Thread: <CRITICAL !!!> My friend got note from hacker about furaffinity security issues

  1. #1
    Ninja Charlie_Kitsune's Avatar
    Join Date: Jul 2008; Location: Poland; Species: Kitsune; Posts: 166

    Default <CRITICAL !!!> My friend got note from hacker about furaffinity security issues

    Charlie: Topic closed due to further investigation by admins.


    http://www.furaffinity.net/journal/459296/

    Everything is written here. A hacker group had taken control of the YoruZutto account, as a commission from someone. As far as I can tell, it was a directed attack, and I will only say that everything is written in the journal.
    Last edited by Charlie_Kitsune; 09-14-2008 at 12:03 AM.

  2. #2
    Now with leash and collar! Pirate Draken_The_Dragon's Avatar
    Join Date: Sep 2007; Location: Michigan; Species: Dragon; Posts: 148

    Exclamation Re: <CRITICAL !!!> My friend got note from hacker about furaffinity security issues

    The admins NEED to read that too. If there really is a break in the site, we're all gonna be screwed again after finally getting it back up.

    Why do people hate on furries so much when we're technically nicer than most people?
    Lost poet and dreamer...
    Grant me wings that I might fly
    My restless soul is longing
    No pain remains, no feeling
    Eternity awaits
    Music keeps my heart going..

  3. #3
    Tail first, THEN legs.... The 5,000 Club Stratadrake's Avatar
    Join Date: Aug 2007; Species: Duh; Posts: 5,628

    Default Re: <CRITICAL !!!> My friend got note from hacker about furaffinity security issues

    While claims made by hackers (even commissioned, white-hat hackers) are not always something one should take seriously, security vulnerabilities on the other hand should nevertheless always be taken seriously.

    Basically, the hackers claim that FA has vulnerabilities to certain SQL injection and remote code execution attacks. Big surprise? No. It was previously demonstrated that FA's bbCode could be used to launch XSS attacks. In all cases such attacks are made possible by not properly sanitizing/validating user-supplied data, and yak has mentioned that FA uses an equivalent of magic quotes when processing form data, which must cause no end of headaches.
    Track my pawprints, if you will....
    Stratadrake @FA, @dA, @FAC, @N

  4. #4
    Ninja Charlie_Kitsune's Avatar
    Join Date: Jul 2008; Location: Poland; Species: Kitsune; Posts: 166

    Default Re: <CRITICAL !!!> My friend got note from hacker about furaffinity security issues

    Quote, originally posted by Stratadrake:
    While claims made by hackers (even commissioned, white-hat hackers) are not always something one should take seriously, security vulnerabilities on the other hand should nevertheless always be taken seriously.

    Basically, the hackers claim that FA has vulnerabilities to certain SQL injection and remote code execution attacks. Big surprise? No. It was previously demonstrated that FA's bbCode could be used to launch XSS attacks. In all cases such attacks are made possible by not properly sanitizing/validating user-supplied data, and yak has mentioned that FA uses an equivalent of magic quotes when processing form data, which must cause no end of headaches.

    What about the password reminder system? It was added in the journal about it.

  5. #5
    Tail first, THEN legs.... The 5,000 Club Stratadrake's Avatar
    Join Date: Aug 2007; Species: Duh; Posts: 5,628

    Default Re: <CRITICAL !!!> My friend got note from hacker about furaffinity security issues

    Claiming that a flaw exists, versus a proof-of-concept that a site coder can use to identify and resolve the underlying security hole, are two different things. Of course, given that they are under no obligation to provide the latter in a public venue (such as an FA journal), I'd rather hear an analysis from somebody code-side (e.g., yak, Dragoneer, tsawolf).

    The hackers claim they had to initiate some "guesswork" to execute the exploits. That smells legit, because in order to do a successful injection attack one needs to know (or successfully guess) a few things about site or database schema.

    In the meantime, does FA perform absolutely no sanity testing on the supplied username or email address when retrieving a password?
    Last edited by Stratadrake; 09-13-2008 at 09:17 AM.
    Track my pawprints, if you will....
    Stratadrake @FA, @dA, @FAC, @N
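
Added example (not part of the thread, and not Fur Affinity's code): a password-reminder lookup in Python with sqlite3 that applies the sanity checks and bound parameters discussed in posts #3 and #5, and shows how magic-quotes-style blanket escaping corrupts data once queries are parameterized. The table layout, validation patterns and sample accounts are assumptions constructed for illustration.

```python
import re
import sqlite3

# Assumed allow-list patterns; a real site would use its own account rules.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.~-]{3,30}")
EMAIL_RE = re.compile(r"[^@\s'\"\\]+@[^@\s'\"\\]+\.[A-Za-z]{2,}")


def make_db():
    """In-memory database with constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT, display TEXT)")
    db.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return db


def magic_quotes(value):
    """Emulate blanket backslash-escaping of form data (magic-quotes style)."""
    return re.sub(r"(['\"\\])", r"\\\1", value)


def reminder_target(db, username, email):
    """Return the address a reminder may be mailed to, or None."""
    # Sanity-test both fields before they reach the database at all.
    if not USERNAME_RE.fullmatch(username) or not EMAIL_RE.fullmatch(email):
        return None
    # Bound parameters: input is passed as data and never parsed as SQL.
    row = db.execute(
        "SELECT email FROM users WHERE username = ? AND email = ?",
        (username, email),
    ).fetchone()
    return row[0] if row else None


def roundtrip(db, display, pre_escape):
    """Store a display name for 'bob' and read it back."""
    if pre_escape:
        display = magic_quotes(display)
    db.execute("UPDATE users SET display = ? WHERE username = 'bob'", (display,))
    return db.execute("SELECT display FROM users WHERE username = 'bob'").fetchone()[0]
```

With `pre_escape=True` the stored name gains a stray backslash, which is the kind of headache blanket escaping causes when it is layered on top of correct parameter binding.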

  6. #6
    Hey Digimon! Fur Affinity Staff
    The 5,000 Club
    Dragoneer's Avatar
    Join Date: Jul 2005; Location: Reston, VA; Species: Murasadramon; Posts: 8,614

    Default Re: <CRITICAL !!!> My friend got note from hacker about furaffinity security issues

    Quote, originally posted by Draken_The_Dragon:
    The admins NEED to read that too. If there really is a break in the site, we're all gonna be screwed again after finally getting it back up.

    Why do people hate on furries so much when we're technically nicer than most people?

    Yes, I have read it. And while I do always have concerns over security, this seems to be an isolated incident. While I won't discredit the potentials, I have to feel that if one person (and only one person) has been "hacked" in this manner in recent history it may be little more than a scare tactic.

    That doesn't mean I don't take it seriously. I forwarded the issue to the coders yesterday to investigate.
    Follow @furaffinity and @faunited, our official convention, on Twitter for updates and more!


  7. #7
    Ninja Charlie_Kitsune's Avatar
    Join Date: Jul 2008; Location: Poland; Species: Kitsune; Posts: 166

    Default Re: <CRITICAL !!!> My friend got note from hacker about furaffinity security issues

    OK, so this topic needs to be locked. Thank you, Dragoneer, for the quick response :3

  8. #8
    Well, I wanna control Pop Star Lone Wolf Link Wolf's Avatar
    Join Date: Sep 2008; Species: kangaroo; Posts: 18

    Default Re: <CRITICAL !!!> My friend got note from hacker about furaffinity security issues

    It seems this [Null] hacker has gotten another. I just noticed my friend Pan-Pan's account is devoid of all submissions, journals, and shouts, and the only clue left on the page is:

    "I assure you Miss pan-pan that you will have your account back once I've taken care of some unfinished business.

    [null]"

    http://www.furaffinity.net/user/pan-pan
