Basic Summary

We have had a security problem in our OAuth implementation reported to us privately and have taken steps to address it. The security problem affects all versions of GNU MediaGoblin since 0.5.0. I have created a patch for this and released a minor version 0.8.1 (see the release notes page). It’s strongly advised that everyone upgrade as soon as they can.

To exploit the security issue, an attacker must have had access to a logged-in session for your GNU MediaGoblin account. If you have kept your username and password secret, have logged in only over HTTPS, and have not left yourself logged in on publicly accessible computers, you should be safe. However, all users are still advised to take the precautions below.

Users should check their authorized clients and deauthorize any client that looks unfamiliar. To check this:

1. Log in to the GNU MediaGoblin instance.
2. Click the drop-down arrow in the upper right.
3. Click "Change account settings".
4. At the bottom, click the "Deauthorize applications" link.

If you are unsure about any of the applications listed, click "Deauthorize".

I would like to thank Dylan Jeffers (author of Goblinoid) for finding and reporting this to us in a responsible manner so that we were able to patch this.