root (Author, May 15, 2016): Genuinely curious :-)
Vae (May 15, 2016): I don't use FA, so I wouldn't care.
PastryOfApathy (May 15, 2016): It depends if I could make anything funny come out of it.
Clove Darkwave (May 15, 2016): Tell the administration so they can fix it, so that artists like my spouse don't get fucked over for the sake of a laugh. Mod-Hat on: Naturally, guys, please don't post any actual exploits or intent to exploit or otherwise attack a website, etc. etc.
Strongbob (May 15, 2016): I would chuckle and then consider how I could use the exploit to be a jackass. Then I'd sit back and wonder how much of my life I'd wasted searching for such things. Then I'd have an existential crisis considering my place in the universe and why I was squandering the little time I had on this earth on such petty trivialities. Then I'd reevaluate my life and pledge to find new friends, a new job, some romance, eat better, exercise more, get some new hobbies, volunteer in my community, and live happily ever after. The end.
Sarcastic Coffeecup (May 15, 2016): Probably nothing, as I'm not a complete asshole.
root (Author, May 15, 2016): 2 hours ago, Clove Darkwave said: "Tell the administration so they can fix it, so that artists like my spouse don't get fucked over for the sake of a laugh." I thought the administration ignored stuff like that. You remember Eevee, don't you?
Clove Darkwave (May 15, 2016): 3 hours ago, root said: "I thought the administration ignored stuff like that. You remember Eevee, don't you?" I sure do, but it doesn't change that the responsible option is available. Not my problem after that. Hopefully.
Saxon (May 15, 2016): What is an exploit?
Augmented Husky (May 15, 2016): Replace the front page section of recent art submissions with one huge line of text in Impact font saying "STOP DOING THAT FURFAGS", and then proceed to eat popcorn as chaos ensues.
root (Author, May 15, 2016): 3 hours ago, Saxon said: "What is an exploit?" "An exploit (from the English verb to exploit, meaning 'using something to one's own advantage') is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service attack."
Guest (May 15, 2016): I'd report it. I and many other artists rely on FA for commissions, which we in turn rely on to feed ourselves.
TrishaCat (May 15, 2016): I would report it to Dragoneer and move on.
willow (May 15, 2016): Report it and hope they fix it, because while I don't really like FA and am extremely petty, I find it immature to take advantage of stuff like that just because you don't like the site or the people.
Endless/Nameless (May 15, 2016): Lash out and cease its existence.
ArielMT (May 16, 2016): I would probably have done what eevee did, had I not seen for myself how FA staff thanked him for it:

Try the "Responsible Disclosure" route and report the vulnerability privately to FA staff, with complete descriptions of why it's an exploit and how it can be exploited.
After it goes basically unacknowledged for a few weeks to months, try to follow up.
After it goes ignored for many, many months, concluding Responsible Disclosure to be an utter failure, try to get their attention by starting the "Full Disclosure" route, by posting it publicly, but without any details at all of how to exploit it.
Demonstrate the exploit in the most obvious yet trivially reversible manner possible.
Gawk in sheer disbelief as they struggle to reverse the impact and inflict actual damage to the site in their attempts.
Post a journal about why the demonstration was trivial and how it should've been reversed without damage, and again asking FA staff to fix it and offering to re-send the details to them privately.
Get banned permanently as a hacker who caused the aforementioned damage to the site and obviously just wants to watch FA tip over and not help.

No, my memory may be a bit fuzzy, but I'm not joking. What I'd do now, knowing that history, is either "Full Disclosure" or "No Disclosure," in both cases just watching with popcorn as it's exploited until FA admins get exhausted from banning everyone exploiting it and finally move Yak to fix it. (Since I'm lazy, it will probably be No Disclosure to FA, but it will never be Responsible Disclosure to FA.)

-----

Responsible Disclosure: Only the benevolent discoverer and vendor know; customers never know. Unless other, malicious actors discover it on their own as well. This can work, but only when vendors act responsibly as well.

Full Disclosure: Everyone knows. Vendors can fix, and customers are not left uninformed in their decisions if vendors won't or for some weird reason can't.

No Disclosure: No one knows, except benevolent actors who stay silent as the dead about their discoveries and malicious actors who exploit and/or sell their independently-obtained discoveries at will. Vendors and customers alike are both screwed.
LazerMaster5 (May 16, 2016): Considering how ineffective FA staff can be, there would be no point in reporting it. I could, however, use this exploit to troll lowlifes and make FA great again.
Spot (May 16, 2016): Probably nothing, unless I have something to gain from it. Even then, my conscience would probably get the better of me.
AyGee (May 17, 2016): On 5/16/2016 at 1:44 AM, ArielMT said: "I would probably have done what eevee did, had I not seen for myself how FA staff thanked him for it: [...]" ^ This exactly. If you didn't beat me to it, I would have posted something to the same effect. Though, in my case, I'd more likely remain silent on the issue unless it affected me directly, just knowing that reporting it would probably get me banned for hurting someone's fwagile wittle ego by insinuating that the site might not be perfect.
Calemeyr (May 17, 2016): If it were serious enough, I'd use it to have the site lose a good percentage of submissions on their servers and backups. Because fuck FA. Fandom would be a (slightly) better place without it. Unfortunately, I'm not a programmer, so FA lives on...
AyGee (May 17, 2016): Oh look, FA's down as of this post. I wonder... :V
GreenReaper (May 17, 2016): Interesting timing for this thread. Users reported their accounts and submissions went missing prior to the downtime.
Sidewalk Surfboard (May 17, 2016): I'd probably put a big "DRAGONEER FUCKS DOGS" line of text on the front page, but generally do nothing else.
willow (May 17, 2016): 23 minutes ago, GreenReaper said: "Interesting timing for this thread. Users reported their accounts and submissions went missing prior to the downtime." Interesting, yes, but for all you know it could have been someone on FA or some other site.
Calemeyr (May 17, 2016): I am Jesus. Nah, just a coincidence. I don't know how to code outside of Matlab, and even then I suck at parallelizing my code. I work with semiconductors. Still, you would think FA would take exploits seriously and try to correct them, not do what they've done before. Or who knows, maybe it was unintentionally self-inflicted by bad coding.
Vae (May 17, 2016): 12 minutes ago, Calemeyr said: "Still, you would think FA would take exploits seriously and try to correct them, not do what they've done before." (I was originally going to make an actual comment, but I think this is adequate.)
PheagleAdler (May 17, 2016): I would report it because there are people on the site I care about, not be an asshole and exploit it, hurting innocent users in the process.
Wax (May 17, 2016): 7 minutes ago, PheagleAdler said: "I would report it because there are people on the site I care about, not be an asshole and exploit it, hurting innocent users in the process." I think the stern-ass looking eagle in your sig really emphasises the point you make.
Guest (May 17, 2016): Speaking of the downtime, I see they're being transparent as usual... https://forums.furaffinity.net/threads/05-17-2016.1530505/
SirRob (May 17, 2016): 1 hour ago, Amiir said: "Speaking of the downtime, I see they're being transparent as usual... https://forums.furaffinity.net/threads/05-17-2016.1530505/" Dragoneer updated it with information about the downtime. Topically, an exploit was found and the source code was distributed at a convention. The site was attacked and data was deleted.
Endless/Nameless (May 17, 2016): Seriously.... Losing an entire six days' worth of data, including submissions, new accounts, and watches.... That's a pretty fucking big deal. People are gonna be pissed. The question is, were everyone's accounts affected? I wonder if I lost anything...
Käpt'n (May 17, 2016): 7 minutes ago, SirRob said: "Dragoneer updated it with information about the downtime. Topically, an exploit was found and the source code was distributed at a convention. The site was attacked and data was deleted." This is pretty huge. I mean, when the entire source code is out there, people are gonna find all sorts of wacky exploits. And all they can do is wait for an attack to happen to then stop it later. Also, their last backup is from the 11th? I expected a site with a big focus on community, where people sell their work, to have more regular backups, or maybe even a live backup. But six days' worth of lost data? On a site with that many daily submissions? That blows pretty badly. Anyway, I think this really shows how shaky FA really is. And many artists depend on that site to pay their bills by selling commissions there! That's just awful...
Endless/Nameless (May 17, 2016): 1 minute ago, Käpt'n said: "I expected a site with a big focus on community, where people sell their work, to have more regular backups, or maybe even a live backup." Mickey Mouse outfit.
Chrysocyon (May 17, 2016): Jeez, I noticed FA was down earlier, but I didn't expect that. I don't care much for the site any more, but I still cross-post to it for a larger audience. It really is more trouble than it's worth.
SirRob (May 17, 2016): 5 minutes ago, Käpt'n said: "This is pretty huge. I mean, when the entire source code is out there, people are gonna find all sorts of wacky exploits. [...] And many artists depend on that site to pay their bills by selling commissions there! That's just awful..." Considering how presumably the site had to be sold to IMVU to stay afloat, I'm not particularly surprised that there's some penny pinching going on. Which is understandable, considering it's a massive free site with no premium subscription features or donation incentives or anything like that.
ArielMT (May 17, 2016): Was anyone giving away USB drives at BLFC? https://forums.furaffinity.net/threads/5-17-site-attack.1530523/ Apparently, someone broke into FA through the ImageTragick vulnerability, stole the source code, and distributed it on USB drives. Then someone, probably someone else, found a separate vulnerability and used it to do stuff to the database.
Endless/Nameless (May 17, 2016): 7 minutes ago, SirRob said: "I'm not particularly surprised that there's some penny pinching going on." (This was sarcasm, but still.)
root (Author, May 17, 2016): Haven't read all of the comments yet, but I just want to state I was absolutely NOT involved in the recent attack. (I admit it's a funny coincidence, though.) If I had FA's source code, I'd probably just nitpick through it instead of doing something like this. I did find a tiny exploit on my own which probably could be used to DDoS the site if someone were clever enough, but I sat on it because I wasn't sure if I wanted to risk being banned/possibly reported. I do not condone the recent attack and I would never risk doing something this bad.
Crazy Lee (May 17, 2016): 7 minutes ago, ArielMT said: "Was anyone giving away USB drives at BLFC? https://forums.furaffinity.net/threads/5-17-site-attack.1530523/ Apparently, someone broke into FA through the ImageTragick vulnerability, stole the source code, and distributed it on USB drives. Then someone, probably someone else, found a separate vulnerability and used it to do stuff to the database." Read somewhere that someone saw those drives at BLFC, so likely yes.
GreenReaper (May 18, 2016): 1 hour ago, Crazy Lee said: "Read somewhere that someone saw those drives at BLFC, so likely yes." Several were handed in to lost and found.
GreenReaper (May 18, 2016): Check the timestamps. At the time, there was no particular reason to believe otherwise. I only saw that tweet half an hour ago. Moreover, root does claim to have an exploit, albeit apparently not the one used to cause this.
Endless/Nameless (May 18, 2016): 3 minutes ago, 6tails said: "The exploit used against FA is widely known. ImageMagick is a piece of shit project used for handling serving up images, used in like 95% of PHP-based forums. They didn't patch against an exploit that was publicly disclosed WEEKS ago." From 'Neer: "...obtained a copy of Fur Affinity's source code via the recent 'ImageTragick' exploit in the ImageMagick library (a common server-side image processing software). This exploit was patched earlier in this month, but not before a malicious user was able to download a copy of our source code..." Not sticking up for 'Neer; just stating the [supposed] facts.
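The posts above turn on whether the ImageTragick mitigation was applied in time. As an added example (not code from the thread or from Fur Affinity), here is a small audit script that checks an ImageMagick policy.xml for the coder restrictions the public ImageTragick mitigation advice recommended; the policy snippets and the file path are constructed for illustration.

```python
# Added example: audit an ImageMagick policy.xml for the ImageTragick
# mitigation. The public mitigation advice was to deny all rights to the
# EPHEMERAL, URL, HTTPS, HTTP, MVG and MSL coders in policy.xml so that a
# crafted image could not reach those code paths. Sample policies below are
# constructed for illustration; the path in audit_policy_file is an assumption.
import xml.etree.ElementTree as ET

# Coders the ImageTragick mitigation advice said to block with rights="none".
IMAGETRAGICK_CODERS = ("EPHEMERAL", "URL", "HTTPS", "HTTP", "MVG", "MSL")

# Constructed sample: a policy that only limits resources, as a stock
# policy.xml from before the advisory typically did.
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
</policymap>"""

# Constructed sample: the first round of advice (five coders), missing HTTP.
PARTIAL_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
</policymap>"""

# Constructed sample: all six coders denied, plus a read-only entry that
# must NOT count as a block because it still allows reading.
HARDENED_POLICY = PARTIAL_POLICY.replace(
    "</policymap>",
    '  <policy domain="coder" rights="none" pattern="HTTP"/>\n'
    '  <policy domain="coder" rights="read" pattern="PS"/>\n</policymap>')


def blocked_coders(policy_xml: str) -> set:
    """Return the coder patterns that policy_xml denies all rights to."""
    root = ET.fromstring(policy_xml)
    blocked = set()
    for pol in root.iter("policy"):
        if pol.get("domain") != "coder":
            continue
        rights = (pol.get("rights") or "").strip().lower()
        pattern = (pol.get("pattern") or "").strip().upper()
        # Only an explicit "none" disables the coder; "read" or "write"
        # alone leaves the other direction open.
        if rights == "none" and pattern:
            blocked.add(pattern)
    return blocked


def missing_mitigations(policy_xml: str) -> list:
    """List the ImageTragick-relevant coders that policy_xml leaves enabled."""
    blocked = blocked_coders(policy_xml)
    if "*" in blocked:  # a wildcard deny covers every coder
        return []
    return [c for c in IMAGETRAGICK_CODERS if c not in blocked]


def audit_policy_file(path: str = "/etc/ImageMagick-6/policy.xml") -> list:
    """Read a policy file from disk and report the coders still enabled."""
    with open(path, encoding="utf-8") as fh:
        return missing_mitigations(fh.read())


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("partial", PARTIAL_POLICY),
                         ("hardened", HARDENED_POLICY)):
        print(f"{name}: still enabled -> {missing_mitigations(policy) or 'none'}")
```

The default path is only a common Debian-style location; check where your ImageMagick build actually reads its policy (`convert -list policy` prints it) before trusting a clean result.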
GreenReaper (May 18, 2016): Could even have been used before then. All we can really say at this point is that it wasn't soon enough. In any case, I've updated the story on Flayrah to account for new information.
Endless/Nameless (May 18, 2016): 6 minutes ago, 6tails said: "Couldn't have been in any timely fashion, considering it was like one of the biggest fucking security news pieces when it broke." ^mfw
Crazy Lee (May 18, 2016): 8 minutes ago, 6tails said: "Couldn't have been in any timely fashion, considering it was like one of the biggest fucking security news pieces when it broke." You act as if FA actually cares about patching security holes in a timely manner.
Toshabi (May 18, 2016): I was gonna upload some pretty pictures of the con on FA, but alas, some dick hole exploited a bug that Dragoneer was too lazy to fix.
Clove Darkwave (May 18, 2016): 8 minutes ago, Toshabi said: "I was gonna upload some pretty pictures of the con on FA, but alas, some dick hole exploited a bug that Dragoneer was too lazy to fix." Totally want to see them when you do get them up somewhere.
root (Author, May 18, 2016): 1 hour ago, GreenReaper said: "In any case, I've updated the story on Flayrah to account for new information." Thanks. I'm willing to cooperate and tell Yak or one of the tech team the unrelated, simple, moderately important exploit I found if they're interested. I'm just not sure how to go about it yet.
ArielMT (May 18, 2016): Hey, folks. So the leaked code is floating out there, and the timing of this thread probably couldn't have been worse. So with that in mind, let's not be a platform for sharing or asking to get any ill-gotten software, OK?
AshleyAshes (May 18, 2016): Does anyone else think that using USB keys to distribute the source code at a furry con is really weird? It's really not an efficient method of distribution, and you risk being witnessed spreading them around. Meanwhile, you could dump the file on some no-name server hosted in the third world and within 24hrs there's a million copies. I'm just musing, but it's not unheard of for USB keys to be packed with intrusion packages and left in office parking lots or other places where people would go "Ooo, free USB key!" and ferry them into the office or into their home PCs and connect the infected media themselves. You have to admit that FA has just started one hell of a USB key Easter egg hunt, with people making sure they stick the keys into their computers to see if they contain source code or not. But USB keys just to distribute the source code is basically a TERRIBLE means of getting the source code out there compared to other options.