website I see only the correct friends.
I am 100% sure I don't have those people anywhere in my Facebook or other social networks.
Hameed added a comment - 06/Feb/11 6:47 AM
You can simulate this simply by signing up for a one-week trial on the usvideo.org website and following the instructions.
Akonni added a comment - 08/Feb/11 8:10 AM
Same issue here.
Benoit Vincent added a comment - 08/Feb/11 2:06 PM
Same here !!! Really sad ...
Ryan Gillespie added a comment - 09/Feb/11 12:16 AM - edited
usvideo.org is hardly a DNS-only service. They redirect the source IP or use cookie injection to spoof geo-tagging. I would suggest checking out their site. What we are primarily seeing is another Boxee user's customized settings (Favorite Apps, Show, Friends, Watch Later feed, App Repository, but not Recently Watched). How does the Boxee Box implement user authentication? Through cookies? This seems like a bit of a security issue as it would only take a bit of Facebook friend feed triangulation to determine who I'm currently signed in as. Perhaps we can make a game of it?

I have also noticed that early Boxee Beta Channel feeds have reappeared like Hulu, Fox, ABCFamily, BBC (which I missed), SyFy, etc. Most shows within these feeds remain inaccessible (i.e. Hulu).

I might stick with my trusty VPN as usvideo.org seems a bit dodgy and I wouldn't trust using a credit card (Vudu) while using this service.

Signing out of Boxee and back in again resolves the issue but rebooting seems to replicate the problem every time.

Hameed added a comment - 09/Feb/11 1:06 AM
I totally agree with you that VPN is way more secure. However, Boxee needs to have better security.
Akonni added a comment - 09/Feb/11 8:20 AM
This for sure is a security issue with the Boxee. It shouldn't matter whether a cookie has been injected or not, or that we are all using the same IP. Maybe Boxee is caching the info based on source IP. We still shouldn't be able to see other people's info. This is only an issue with the Boxee and no other service. Imagine being able to see other people's bank info using this method. Not sure how this is fixed?
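
The hypothesis raised in the comment above (per-user data cached by source IP while many users share one egress address), shown as an added example that is not part of the original thread and not Boxee's code. The class names, token format and sample data are assumptions, and the ticket does not confirm this as the root cause.

```python
# Added illustration; all names are hypothetical, not Boxee's server code.
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed sample key
FEEDS = {"alice": ["alice-friend-1"], "bob": ["bob-friend-1"]}  # constructed data


def sign(user):
    """Issue a session token 'user.mac' bound to the user name."""
    mac = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"


def verify(token):
    """Return the user name if the token's MAC is valid, else None."""
    user, _, mac = token.partition(".")
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(mac, expected) else None


class IpKeyedCache:
    """Weak: caches the feed under the client's source IP."""
    def __init__(self):
        self.cache = {}

    def friends_feed(self, source_ip, token):
        if source_ip not in self.cache:
            self.cache[source_ip] = FEEDS[verify(token)]
        return self.cache[source_ip]  # whoever asked first wins


class UserKeyedCache:
    """Corrected: verifies the session on every request, keys on the user."""
    def __init__(self):
        self.cache = {}

    def friends_feed(self, source_ip, token):
        user = verify(token)
        if user is None:
            raise PermissionError("invalid session")
        if user not in self.cache:
            self.cache[user] = FEEDS[user]
        return self.cache[user]


def demo(server):
    """Two users arrive through the same proxy egress IP (constructed)."""
    proxy_ip = "203.0.113.10"
    return (server.friends_feed(proxy_ip, sign("alice")),
            server.friends_feed(proxy_ip, sign("bob")))
```

With `IpKeyedCache`, the second user behind the shared address receives the first user's feed; with `UserKeyedCache`, each user gets only their own regardless of source IP.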
Ami Ben-David added a comment - 09/Feb/11 8:27 AM
Hameed, this issue should be fixed now. I cannot see other feeds / queue videos from other users now.
Please verify this and keep us updated.
Hameed added a comment - 09/Feb/11 8:38 AM
It seems fixed now, I am able to see my friends' feeds only. Excellent,
thank you.
Akonni added a comment - 09/Feb/11 8:54 AM
Awesome, I can confirm that it works as well. It has been a huge inconvenience not being able to see my watch later list, thank you!
Ami Ben-David added a comment - 09/Feb/11 9:23 AM
closed,
verified.

People

  • Assignee:
    Unassigned
    Reporter:
    Hameed
  • Votes:
    2
    Watchers:
    4

Dates

  • Created:
    04/Feb/11 10:04 AM
    Updated:
    Wednesday 9:23 AM
    Resolved:
    Wednesday 6:10 AM