AT needs https


brianmanahan

Lifer
Sep 2, 2006
24,628
6,013
136
vic, you didn't do the hack to illustrate a point, did you?

wait, he doesn't have a picture by his name now... :hmm:
 

Leros

Lifer
Jul 11, 2004
21,867
7
81
I thought passwords in a forum were encrypted where not even a mod could see them?

You're talking about the storage of passwords in the database. They should only be storing the hash of the password. To verify authentication, you hash the provided password and see if it matches the saved hash. You can't take the hash and generate the password, so you have the ability to verify passwords, but not the ability to view passwords.

This is a different issue. It's about encrypting traffic between the browser and the server. This is the most important during login when you're sending your plaintext password to the server. If you log in over HTTP, your password is being sent through the internet in plaintext for any eavesdropper to see. If you log in over HTTPS, your password would be encrypted as it travels through the internet. It sounds like we have HTTPS for logins, but not for the rest of the forum traffic.
 

Dr. Zaus

Lifer
Oct 16, 2008
11,764
347
126
Hm... my real name, email, and how much I admire Moon-Beam is secretly stored in my PMs..

This could be embarrassing
 

Leros

Lifer
Jul 11, 2004
21,867
7
81
I just read the sticky. It said they had access to our passwords. How is that possible?

Unless the forum software is doing something horrific, the only way I see this being possible is if they had javascript running on the login page. Is that what happened?
 

lxskllr

No Lifer
Nov 30, 2004
60,131
10,601
126
I just read the sticky. It said they had access to our passwords. How is that possible?

Unless the forum software is doing something horrific, the only way I see this being possible is if they had javascript running on the login page. Is that what happened?

I wonder where the script was hosted. I had anandtech.com whitelisted, so anything not originating from that domain should have been blocked.
 

Red Squirrel

No Lifer
May 24, 2003
70,623
13,818
126
www.anyf.ca
you know what's better? that was not the only time something like that happened.


for a tech site it's really amazing how poor it is. with all the down time and "hacks" lol

Yeah it is pretty sad. Some will argue "don't complain it's free" but come on, it's not so much complaining, as being amazed at the incompetence.

I thought passwords in a forum were encrypted where not even a mod could see them?

That's a good point... they're usually MD5 hashed. Every single program I've written that involves user passwords works that way. I wonder if they're actually stored in plain text lawls.
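
The check Leros describes earlier in the thread (hash the submitted password, compare it with the stored hash), as an added example that is not from any poster or from the forum software. It puts salted PBKDF2 from Python's standard library next to the unsalted MD5 mentioned above; the iteration count, record layout and sample passwords are assumptions made for the sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this sketch; tune to your hardware


def make_record(password: str) -> dict:
    """Build what the database stores: salt, work factor and derived hash only."""
    salt = os.urandom(16)  # unique per user, so equal passwords give different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": digest}


def verify(password: str, record: dict) -> bool:
    """Re-derive the hash from the submitted password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def unsalted_md5(password: str) -> str:
    """The weaker scheme, shown for contrast: fast to compute and unsalted."""
    return hashlib.md5(password.encode(), usedforsecurity=False).hexdigest()


def same_password_collides() -> tuple:
    """Two constructed users pick the same password; compare what each scheme stores."""
    pw = "correct horse battery staple"  # constructed sample value
    md5_equal = unsalted_md5(pw) == unsalted_md5(pw)
    salted_equal = make_record(pw)["hash"] == make_record(pw)["hash"]
    return md5_equal, salted_equal


if __name__ == "__main__":
    rec = make_record("hunter2")  # constructed sample value
    print("right password:", verify("hunter2", rec))
    print("wrong password:", verify("hunter3", rec))
    print("(md5 equal, salted equal):", same_password_collides())
```

The stored record never contains the password, which is why a moderator or database reader cannot simply view it; it does nothing for a password captured in the browser before it is sent.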
 

lxskllr

No Lifer
Nov 30, 2004
60,131
10,601
126
Yeah it is pretty sad. Some will argue "don't complain it's free" but come on, it's not so much complaining, as being amazed at the incompetence.

I wouldn't get on them too hard. This is a fairly high profile site, with low penalties for having it subverted, and shit happens. As long as the leak is plugged, there isn't much more you can ask for.
 

waggy

No Lifer
Dec 14, 2000
68,143
10
81
I wouldn't get on them too hard. This is a fairly high profile site, with low penalties for having it subverted, and shit happens. As long as the leak is plugged, there isn't much more you can ask for.

true. how many times has stuff happened. when something was "open" and people saw things they weren't supposed to.


again this is supposed to be a high level TECH site.
 

Markbnj

Elite Member, Moderator Emeritus
Moderator
Sep 16, 2005
15,682
14
81
www.markbetz.net
Can't you just have HTTP requests get redirected to HTTPS? I think that's fairly simple to do in Apache.

I'm assuming you're using something like Apache or have an Apache in front of the forum server.

Yeah, but you are still not going to do it until you test the whole site, and you probably don't want _all_ http links redirected to https. Things like images, scripts, and other static content (if not already hosted on an external cdn) should probably not be https.
 

John Connor

Lifer
Nov 30, 2012
22,757
619
121
Well, I use NoScript and a VPN so if it was something on the login it would have never happened on my end. I changed my password anyway. LOL
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
I just read the sticky. It said they had access to our passwords. How is that possible?

Unless the forum software is doing something horrific, the only way I see this being possible is if they had javascript running on the login page. Is that what happened?
That's exactly how it worked. They put HTML in the title of a global announcement, which in turn loaded and activated a javascript file on any page that was visible (mainly forum indexes).

LOL wow, what are the odds. I'm guessing one would have needed to open that post for that exploit to work though? Also because it was most likely javascript or some other client side code I don't think encryption would have done anything anyway.
As I mentioned to Leros, you didn't even need to open the announcement. Just looking at its title was good enough. That said, you are correct in that encryption would not have stopped any of this.

Well, I use NoScript and a VPN so if it was something on the login it would have never happened on my end. I changed my password anyway. LOL
Obviously we didn't have time to test it, but anyone using NoScript or similar tools to block 3rd party javascript should be safe, as the offending script was not hosted here.
 

Red Squirrel

No Lifer
May 24, 2003
70,623
13,818
126
www.anyf.ca
So how does it work, is it because mods can put html/javascript in titles/body? Or is this something anyone would actually be able to do?
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
So how does it work, is it because mods can put html/javascript in titles/body? Or is this something anyone would actually be able to do?
It's because the mods can put HTML in titles and bodies. Regular members cannot put HTML in the forums. For that matter even mods cannot put HTML in standard posts. Global Announcements are one of the handful of places we can do that.
 

Red Squirrel

No Lifer
May 24, 2003
70,623
13,818
126
www.anyf.ca
Oh ok I see that makes sense then.

I just remembered something funny. In my newer days of programming I had a html based log parser, basically I could view ALL web logs, or view by user agent, referrer, url etc.... It displayed it in a html table. Come to think of it, that thing is still live, but I have not used it in a long time.

Someone somehow figured or suspected I had such a system, and injected javascript into a request URI string. When I was looking at my logs I started getting popups and I was like WTF till I discovered what happened, then promptly fixed it.
 

Dr. Zaus

Lifer
Oct 16, 2008
11,764
347
126
It's because the mods can put HTML in titles and bodies. Regular members cannot put HTML in the forums. For that matter even mods cannot put HTML in standard posts. Global Announcements are one of the handful of places we can do that.

What's the value of this?
 

Leros

Lifer
Jul 11, 2004
21,867
7
81
That's exactly how it worked. They put HTML in the title of a global announcement, which in turn loaded and activated a javascript file on any page that was visible (mainly forum indexes).

The forum software should be escaping script tags (and possibly other tags as well) from user provided HTML.
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
What's the value of this?
Honestly I have no real idea. BBCode is limited, so it's not unheard of to allow mods/admins to use HTML to set up something more powerful.
The forum software should be escaping script tags (and possibly other tags as well) from user provided HTML.
Indeed it does. It just doesn't do that from mod provided HTML in the fields where we're allowed to use HTML. Mods can specifically choose whether to enable HTML or not in the announcements they create.
 

Leros

Lifer
Jul 11, 2004
21,867
7
81
Honestly I have no real idea. BBCode is limited, so it's not unheard of to allow mods/admins to use HTML to set up something more powerful.
Indeed it does. It just doesn't do that from mod provided HTML in the fields where we're allowed to use HTML. Mods can specifically choose whether to enable HTML or not in the announcements they create.

Even in places where you choose to not escape HTML tags, you should still be escaping script tags to prevent these sorts of things from happening. There isn't a good enough reason (a reason worth the risk) to ever allow scripts to be provided.
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
Even in places where you choose to not escape HTML tags, you should still be escaping script tags to prevent these sorts of things from happening. There isn't a good enough reason (a reason worth the risk) to ever allow scripts to be provided.
It's one of those things that you'd have to take up with the vB guys. We're just running a stock board with a couple of cosmetic changes. We don't have any control over whether mod provided scripts are escaped or not.