AT needs https

brianmanahan · Jul 14, 2013

vic, you didnt do the hack to illustrate a point, did you?

wait, he doesnt have a picture by his name now... :hmm:

Leros · Jul 14, 2013

John Connor said:
I thought passwords in a forum were encrypted where not even a mod could see them?

You're talking about the storage of passwords in the database. They should only be storing the hash of the password. To verify authentication, you hash the provided password and see if it matches the saved hash. You can't take the hash and generate the password, so you have the ability to verify passwords, but not the ability to view passwords.

This is a different issues. It's about encrypting traffic between the browser and the server. This is the most important during login when you're sending your plaintext password to the server. If you login over HTTP, your password is being sent through the internet in plaintext for any eavesdropper to see. If you login over HTTPS, your password would be encrypted as it travels through the internet. It sounds like we have HTTPS for logins, but not for the rest of the forum traffic.

Dr. Zaus · Jul 14, 2013

Hm... my real name, email, and how much I admire Moon-Beam is secretly stored in my PMs..

This could be embarrassing

brianmanahan · Jul 14, 2013

DixyCrat said:
Hm... my real name, email, and how much I admire Moon-Beam is secretly stored in my PMs..

This could be embarrassing

secrets out buddy

Leros · Jul 14, 2013

I just read the sticky. It said they had access to our passwords. How is that possible?

Unless the forum software is doing something horrific, the only way I see this being possible is if they had javascript running on the login page. Is that what happened?

lxskllr · Jul 14, 2013

Leros said:
I just read the sticky. It said they had access to our passwords. How is that possible?

Unless the forum software is doing something horrific, the only way I see this being possible is if they had javascript running on the login page. Is that what happened?

I wonder where the script was hosted. I had anandtech.com whitelisted, so anything not originating from that domain should have been blocked.

Red Squirrel · Jul 14, 2013

waggy said:
you know whats better? that was not the only time something like that happened.

for a tech site its really amazing how poor it is. with all the down time and "hacks" lol

Yeah it is pretty sad. Some will argue "don't complain it's free" but come on, it's not so much complaining, as being amazed at the incompetence.

John Connor said:
I thought passwords in a forum were encrypted where not even a mod could see them?

That's a good point... they're usually MD5 hashed. Every single program I've written that involves user passwords works that way. I wonder if they're actually stored in plain text lawls.

waggy · Jul 14, 2013

Red Squirrel said:
Yeah it is pretty sad. Some will argue "don't complain it's free" but come on, it's not so much complaining, as being amazed at the incompetence.

.

exactly.

lxskllr · Jul 14, 2013

Red Squirrel said:
Yeah it is pretty sad. Some will argue "don't complain it's free" but come on, it's not so much complaining, as being amazed at the incompetence.

I wouldn't get on them too hard. This is a fairly high profile site, with low penalties for having it subverted, and shit happens. As long as the leak is plugged, there isn't much more you can ask for.

waggy · Jul 14, 2013

lxskllr said:
I wouldn't get on them too hard. This is a fairly high profile site, with low penalties for having it subverted, and shit happens. As long as the leak is plugged, there isn't much more you can ask for.

true. how many time has stuff happened. when something was "open" and people seen things they weren't supposed to.

again this is supposed to be a high level TECH site.

Markbnj · Jul 14, 2013

Leros said:
Can't you just have HTTP requests get redirected to HTTPS? I think that's fairly simple to do in Apache.

I'm assuming you're using something like Apache or have an Apache in front of the forum server.

Yeah, but you are still not going to do it until you test the whole site, and you probably don't want _all_ http links redirected to https. Things like images, scripts, and other static content (if not already hosted on an external cdn) should probably not be https.

John Connor · Jul 14, 2013

Well, I use Noscrip and a VPN so if it was something on the login it would have never happened on my end. I changed my password anyway. LOL

Vic Vega · Jul 14, 2013

Just read the sticky. You can't make this stuff up.

ViRGE · Jul 14, 2013

Leros said:
I just read the sticky. It said they had access to our passwords. How is that possible?

Unless the forum software is doing something horrific, the only way I see this being possible is if they had javascript running on the login page. Is that what happened?

That's exactly how it worked. They put HTML in the title of a global announcement, which in turn loaded and activated a javascript file on any page that was visible (mainly forum indexes).

