Fur Affinity comment hiding feature introduced, exploited
Security flaws in a comment-hiding feature introduced to Fur Affinity this week have led to the indiscriminate hiding of comments throughout the site, after an attacker exploited them.
The attacker said their intention was to raise awareness of the issues, after being initially rebuffed by site coders. However, their actions hurt innocent users, including artists who found their commission references hidden.
The new feature was intended to allow attributed hiding of comments by account owners, comment posters, and administrators.
Three separate flaws were found by the attacker, who was banned from the site after using the last to randomly hide comments with a script:
- Hidden comments could be exposed through the non-Javascript reply mechanism if the comment ID was known
- Comments could be hidden by causing a logged-in user to visit a page with image links to URLs which perform actions (a cross-site request forgery) – a long-standing flaw which can also be used to force users to +fav, watch and delete submissions
- Any comment could be hidden by the owner of any submission by modifying the URL provided to hide a comment on their own work
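As an added illustration (not Fur Affinity's code, which is not shown here), the following Python models a hide-comment endpoint with the server-side checks whose absence the three flaws above imply: POST-only handling with a session-bound token against the image-link trigger, an ownership check driven by the comment's own record rather than the submission id in the URL, and enforcement of the hidden flag in the non-JS reply path. The data, user names and token scheme are constructed for the example.

```python
import hmac
# Constructed sample data (not real site data): submission id -> owner,
# comment id -> (submission id, author).
SUBMISSIONS = {101: "artist_a", 102: "artist_b"}
COMMENTS = {1: (101, "viewer"), 2: (102, "viewer")}

def csrf_token(secret: bytes, user: str) -> str:
    """Session-bound anti-CSRF token (assumed scheme; a real app stores a random
    per-session value and compares against that)."""
    return hmac.new(secret, user.encode(), "sha256").hexdigest()

def hide_comment_weak(user: str, method: str, params: dict, hidden: set) -> int:
    """Weak handler (flaws 2 and 3): acts on any HTTP method, so a logged-in
    user's browser fetching an <img src=...> fires it, and checks only that the
    caller owns the submission id in the URL, not that the comment sits on it."""
    cid, sid = int(params["comment"]), int(params["submission"])
    if SUBMISSIONS.get(sid) != user:
        return 403
    hidden.add(cid)  # a comment on someone else's submission gets hidden here
    return 200

def hide_comment_hardened(user: str, method: str, params: dict,
                          secret: bytes, hidden: set) -> int:
    """Hardened handler: state changes only on POST with a valid token, and the
    server's own comment record decides who may hide it (the comment's author or
    the owner of the submission it belongs to); the URL's submission id is ignored."""
    if method != "POST":
        return 405
    supplied = params.get("csrf", "").encode()
    if not hmac.compare_digest(supplied, csrf_token(secret, user).encode()):
        return 403
    try:
        cid = int(params["comment"])
    except (KeyError, ValueError):
        return 400
    if cid not in COMMENTS:
        return 404
    sid, author = COMMENTS[cid]
    if user != author and SUBMISSIONS[sid] != user:
        return 403
    hidden.add(cid)
    return 200

def comment_for_reply(cid: int, viewer: str, hidden: set, admins=frozenset()) -> str:
    """Non-JS reply form (flaw 1): the hidden flag must be enforced in this code
    path too, or knowing a comment id is enough to read a hidden comment."""
    if cid in hidden and viewer not in admins:
        return "[comment hidden]"
    return f"comment #{cid} text"
```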
The site was placed into read-only mode for several hours in an attempt to stop the attack, but read-only mode does not prevent hiding.
Update: Rakuen Growlithe pointed out a thread with problem reports, and notes that admins are fixing comments when notified by trouble ticket.
About the author
GreenReaper (Laurence Parry) is a developer, editor and Kai Norn from London, United Kingdom, interested in wikis and computers.
Small fuzzy creature who likes cheese & carrots. Founder of WikiFur, lead admin of Inkbunny, and Editor-in-Chief of Flayrah.
Comments
Sigh. I hadn't seen this and had just finished writing my own story on this; then, after I clicked submit, my RSS refreshed and this came up.
"If all mankind minus one, were of one opinion, and only one person were of the contrary opinion, mankind would be no more justified in silencing that one person, than he, if he had the power, would be justified in silencing mankind."
~John Stuart Mill~
Only Furaffinity.
Least it wasn't as bad as SoFurry's password leak.
It might as well be.
The coder was notified of the (very silly) holes but just didn't care. Not until the damage is widespread was any action taken...
According to one source they were only given 48 hours of warning and had planned on dealing with the issue on the weekend when the perpetrator decided to exploit what they had reported on.
However, what makes this whole thing confusing is that there are actually 3 exploits in question (maybe more out there): one that was a long-time problem which needed to be fixed, another which is recent and which the hacker reported on the Wednesday, and a third which was exploited by the hacker.
I mean yes, they certainly need to get their code in line, though the "Just didn't care" thing was an opinion by the hacker that has stuck around as their justification.
Even if the site said "We don't care", it doesn't really mean "Make us care", and it doesn't give someone permission to violate other people they don't know just to prove a point.
The only difference between a white hat and a black hat is permission to demonstrate exploits. From what I have gathered, FA was fine when he was using the exploit against the admins to demonstrate, but then he started to do it to random users, which the exploiter admitted to, and after discussions he apologized on his Twitter for those inconveniences he had caused.
The attacker stated that it should have taken about 10 seconds for site management to undo their demonstration. If we assume that's correct, that would put them back in "white hat" (or at worst "grey hat") territory, even if the site management instead decided to take some other approach.
I also think they're correct in making this a difficult-to-ignore issue, because (per description) the vulnerabilities are easy to recognize by looking at the site's behavior (they can be found again by anyone with malicious intent). Repairing the vulnerabilities is the only way to prevent greater harm from occurring (from someone who actually does want to do damage).
No doubt. In fact the hidden comment is just the tip of the iceberg; looking at the tests someone on my watch list performed, it seems far worse things are possible, including one that most furries would abuse the hell out of if they knew of it.
Just like The Gulf Oil Spill...
Dumbass. If you wanted to do the site a favor by showing its security holes, you show them to the admins. This is the equivalent of punching someone in the face to prove they have defensive flaws.
OR he probably realized he got caught and tried to save his ass by saying he was doing them a favor.
Doubtful; both the administration and the perpetrator admit to having had a discussion about the issue 48 hours prior to the shutdown. If the perp was fully malicious he wouldn't have said a thing prior to doing it.
But, that said, if they didn't ban him for this, it would set a bad precedent. The reason you exploit the code should be moot, if they didn't ban him for doing it because he was 'doing it for their own good', it opens up the possibility for someone more malicious to use that excuse.