Fur Affinity restoring from six-day-old backups after server compromised; site source code distributed at BLFC
I'm hoping @furaffinity's data is still safe. Just before it went down, every submission I tried to view said "submission not in database"
— Alioth Fox (@AliothFox) May 17, 2016
Fur Affinity has been "pulled offline temporarily" after users' accounts and submissions went missing.
Update (21 May): FA returned for a day, but is now in read-only mode. Passwords were said to be hashed and salted, but if you've used the same one elsewhere, now is the time to change it to be unique per-site.
Update 2 (23 May): Fur Affinity has returned; however, all passwords have been reset, which is causing problems for those with an old/invalid email address.
It has been confirmed that an exploit was used to copy Fur Affinity's source code, later distributed at Biggest Little Fur Con. A subsequent attack deleted user profiles, submissions, and watches.
FA users took to Twitter and the Fur Affinity Forums looking for answers – which appeared to have been preemptively provided by a post asking "What would you do if you found an exploit on FA?", posted last Sunday on the Phoenixed Forums. However, more recent posts by the original poster disclaim responsibility.
The recent "ImageTragick" vulnerability in the widely used image-processing library ImageMagick was quickly turned into a working exploit, and FA has identified it as the original attack vector.
Fur Affinity community manager Dragoneer reports that backups exist, but are six days old:
The majority [of the site's data is secure], yes. The backup we have is 6 days old. We're still going through and trying to determine the extent of the issue, and once we have more information, we'll post it publicly and give a full, transparent run down of what happened.
Staff have since "restored a majority of the content which was lost" and are continuing their security audit.
Traffic on Inkbunny and Weasyl spiked 40% on the news, while Furry Network removed its invite requirement for registration earlier today.
We had to pull Fur Affinity offline temporarily. We will provide more information on the downtime once we are able to do so.
— Fur Affinity (@furaffinity) May 17, 2016
@furaffinity yeah so the "User does not exist!" error was given to me on my own page, which does (did?) exist. Really wondering what's up.
— Ray Uildriks (@TuxedoDemon) May 17, 2016
@durangodingo @furaffinity I didn't do anything. I refreshed the page and then it said "Fatal System Error" on my own page.
— Birthday Hybrid (@RedMercury7192) May 17, 2016
@Sixelsixel @furaffinity it logged me out, said my username didn't exist, and suddenly it was down. Oh FA. So reliable :'D
— Nathaniel Manns (@NateAnimate) May 17, 2016
Somebody got the source code through the ImageTragick exploit (which we patched on May 5th). We assume they put them on flash drives and distributed them out, or left them in public places hoping for them to be found. We don't really have any other information.
One of the BLFC security staffers found the drives and notified an FAU staffer who was at the con, and we were able to get a copy of the contents sent over via Skype to start analyzing.
Flash drive said by Dragoneer to contain Fur Affinity source code. Several were found at BLFC.
Comments
Here's a little ditty I composed on a different site.
"FA gets pushed up!
Then it falls down again.
You're never gonna keep it up.
It gets pushed up.
Then it falls down again.
You're never gonna keep it up."
"If all mankind minus one, were of one opinion, and only one person were of the contrary opinion, mankind would be no more justified in silencing that one person, than he, if he had the power, would be justified in silencing mankind."
~John Stuart Mill~
The reason Furry Network removed their invite feature today is that they had a launch party at BLFC.
https://twitter.com/BiggestLittleFC/status/731204146779410432
http://forums.furaffinity.net/threads/5-17-site-attack.1530523/
FurAffinity notes that FA's site code was being handed around on USBs.
I'm gonna have to dock you a point for the headline GreenReaper. The thread you linked to seems to claim it was just coincidental timing for their inquiry.
It appeared to be at the time, but as you say, it's now claimed to be a completely different exploit.
Breaking news! Updated the article an hour ago, will tweak the title too.
Based on the information available, I'm betting that the leaked source code included connection strings that let someone connect directly to their database and start dropping tables. It's possible that there were other ways in, but this would definitely be the quickest.
What that means is that the database server is not using a whitelist or VPN - it's just right out in the open for anyone with the right credentials to jump in and wreak havoc. This was a big disaster waiting to happen.
As soon as the staff learned that source code had leaked, they should have reacted immediately by changing passwords and limiting database access.
In the FAF thread, when someone pointed out that FA's history of insecurity is no secret and staff should have long ago allocated resources to setting up daily backups and a "full security audit" of their system, Dragoneer naturally passed off the blame to the ImageMagick exploit. Yes, the same one that he JUST claimed had already been patched before the attack. ¯\_(ツ)_/¯
Trusting Dragoneer to deliver accurate and timely cybersecurity incident news is like trusting a 5-year old to pilot a jetliner filled with people. It is far too early to say if data is safe. Don't even get me started on Dragoneer's definition of Transparency.
Website Transparency:
Using PNG files with an alpha channel.
If the source code was open source, there would be no need to make it public through shady means
Right, but releasing existing code that has multiple contributors as Open Source is usually a difficult task.
Sadly the one attempt to rewrite FA as Open Source didn't go anywhere.
There have been at least five attempts to recode FA, many of which were open source promised.
Not one. :D
It reminds one of the Dallas Airport's baggage system. Some errors just did not respond to debugging over & over. Repeatedly it would throw luggage against the walls. Finally, with substantial delays in opening the airport already resulting, they scrapped the entire program and the airport opened with workers carrying the baggage by hand. That despite the ads emphasizing computerized baggage handling.
The timing of the Phoenixd thread seems very coincidental, and of course the original poster would claim that he didn't do it. I'm not saying someone from Phoenixd did it, but saying "I didn't do it" does put a person above suspicion
*doesn't
It's a good thing I am pretty much a nobody on FA at this point. Guess that raises the chances of my account being untouched. On May 15th it was still there at least.
Well, I'll be...
I've been locked out of mine for... four years? Maybe hackers will let me back in and see what messages I got.
"If all mankind minus one, were of one opinion, and only one person were of the contrary opinion, mankind would be no more justified in silencing that one person, than he, if he had the power, would be justified in silencing mankind."
~John Stuart Mill~
That quote was made in the anti-McCarthy fantasy, The Investigator. My father had a 33 rpm LP which I now own.
McCarthy dies in a plane crash, and in heaven, assumes control of the Investigative Committee, to determine newcomers' fitness to live there. He opens a re-investigation perceiving corruption and laxness on the part of St. Peter, the gatekeeper. A great number of people get thrown out of heaven, until the Devil complains of all these people banished to his realm, causing no end of trouble with their agitation.
Well, looks like my account is untouched.
Well, I'll be...
Extremely important update: FA passwords have been compromised! Many furries reporting that offsite accounts have had attempts:
https://twitter.com/theMainKitteh/status/733740991505567744
https://twitter.com/loudjill/status/733673972194287616
https://twitter.com/Kalmor_Isvaeng/status/733654981786636288
Call me a jerk but good. People need to move off of that hole riddled site already.
It's not that FA is a bad site, but Dragoneer is doing a piss poor job of handling things. A lot of furries I spoke to would like him to resign in favor of someone else that's more capable of doing a better job.
Fur Affinity has returned, having reset all passwords, added a CAPTCHA, and reduced the access of their database user, along with various other security tweaks. The first of these has caused sign-in problems for users with old or throwaway email addresses, while the second has broken importers such as FA2IB and Furry Network's integrated importer.
Oh, and Motherboard noticed, so there's that.
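The earlier speculation that the leaked source carried database connection strings, and the note above that FA has since "reduced the access of their database user", both come down to two checks an operator can script: does the code base contain literal database credentials, and what can the database account actually do, and from where. The Python below is an added example written for this page; it is not Fur Affinity's code and nothing in it comes from the leaked drives. The PHP snippet and the MySQL GRANT lines it scans are constructed sample input, and the account names, hosts and password values in them are made up.

```python
import re
from dataclasses import dataclass

# --- Part 1: hard-coded database credentials in a source tree ---------------
# Two common shapes: a PHP mysql_connect()/mysqli_connect() call with literal
# arguments, and a URL-style DSN such as mysql://user:pass@host/db.
PHP_CONNECT_RE = re.compile(
    r"""mysqli?_connect\(\s*['"](?P<host>[^'"]*)['"]\s*,\s*['"](?P<user>[^'"]*)['"]\s*,\s*['"](?P<pw>[^'"]*)['"]"""
)
DSN_RE = re.compile(r"""\b\w+://(?P<user>[^:/\s'"]+):(?P<pw>[^@\s'"]+)@(?P<host>[^/\s'"]+)""")


def find_hardcoded_credentials(source):
    """Return (kind, user, host) for each literal credential found.

    The password itself is deliberately not returned: a scanner's report
    should not become a second copy of the secret."""
    hits = []
    for m in PHP_CONNECT_RE.finditer(source):
        hits.append(("php_connect", m.group("user"), m.group("host")))
    for m in DSN_RE.finditer(source):
        hits.append(("dsn", m.group("user"), m.group("host")))
    return hits


# --- Part 2: what the database account can do, and from where ---------------
# Privileges that let a leaked credential destroy or restructure data; an
# account that only serves pages should hold none of them.
DESTRUCTIVE = {"DROP", "ALTER", "CREATE", "FILE", "SUPER", "SHUTDOWN", "GRANT OPTION"}
OPEN_HOSTS = {"%", ""}  # MySQL host patterns meaning "connect from anywhere"

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>\S+)\s+TO\s+'(?P<user>[^']*)'@'(?P<host>[^']*)'"
    r"(?P<wgo>\s+WITH\s+GRANT\s+OPTION)?",
    re.IGNORECASE,
)


@dataclass
class Finding:
    user: str
    host: str
    reason: str


def audit_grants(show_grants_lines):
    """Flag SHOW GRANTS output that lets a credential do more than serve pages."""
    findings = []
    for line in show_grants_lines:
        m = GRANT_RE.match(line.strip().rstrip(";"))
        if not m:
            continue
        user, host, obj = m.group("user"), m.group("host"), m.group("obj")
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if m.group("wgo"):
            privs.add("GRANT OPTION")
        if host in OPEN_HOSTS:
            findings.append(Finding(user, host, "reachable from any host; restrict to the web tier"))
        if privs & {"ALL", "ALL PRIVILEGES"}:
            findings.append(Finding(user, host, f"ALL PRIVILEGES on {obj}"))
        elif privs & DESTRUCTIVE:
            bad = ", ".join(sorted(privs & DESTRUCTIVE))
            findings.append(Finding(user, host, f"holds {bad} on {obj}"))
        if obj == "*.*":
            findings.append(Finding(user, host, "scoped to every database (*.*)"))
    return findings


# Constructed sample input: not real code and not real grants.
SAMPLE_SOURCE = '''<?php
$link = mysql_connect("db.example.internal", "fa_web", "hunter2");
$cron = "mysql://fa_cron:s3cret@db.example.internal/fa";
'''
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'fa_web'@'%' WITH GRANT OPTION;",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON fa.* TO 'fa_web'@'10.0.0.5';",
    "GRANT SELECT, DROP ON fa.* TO 'fa_cron'@'localhost';",
]

if __name__ == "__main__":
    for kind, user, host in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"credential: {kind} user={user} host={host}")
    for f in audit_grants(SAMPLE_GRANTS):
        print(f"grant: {f.user}@{f.host}: {f.reason}")
```

Of the three constructed grants only the second one, a read/write account pinned to a single web-server address, passes clean; the first is the shape the commenter above worried about, where anyone holding the leaked password can connect from anywhere and drop tables. A scan like this belongs in the response to a source leak alongside rotating the credentials, not as a substitute for it.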
As a public service announcement, I can confirm there is a deep web site where anyone can find any FurAffinity user's email address by typing in their account name.
I won't name the site of course, as it's a security issue and can be used to harass people, just know I can confirm that it exists and it is legitimate...
"Dragoneer does __________, Weasyl traffic spikes"
I know history repeats itself, but "furry history" seems to be in some Star Trek style temporal loop!