Red Squirrel said:
LOL wow, what are the odds. I'm guessing one would have needed to open that post for that exploit to work though? Also because it was most likely javascript or some other client side code I don't think encryption would have done anything anyway.

As I mentioned to Leros, you didn't even need to open the announcement. Just looking at its title was good enough. That said, you are correct in that encryption would not have stopped any of this.

John Connor said:
Well, I use Noscrip and a VPN so if it was something on the login it would have never happened on my end. I changed my password anyway. LOL

Obviously we didn't have time to test it, but anyone using NoScript or similar tools to block 3rd party javascipt should be safe, as the offending script was not hosted here.

Red Squirrel · Jul 14, 2013

So how does it work, is it because mods can put html/javascript in titles/body? Or is this something anyone would actually be able to do?

ViRGE · Jul 14, 2013

Red Squirrel said:
So how does it work, is it because mods can put html/javascript in titles/body? Or is this something anyone would actually be able to do?

It's because the mods can put HTML in titles and bodies. Regular members cannot put HTML in the forums. For that matter even mods cannot put HTML in standard posts. Global Announcements are one of the handful of places we can do that.

Red Squirrel · Jul 14, 2013

Oh ok I see that makes sense then.

I just remembered something funny. In my newer days of programming I had a html based log parser, basically I could view ALL web logs, or view by user agent, referrer, url etc.... It displayed it in a html table. Come to think of it, that thing is still live, but I have not used it in a long time.

Someone somehow figured or suspected I had such a system, and injected javascript into a request URI string. When I was looking at my logs I started getting popups and I was like WTF till I discovered what happened, then promptly fixed it.

Dr. Zaus · Jul 14, 2013

ViRGE said:
It's because the mods can put HTML in titles and bodies. Regular members cannot put HTML in the forums. For that matter even mods cannot put HTML in standard posts. Global Announcements are one of the handful of places we can do that.

What's the value of this?

lxskllr · Jul 14, 2013

DixyCrat said:
What's the value of this?

Lets you launch scripts to harvest passwords.

brianmanahan · Jul 14, 2013

AT needs Jesus

Dr. Zaus · Jul 14, 2013

lxskllr said:
Lets you launch scripts to harvest passwords.

Hahahah yea...

Leros · Jul 14, 2013

ViRGE said:
That's exactly how it worked. They put HTML in the title of a global announcement, which in turn loaded and activated a javascript file on any page that was visible (mainly forum indexes).

The forum software should be escaping script tags (and possibly other tags as well) from user provided HTML.

ViRGE · Jul 14, 2013

DixyCrat said:
What's the value of this?

Honestly I have no real idea. BBCode is limited, so it's not unheard of to allow mods/admins to use HTML to setup something more powerful.

Leros said:
The forum software should be escaping script tags (and possibly other tags as well) from user provided HTML.

Indeed it does. It just doesn't do that from mod provided HTML in the fields where we're allowed to use HTML. Mods can specifically choose whether to enable HTML or not in the announcements they create.

Leros · Jul 14, 2013

ViRGE said:
Honestly I have no real idea. BBCode is limited, so it's not unheard of to allow mods/admins to use HTML to setup something more powerful.
Indeed it does. It just doesn't do that from mod provided HTML in the fields where we're allowed to use HTML. Mods can specifically choose whether to enable HTML or not in the announcements they create.

Even in places where you choose to not escape HTML tags, you should still be escaping script tags to prevent these sorts of things from happening. There isn't a good enough reason (a reason worth the risk) to ever allow scripts to be provided.

ViRGE · Jul 14, 2013

Leros said:
Even in places where you choose to not escape HTML tags, you should still be escaping script tags to prevent these sorts of things from happening. There isn't a good enough reason (a reason worth the risk) to ever allow scripts to be provided.

It's one of those things that you'd have to take up with the vB guys. We're just running a stock board with a couple of cosmetic changes. We don't have any control over whether mod provided scripts are escaped or not.

AT needs https

Lifer

Lifer

Lifer

Lifer

Lifer

No Lifer

No Lifer

No Lifer

No Lifer

No Lifer

Elite Member <br>Moderator Emeritus

Lifer

Diamond Member

Elite Member, Moderator Emeritus

No Lifer

Elite Member, Moderator Emeritus

No Lifer

Lifer

No Lifer

Lifer

Lifer

Lifer

Elite Member, Moderator Emeritus

Lifer

Elite Member, Moderator Emeritus