Originally posted by me_clever
Well done!
This user could have done something more nefarious, or could have made content look like it was from DEF CON in a kind of phishing campaign on forums to draw in gullible users.
Only penalties from me?
I changed the username and user description to not use HTML and removed the abusive code asking browsers to load an image using htauth from another server. I have copies of all of these elsewhere, and an original copy of the post which can be restored as needed.
My comment to this demonstration: I would not classify it as an attack, since it looks more like a "look at what I can do" curiosity more than "I'm going to steal user data" -- thanks for this fun! (We appreciate showing us what is possible without harming users.)
Obviously, this could be abused, as your demonstration pointed out, but it can also be used to allow users to link to images and have them load inline on the forums.
Better security would come from never loading user-submitted images in-line if not from defcon.org, only allowing links, so people can see the link they are visiting before they visit it.
Better use has been inline images from off-site.
Thanks again! I hope spammers don't get around to abusing this before we decide how to deal with future exploits.
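The mitigation sketched in this reply (escape markup in profile fields, and only render an image inline when it comes from defcon.org, otherwise show a visible link) as an added example in Python. This is illustrative code, not the forum software's own; the allowed host list, the image-suffix rule, and the sample inputs are assumptions, and the inputs are constructed to resemble the kind of injection the thread describes.

```python
"""Render user-submitted forum text so off-site images never load inline."""
import html
import re
from urllib.parse import urlsplit

# Assumption: only these hosts may have their images rendered inline.
ALLOWED_IMAGE_HOSTS = {"defcon.org", "www.defcon.org"}
# Assumption: inline rendering is further limited to obvious image paths.
IMAGE_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif", ".webp")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def may_inline(url: str) -> bool:
    """True only for an https image URL on an allowed host with no embedded credentials."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False
    # user:pass@host makes the browser present credentials, and a bare
    # "allowedhost@realhost" disguises where the request actually goes.
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_IMAGE_HOSTS:
        return False
    return parts.path.lower().endswith(IMAGE_SUFFIXES)


def render_url(url: str) -> str:
    """Inline <img> for allowed hosts; otherwise a link whose target the reader can see."""
    safe = html.escape(url, quote=True)
    if may_inline(url):
        return f'<img src="{safe}" alt="">'
    return f'<a href="{safe}" rel="nofollow noopener">{safe}</a>'


def sanitize_field(text: str) -> str:
    """Username / profile description: plain text only, all markup escaped."""
    return html.escape(text, quote=True)


def sanitize_post(text: str) -> str:
    """Escape all user markup, then linkify bare URLs under the policy above.

    Tokenising on the raw text (rather than escaping first) keeps URL
    boundaries intact; any <img ...> the user typed is rendered as inert text.
    """
    out, pos = [], 0
    for m in URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=True))
        out.append(render_url(m.group(0)))
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs (assumed, not taken from the thread).
    samples = [
        '<img src="https://user:pw@attacker.example/auth.png">',
        "https://www.defcon.org/images/logo.png",
        "Hi <b>all</b>, see https://www.defcon.org@attacker.example/x.png",
    ]
    for s in samples:
        print(sanitize_post(s))
```

The credential check matters beyond the auth-prompt trick: `https://www.defcon.org@attacker.example/x.png` parses with `www.defcon.org` as the username and `attacker.example` as the host, so a naive substring check for the allowed domain would inline it.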