What would you do if you found an exploit on FA?

root

I would chuckle and then consider how I could use the exploit to be a jackass. Then I'd sit back and wonder how much of my life I'd wasted searching for such things.  Then I'd have an existential crisis considering my place in the universe and why I was squandering the little time I had on this earth on such petty trivialities.  Then I'd reevaluate my life and pledge to find new friends, a new job, some romance, eat better, exercise more, get some new hobbies, volunteer in my community, and live happily ever after.  The end.  

2 hours ago, Clove Darkwave said:

Tell the administration so they can fix it, so that artists like my spouse don't get fucked over for the sake of a laugh.

I thought the administration ignored stuff like that. You remember Eevee don't you?

3 hours ago, Saxon said:

What is an exploit?

"An exploit (from the English verb to exploit, meaning "using something to one’s own advantage") is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service attack."

I'd report it. I and many other artists rely on FA for commissions, which we in turn rely on to feed ourselves. 

I would probably have done what eevee did, had I not seen for myself how FA staff thanked him for it:

  1. Try the "Responsible Disclosure" route and report the vulnerability privately to FA staff, with complete descriptions of why it's an exploit and how it can be exploited.
  2. After it goes basically unacknowledged for a few weeks to months, try to follow up.
  3. After it goes ignored for many, many months, concluding Responsible Disclosure to be an utter failure, try to get their attention by starting the "Full Disclosure" route, by posting it publicly, but without any details at all of how to exploit it.
  4. Demonstrate the exploit in the most obvious yet trivially reversible manner possible.
  5. Gawk in sheer disbelief as they struggle to reverse the impact and inflict actual damage to the site in their attempts.
  6. Post a journal about why the demonstration was trivial and how it should've been reversed without damage, and again asking FA staff to fix it and offering to re-send the details to them privately.
  7. Get banned permanently as a hacker who caused the aforementioned damage to the site and obviously just wants to watch FA tip over and not help.

No, my memory may be a bit fuzzy, but I'm not joking.

What I'd do now, knowing that history, is either "Full Disclosure" or "No Disclosure," in both cases just watching with popcorn as it's exploited until FA admins get exhausted from banning everyone exploiting it and finally move Yak to fix it.  (Since I'm lazy, it will probably be No Disclosure to FA, but it will never be Responsible Disclosure to FA.)

-----

Responsible Disclosure: Only the benevolent discoverer and vendor know; customers never know.  Unless other, malicious actors discover it on their own as well.  This can work, but only when vendors act responsibly as well.

Full Disclosure: Everyone knows.  Vendors can fix, and customers are not left uninformed in their decisions if vendors won't or for some weird reason can't.

No Disclosure: No one knows, except benevolent actors who stay silent as the dead about their discoveries and malicious actors who exploit and/or sell their independently-obtained discoveries at will.  Vendors and customers alike are both screwed.

On 5/16/2016 at 1:44 AM, ArielMT said:

I would probably have done what eevee did, had I not seen for myself how FA staff thanked him for it:

  1. Try the "Responsible Disclosure" route and report the vulnerability privately to FA staff, with complete descriptions of why it's an exploit and how it can be exploited.
  2. After it goes basically unacknowledged for a few weeks to months, try to follow up.
  3. After it goes ignored for many, many months, concluding Responsible Disclosure to be an utter failure, try to get their attention by starting the "Full Disclosure" route, by posting it publicly, but without any details at all of how to exploit it.
  4. Demonstrate the exploit in the most obvious yet trivially reversible manner possible.
  5. Gawk in sheer disbelief as they struggle to reverse the impact and inflict actual damage to the site in their attempts.
  6. Post a journal about why the demonstration was trivial and how it should've been reversed without damage, and again asking FA staff to fix it and offering to re-send the details to them privately.
  7. Get banned permanently as a hacker who caused the aforementioned damage to the site and obviously just wants to watch FA tip over and not help.

^ This exactly.  If you didn't beat me to it, I would have posted something to the same effect.

Though, in my case, I'd more likely remain silent on the issue unless it affected me directly, just knowing that reporting it would probably get me banned for hurting someone's fwagile wittle ego by insinuating that the site might not be perfect. :P

I am Jesus. Nah just a coincidence. I don't know how to code outside of Matlab and even then I suck at parallelizing my code.

I work with semiconductors. Still, you would think FA would take exploits seriously and try to correct them, not do what they've done before. Or who knows, maybe it was unintentionally self-inflicted by bad coding.

12 minutes ago, Calemeyr said:

Still, you would think FA would take exploits seriously and try to correct them, not do what they've done before.

[reaction gif]

(I was originally going to make an actual comment, but I think this is adequate.)

7 minutes ago, PheagleAdler said:

I would report it because there's people on the site I care about, not be an asshole and exploit it, hurting innocent users in the process.

I think the stern-ass looking eagle in your sig really emphasises the point you make xD

1 hour ago, Amiir said:

Speaking of the downtime, I see they're being transparent as usual...

https://forums.furaffinity.net/threads/05-17-2016.1530505/

Dragoneer updated it with information about the downtime. Topically, an exploit was found and the source code was distributed at a convention. The site was attacked and data was deleted.

Seriously....

Losing an entire six days' worth of data, including submissions, new accounts, and watches....

That's a pretty fucking big deal. People are gonna be pissed.

The question is, were everyone's accounts affected? I wonder if I lost anything...

7 minutes ago, SirRob said:

Dragoneer updated it with information about the downtime. Topically, an exploit was found and the source code was distributed at a convention. The site was attacked and data was deleted.

This is pretty huge. I mean, when the entire source code is out there people are gonna find all sorts of whacky exploits. And all they can do is wait for an attack to happen to then stop it later.

Also, their last backup is from the 11th? I expected a site with a big focus on community where people sell their work to have more regular backups, or maybe even a live backup. But six days worth of lost data? On a site with that many daily submissions? That blows pretty badly.

Anyway, I think this really shows how shaky FA really is. And many artists depend on that site to pay their bills by selling commissions there! That's just awful...

5 minutes ago, Käpt'n said:

This is pretty huge. I mean, when the entire source code is out there people are gonna find all sorts of whacky exploits. And all they can do is wait for an attack to happen to then stop it later.

Also, their last backup is from the 11th? I expected a site with a big focus on community where people sell their work to have more regular backups, or maybe even a live backup. But six days worth of lost data? On a site with that many daily submissions? That blows pretty badly.

Anyway, I think this really shows how shaky FA really is. And many artists depend on that site to pay their bills by selling commissions there! That's just awful...

Considering how presumably the site had to be sold to IMVU to stay afloat, I'm not particularly surprised that there's some penny pinching going on. Which is understandable, considering it's a massive free site with no premium subscription features or donation incentives or anything like that.

Was anyone giving away USB drives at BLFC?

https://forums.furaffinity.net/threads/5-17-site-attack.1530523/

Apparently, someone broke into FA through the ImageTragick vulnerability, stole the source code, and distributed it on USB drives.  Then someone, probably someone else, found a separate vulnerability and used it to do stuff to the database.

Haven't read all of the comments yet, but I just want to state I was absolutely NOT involved in the recent attack. (I admit it's a funny coincidence though)

If I had FA's source code, I'd probably just nitpick through it instead of doing something like this. I did find a tiny exploit on my own which probably could be used to DDoS the site if someone were clever enough, but I sat on it because I wasn't sure if I wanted to risk being banned/possibly reported. I do not condone the recent attack and I would never risk doing something this bad.

7 minutes ago, ArielMT said:

Was anyone giving away USB drives at BLFC?

https://forums.furaffinity.net/threads/5-17-site-attack.1530523/

Apparently, someone broke into FA through the ImageTragick vulnerability, stole the source code, and distributed it on USB drives.  Then someone, probably someone else, found a separate vulnerability and used it to do stuff to the database.

Read somewhere that someone saw those drives at BLFC, so likely yes.

3 minutes ago, 6tails said:

The exploit used against FA is widely-known. ImageMagick is a piece of shit project used for handling serving up images, used in like 95% of PHP-based forums.

They didn't patch against an exploit that was publicly disclosed WEEKS ago.

From 'Neer: "...obtained a copy of Fur Affinity's source code via the recent “ImageTragick” exploit in the ImageMagick library (a common server-side image processing software). This exploit was patched earlier in this month, but not before a malicious user was able to download a copy of our source code..."

Not sticking up for 'Neer; just stating the [supposed] facts

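As an added defensive note, not from anyone in this thread: the interim mitigation circulated for ImageTragick, for installations that could not upgrade ImageMagick right away, was a policy.xml that disables the coders the exploit abused. The file location is assumed here (it differs by install, e.g. /etc/ImageMagick/policy.xml or /etc/ImageMagick-6/policy.xml); FA's actual configuration is not on the page.

```xml
<!-- Added example, not FA's config: ImageMagick policy.xml restrictions
     published as the stopgap ImageTragick mitigation. Path is assumed;
     check your install for the policy.xml ImageMagick actually loads. -->
<policymap>
  <!-- Coders the ImageTragick exploits drove; rights="none" disables them.
       Keep this in place until the patched ImageMagick release is deployed,
       then re-enable only the coders the site genuinely needs. -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>
```

The other half of the published advice was to check that an upload starts with the magic bytes of the image type it claims to be before handing it to ImageMagick, so a crafted file cannot be parsed as a different format.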
Hey, folks. So the leaked code is floating out there, and the timing of this thread probably couldn't have been worse. So with that in mind, let's not be a platform for sharing or asking to get any ill-gotten software, OK?

Does anyone else think that using USB keys to distribute the source code at a furry con is really weird?  It's really not an efficient method of distribution and you risk being witnessed spreading them around.  Meanwhile you could dump the file on some no-name server hosted in the third world and within 24hrs there's a million copies.

I'm just musing, but it's not unheard of for USB keys to be packed with intrusion packages and left in office parking lots or other places where people would go 'Ooo, free USB key!' and ferry them into the office or onto their home PCs and connect the infected media themselves.  You have to admit that FA has just started one hell of a USB key Easter egg hunt, with people making sure they stick the keys into their computers to see if they contain source code or not.

But USB keys just to distribute the source code is basically a TERRIBLE means of getting the source code out there compared to other options.
