root

What would you do if you found an exploit on FA?

Tell the administration so they can fix it, so that artists like my spouse don't get fucked over for the sake of a laugh.

Mod-Hat on:

Naturally guys please don't post any actual exploits or intent to exploit or otherwise attack a website, etc. etc.

I would chuckle and then consider how I could use the exploit to be a jackass. Then I'd sit back and wonder how much of my life I'd wasted searching for such things.  Then I'd have an existential crisis considering my place in the universe and why I was squandering the little time I had on this earth on such petty trivialities.  Then I'd reevaluate my life and pledge to find new friends, a new job, some romance, eat better, exercise more, get some new hobbies, volunteer in my community, and live happily ever after.  The end.  

2 hours ago, Clove Darkwave said:

Tell the administration so they can fix it, so that artists like my spouse don't get fucked over for the sake of a laugh.

I thought the administration ignored stuff like that. You remember Eevee don't you?

3 hours ago, root said:

I thought the administration ignored stuff like that. You remember Eevee don't you?

I sure do, but it doesn't change that the responsible option is available. Not my problem after that. Hopefully.

Replace the front page section of recent art submissions with one huge line of text in Impact font saying "STOP DOING THAT FURFAGS"

And then proceed to eat popcorn as chaos ensues xD

3 hours ago, Saxon said:

What is an exploit?

"An exploit (from the English verb to exploit, meaning "using something to one’s own advantage") is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service attack."

Guest

I'd report it. I and many other artists rely on FA for commissions, which we in turn rely on to feed ourselves. 

Report it and hope they fix it, because while I don't really like FA and am extremely petty, I find it immature to take advantage of stuff like that just because you don't like the site or the people

I would probably have done what eevee did, had I not seen for myself how FA staff thanked him for it:

  1. Try the "Responsible Disclosure" route and report the vulnerability privately to FA staff, with complete descriptions of why it's an exploit and how it can be exploited.
  2. After it goes basically unacknowledged for a few weeks to months, try to follow up.
  3. After it goes ignored for many, many months, concluding Responsible Disclosure to be an utter failure, try to get their attention by starting the "Full Disclosure" route, by posting it publicly, but without any details at all of how to exploit it.
  4. Demonstrate the exploit in the most obvious yet trivially reversible manner possible.
  5. Gawk in sheer disbelief as they struggle to reverse the impact and inflict actual damage to the site in their attempts.
  6. Post a journal about why the demonstration was trivial and how it should've been reversed without damage, and again asking FA staff to fix it and offering to re-send the details to them privately.
  7. Get banned permanently as a hacker who caused the aforementioned damage to the site and obviously just wants to watch FA tip over and not help.

No, my memory may be a bit fuzzy, but I'm not joking.

What I'd do now, knowing that history, is either "Full Disclosure" or "No Disclosure," in both cases just watching with popcorn as it's exploited until FA admins get exhausted from banning everyone exploiting it and finally move Yak to fix it.  (Since I'm lazy, it will probably be No Disclosure to FA, but it will never be Responsible Disclosure to FA.)

-----

Responsible Disclosure: Only the benevolent discoverer and vendor know; customers never know.  Unless other, malicious actors discover it on their own as well.  This can work, but only when vendors act responsibly as well.

Full Disclosure: Everyone knows.  Vendors can fix, and customers are not left uninformed in their decisions if vendors won't or for some weird reason can't.

No Disclosure: No one knows, except benevolent actors who stay silent as the dead about their discoveries and malicious actors who exploit and/or sell their independently-obtained discoveries at will.  Vendors and customers alike are both screwed.

Considering how ineffective FA staff can be, there would be no point in reporting it. I could, however, use this exploit to troll lowlifes and make FA great again.

Probably nothing, unless I have something to gain from it. Even then, my conscience would probably get the better of me.

On 5/16/2016 at 1:44 AM, ArielMT said:

I would probably have done what eevee did, had I not seen for myself how FA staff thanked him for it:

  1. Try the "Responsible Disclosure" route and report the vulnerability privately to FA staff, with complete descriptions of why it's an exploit and how it can be exploited.
  2. After it goes basically unacknowledged for a few weeks to months, try to follow up.
  3. After it goes ignored for many, many months, concluding Responsible Disclosure to be an utter failure, try to get their attention by starting the "Full Disclosure" route, by posting it publicly, but without any details at all of how to exploit it.
  4. Demonstrate the exploit in the most obvious yet trivially reversible manner possible.
  5. Gawk in sheer disbelief as they struggle to reverse the impact and inflict actual damage to the site in their attempts.
  6. Post a journal about why the demonstration was trivial and how it should've been reversed without damage, and again asking FA staff to fix it and offering to re-send the details to them privately.
  7. Get banned permanently as a hacker who caused the aforementioned damage to the site and obviously just wants to watch FA tip over and not help.

^ This exactly.  If you didn't beat me to it, I would have posted something to the same effect.

Though, in my case, I'd more likely remain silent on the issue unless it affected me directly, just knowing that reporting it would probably get me banned for hurting someone's fwagile wittle ego by insinuating that the site might not be perfect. :P

If it were serious enough, I'd use it to have the site lose a good percentage of submissions on their servers and backups.

Because fuck FA. Fandom would be a (slightly) better place without it.

Unfortunately, I'm not a programmer, so FA lives on...

I am Jesus. Nah, just a coincidence. I don't know how to code outside of Matlab, and even then I suck at parallelizing my code.

I work with semiconductors. Still, you would think FA would take exploits seriously and try to correct them, not do what they've done before. Or who knows, maybe it was unintentionally self-inflicted by bad coding.

12 minutes ago, Calemeyr said:

Still, you would think FA would take exploits seriously and try to correct them, not do what they've done before.

[image]

(I was originally going to make an actual comment,
but I think this is adequate.)

7 minutes ago, PheagleAdler said:

I would report it because there's people on the site I care about, not be an asshole and exploit it, hurting innocent users in the process.

I think the stern-ass looking eagle in your sig really emphasises the point you make xD

1 hour ago, Amiir said:

Speaking of the downtime, I see they're being transparent as usual...

https://forums.furaffinity.net/threads/05-17-2016.1530505/

Dragoneer updated it with information about the downtime. Topically, an exploit was found and the source code was distributed at a convention. The site was attacked and data was deleted.


Seriously....

Losing an entire six days worth of data, including submissions, new accounts, and watches....

That's a pretty fucking big deal. People are gonna be pissed.

The question is, were everyone's accounts affected? I wonder if I lost anything...

7 minutes ago, SirRob said:

Dragoneer updated it with information about the downtime. Topically, an exploit was found and the source code was distributed at a convention. The site was attacked and data was deleted.

This is pretty huge. I mean, when the entire source code is out there people are gonna find all sorts of wacky exploits. And all they can do is wait for an attack to happen to then stop it later.

Also, their last backup is from the 11th? I expected a site with a big focus on community where people sell their work to have more regular backups, or maybe even a live backup. But six days worth of lost data? On a site with that many daily submissions? That blows pretty badly.

Anyway, I think this really shows how shaky FA really is. And many artists depend on that site to pay their bills by selling commissions there! That's just awful...

1 minute ago, Käpt'n said:

I expected a site with a big focus on community where people sell their work to have more regular backups, or maybe even a live backup.

mickey mouse outfit

Jeez, I noticed FA was down earlier but I didn't expect that.  I don't care much for the site any more, but I still cross post to it for a larger audience.  It really is more trouble than it's worth.

5 minutes ago, Käpt'n said:

This is pretty huge. I mean, when the entire source code is out there people are gonna find all sorts of wacky exploits. And all they can do is wait for an attack to happen to then stop it later.

Also, their last backup is from the 11th? I expected a site with a big focus on community where people sell their work to have more regular backups, or maybe even a live backup. But six days worth of lost data? On a site with that many daily submissions? That blows pretty badly.

Anyway, I think this really shows how shaky FA really is. And many artists depend on that site to pay their bills by selling commissions there! That's just awful...

Considering how presumably the site had to be sold to IMVU to stay afloat, I'm not particularly surprised that there's some penny pinching going on. Which is understandable, considering it's a massive free site with no premium subscription features or donation incentives or anything like that.

Was anyone giving away USB drives at BLFC?

https://forums.furaffinity.net/threads/5-17-site-attack.1530523/

Apparently, someone broke into FA through the ImageTragick vulnerability, stole the source code, and distributed it on USB drives.  Then someone, probably someone else, found a separate vulnerability and used it to do stuff to the database.

7 minutes ago, SirRob said:

I'm not particularly surprised that there's some penny pinching going on.

[image]

(this was sarcasm, but still)

Haven't read all of the comments yet, but I just want to state I was absolutely NOT involved in the recent attack. (I admit it's a funny coincidence though)

If I had FA's source code, I'd probably just nitpick through it instead of doing something like this. I did find a tiny exploit on my own which probably could be used to DDoS the site if someone were clever enough, but I sat on it because I wasn't sure if I wanted to risk being banned/possibly reported. I do not condone the recent attack and I would never risk doing something this bad.

7 minutes ago, ArielMT said:

Was anyone giving away USB drives at BLFC?

https://forums.furaffinity.net/threads/5-17-site-attack.1530523/

Apparently, someone broke into FA through the ImageTragick vulnerability, stole the source code, and distributed it on USB drives.  Then someone, probably someone else, found a separate vulnerability and used it to do stuff to the database.

Read somewhere that someone saw those drives at BLFC, so likely yes.

3 minutes ago, 6tails said:

The exploit used against FA is widely known. ImageMagick is a piece of shit project used for handling and serving up images, used in like 95% of PHP-based forums.

They didn't patch against an exploit that was publicly disclosed WEEKS ago.

From 'Neer: "...obtained a copy of Fur Affinity's source code via the recent “ImageTragick” exploit in the ImageMagick library (a common server-side image processing software). This exploit was patched earlier in this month, but not before a malicious user was able to download a copy of our source code..."

Not sticking up for 'Neer; just stating the [supposed] facts
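Added example for the ImageTragick point raised in the two posts above (ArielMT's link and the quote from 'Neer). This is not FA's code and not from any post in the thread. The public ImageTragick (CVE-2016-3714) advisory told operators to do two things while waiting for a patched ImageMagick: verify an upload's magic bytes before ImageMagick ever sees it (ImageMagick picks a decoder from content, not the file name, so a text file that begins "push graphic-context" is treated as MVG whatever it is called), and deny the risky coders in policy.xml. The raster allow-list, the policy-file parsing and every sample input below are this example's own assumptions; the authoritative view of what a host actually enforces is `identify -list policy`.

```python
"""Two ImageTragick-era upload checks (added example, not FurAffinity's code).

1. sniff_raster / safe_to_convert: allow-list the raster formats by magic
   bytes and require the claimed extension to agree, before ImageMagick runs.
2. missing_coder_bans: report which coders from the advisory's policy.xml
   mitigation a given policy file fails to deny.
"""
import xml.etree.ElementTree as ET

# Assumed allow-list: only these raster formats are ever handed to ImageMagick.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Coders named in the ImageTragick advisory's recommended policy.xml.
DANGEROUS_CODERS = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT"}


def sniff_raster(data: bytes):
    """Return the allow-listed format whose signature starts the data, else None."""
    for name, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return name
    return None


def safe_to_convert(data: bytes, claimed_ext: str) -> bool:
    """Accept an upload only if its bytes are an allow-listed raster format
    and that format matches the extension the uploader claimed."""
    fmt = sniff_raster(data)
    if fmt is None:
        return False
    ext = claimed_ext.lower().lstrip(".")
    if ext == "jpg":
        ext = "jpeg"
    return ext == fmt


def _coder_names(pattern: str) -> set:
    # policy.xml takes one coder ("MVG") or a brace list ("{TEXT,SHOW,WIN,PLT}").
    return {p.strip().upper() for p in pattern.strip("{}").split(",") if p.strip()}


def missing_coder_bans(policy_xml: str) -> set:
    """Return the advisory's coders that this policy.xml does not deny.

    Simplified model: a coder is denied when a domain="coder" rights="none"
    entry names it or uses pattern="*"; an entry with other rights re-enables
    it after a wildcard deny. ImageMagick itself lets the last matching policy
    win, so confirm on the real host with `identify -list policy`.
    """
    root = ET.fromstring(policy_xml)
    denied, allowed = set(), set()
    for pol in root.iter("policy"):
        if pol.get("domain") != "coder":
            continue
        names = _coder_names(pol.get("pattern", ""))
        if pol.get("rights") == "none":
            denied |= names
        else:
            allowed |= names
    if "*" in denied:
        return DANGEROUS_CODERS & allowed
    return DANGEROUS_CODERS - denied


# --- constructed sample inputs (not real FA uploads or configuration) ---
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR"
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF"
# A plain MVG text file renamed to .gif; the header alone is what gets it rejected.
SAMPLE_MVG_RENAMED = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"

WEAK_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
</policymap>"""

HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="{TEXT,SHOW,WIN,PLT}" />
</policymap>"""

# Deny every coder, then re-enable only the rasters the site actually serves.
ALLOWLIST_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="*" />
  <policy domain="coder" rights="read|write" pattern="{GIF,JPEG,PNG}" />
</policymap>"""

if __name__ == "__main__":
    for label, blob, ext in (("png", SAMPLE_PNG, "png"),
                             ("jpeg as .jpg", SAMPLE_JPEG, "jpg"),
                             ("mvg as .gif", SAMPLE_MVG_RENAMED, "gif")):
        print(f"{label}: {'accept' if safe_to_convert(blob, ext) else 'reject'}")
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY),
                          ("allowlist", ALLOWLIST_POLICY)):
        print(f"{label} policy missing: {sorted(missing_coder_bans(policy)) or 'nothing'}")
```

The magic-byte check is the cheap layer: it stops the renamed-text-file trick on its own, independent of ImageMagick's version. The policy check is the belt to that suspenders, and the deny-everything-then-allow-list form at the end is the shape most worth copying, since it does not depend on remembering every risky coder by name.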

6 minutes ago, 6tails said:

Couldn't have been in any timely fashion, considering it was like one of the biggest fucking security newspieces when it broke.

 

[image]

^mfw

8 minutes ago, 6tails said:

Couldn't have been in any timely fashion, considering it was like one of the biggest fucking security newspieces when it broke.

 

You act as if FA actually cares about patching security holes in a timely manner.


I was gonna upload some pretty pictures of the con on FA, but alas, some dick hole exploited a bug that Dragoneer was too lazy to fix. 

8 minutes ago, Toshabi said:

I was gonna upload some pretty pictures of the con on FA, but alas, some dick hole exploited a bug that Dragoneer was too lazy to fix. 

Totally want to see them when you do get them up somewhere.

1 hour ago, GreenReaper said:

In any case, I've updated the story on Flayrah to account for new information.

Thanks. I'm willing to cooperate and tell Yak or one of the tech team the unrelated, simple, moderately important exploit I found if they're interested. I'm just not sure how to go about it yet.

Hey, folks. So the leaked code is floating out there, and the timing of this thread probably couldn't have been worse. So with that in mind, let's not be a platform for sharing or asking to get any ill-gotten software, OK?

Does anyone else think that using USB keys to distribute the source code at a furry con is really weird?  It's really not an efficient method of distribution and you risk being witnessed spreading them around.  Meanwhile you could dump the file on some no-name server hosted in the third world and within 24hrs there's a million copies.

I'm just musing but it's not unheard of for USB keys to be packed with intrusion packages and left in office parking lots or other places where people would go 'Ooo, free USB key!' and ferry into the office or into their home PCs and connect the infected media themselves.  You have to admit that FA has just started one hell of a USB key Easter egg hunt, with people making sure they stick the keys into their computers to see if it contains source code or not.

But USB keys just to distribute the source code is basically a TERRIBLE means of getting the source code out there compared to other options.

 

 

This topic is now closed to further replies.