'This site can't be reached' error when clicking on username on People page

Platform (Android, iOS, Website): Website

Browser, if a website issue (Firefox, Chrome, etc.): Chrome and Opera

  1. Be logged in; when I try these steps when logged out, the bug doesn’t occur
  2. Click Community → People
  3. Click on any hyperlinked username under either the leaderboards or curators sections
  4. The page takes 15-20 seconds to load, and then ends up with an error page and a strange string of text gets added to the URL (https://inaturalist.botanicgarden.cn:8888/people/thebeachcomber)

1 Like

The link is weird. I guess that’s the issue but I have no idea why it looks that way. There doesn’t seem to be such a website as https://inaturalist.botanicgarden.cn/

EDIT:
Oh, I’ve just realized you already noticed that…

it sort of looks like an individual owns the domain. it looks scammy to me. seems like it might be trying to impersonate a lot of different plant-related websites, or at best, it might be trying to mirror them. either way, might not be a great thing. not sure how it would have gotten incorporated into the iNat website.

1 Like

I’m not seeing that behavior now. The links now go to regular profile pages such as https://www.inaturalist.org/people/thebeachcomber

Is it possible this is some malware that got installed in your browser @thebeachcomber? Alternatively, if it was appearing for multiple people, was this somehow added to the iNat codebase?

1 Like

it was happening for multiple people. it’s not happening for me anymore, but i’d be interested to know if something was changed in the system to fix the problem.

2 Likes

Hi everyone, thanks for bringing this to our attention. We’ve released a fix for the People page and are continuing to investigate this issue. So far there’s no evidence of malicious behavior or data loss.

When the investigation is complete, we’ll make a more detailed post.

7 Likes

Hi everyone, thanks for bringing this to our attention. There are a couple of related problems here, but long story short, we’ve addressed them and you should only be seeing the URLs you expect on the people page now.

For those who want a longer explanation, the people who run botanicgarden.cn were running a proxy for iNaturalist. This means they set up their own server at their own URL that forwarded traffic to iNaturalist. The people page is heavily cached and some of the ways we generate URLs on that page relied on the URL the viewer was using, so when a viewer of inaturalist.botanicgarden.cn went to the people page, we cached the inaturalist.botanicgarden.cn URL for everyone, and that’s how some of you started seeing those URLs.

To be clear, we have no reason to believe the people at botanicgarden.cn were doing anything malicious. We have collaborated with them in the past and we have reached out to them to see if there’s a better way to achieve what they were trying to do. We also have no evidence that any sensitive information on iNat was compromised.

But, there was a security problem: if an outside party can manipulate URLs on iNat like that, it exposes all of us to attacks where iNat users could be tricked into leaving iNat for another site that looks like iNat and revealing sensitive info like passwords to an attacker. That was not happening in this case, but it revealed this vulnerability.

To that end,

  1. We have added additional safeguards to prevent this kind of proxy behavior.
  2. We have audited the way we generate URLs across the site and removed the mechanism that resulted in this problem.

Again, no iNat data was compromised to our knowledge, and we have fixed the problems this incident revealed. Thank you all for reporting this.

9 Likes
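The cache poisoning the staff post above describes (profile links built from the viewer's URL and then cached for every visitor) and its two fixes, modelled in plain Python as an added example; this is not iNaturalist's code. It assumes the viewer's URL reached the page builder as the request's Host header, and the hostnames in `ALLOWED_HOSTS` and `CANONICAL_HOST` and the sample usernames are constructed.

```python
# Assumption: the "URL the viewer was using" is the request's Host header.
CANONICAL_HOST = "www.inaturalist.org"  # configured, never taken from the request
ALLOWED_HOSTS = {"www.inaturalist.org", "inaturalist.org"}  # constructed allow-list
USERS = ["thebeachcomber", "another_user"]  # constructed leaderboard sample


def build_profile_links(base_host, users):
    """Absolute links to each user's profile page on base_host."""
    return [f"https://{base_host}/people/{u}" for u in users]


def people_page_vulnerable(request_host, cache):
    """The pattern that caused the incident: the cache key ignores the host,
    but the cached body depends on it. Whoever fills the cache first decides
    which hostname every later visitor sees in the links."""
    if "people" not in cache:
        cache["people"] = build_profile_links(request_host, USERS)
    return cache["people"]


def people_page_hardened(request_host, cache):
    """The two fixes from the post: reject unexpected hosts (blocks the proxy
    pattern) and build links from the configured canonical host."""
    host_only = request_host.split(":", 1)[0].lower()  # drop any :port
    if host_only not in ALLOWED_HOSTS:
        raise PermissionError(f"unexpected Host header: {request_host!r}")
    if "people" not in cache:
        cache["people"] = build_profile_links(CANONICAL_HOST, USERS)
    return cache["people"]


def demo():
    """Returns (poisoned links, whether the proxy host was blocked, clean links)."""
    shared_cache = {}
    # First visitor arrives through the third-party proxy, so Host is its name.
    people_page_vulnerable("inaturalist.botanicgarden.cn:8888", shared_cache)
    # Every later visitor on the real site now gets the proxy's links.
    poisoned = people_page_vulnerable("www.inaturalist.org", shared_cache)

    shared_cache = {}
    blocked = False
    try:
        people_page_hardened("inaturalist.botanicgarden.cn:8888", shared_cache)
    except PermissionError:
        blocked = True
    clean = people_page_hardened("www.inaturalist.org", shared_cache)
    return poisoned, blocked, clean


if __name__ == "__main__":
    for line in demo():
        print(line)
```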

ok. that makes sense. thanks for the explanation and for mitigating the vulnerabilities quickly. i suppose the thread can be closed at this point, right?

1 Like

This topic was automatically closed after 16 hours. New replies are no longer allowed.