Note: Any new updates will be added to the bottom of the article.
Tonight my family time was interrupted by notifications that a possible security issue had been discovered in our code. This is a full disclosure to let you know what happened.
A user in our IRC made an issue with our article tag searching system public without informing us in private first leading me to jump to the computer to fix it.
I fixed it within ~20 minutes of being personally told about it and it's extremely doubtful it will cause any actual issues.
In future I would appreciate being told in private about any possible security issues. It's standard procedure to notify people in private to give them time to fix it. Putting it out in public right away, to be blunt, is a completely irresponsible thing to do. Luckily, we aren't a bank or anything that stores any sensitive information.
For the record: We do use strong encryption on passwords and salts, so there shouldn't be any need to worry about that! With that said, please remember never to share passwords across any website, ever. I'm sure I don't need to tell you that anyway, but it's always good to have a reminder on it.
Essentially, they were able to see some random session information. We do not store anything sensitive in sessions. We do not store your password, email or anything like that in sessions.
We have a good track record when it comes to security issues. In our entire history a total of 4 have ever been found. All of which were fixed within an hour of being notified, this was a special case as we were not told about it privately.
If people do discover security issues and notify me in private allowing me a decent amount of time to fix it, then there may possibly be rewards for those who discover them.
Moving forward, I will be double checking all possible user input for similar issues. So far, I haven't found any other issues. Rest assured, it will be learnt from and hopefully this will not happen again. If it does, you can be sure I will always notify you and always look to fix it ASAP.
All fun and games eh?
Thank you for your support!
Update: Please see this comment about additional security measures I have now implemented. Article taken from GamingOnLinux.com.
Tonight my family time was interrupted by notifications that a possible security issue had been discovered in our code. This is a full disclosure to let you know what happened.
A user in our IRC made an issue with our article tag searching system public without informing us in private first leading me to jump to the computer to fix it.
I fixed it within ~20 minutes of being personally told about it and it's extremely doubtful it will cause any actual issues.
In future I would appreciate being told in private about any possible security issues. It's standard procedure to notify people in private to give them time to fix it. Putting it out in public right away, to be blunt, is a completely irresponsible thing to do. Luckily, we aren't a bank or anything that stores any sensitive information.
For the record: We do use strong encryption on passwords and salts, so there shouldn't be any need to worry about that! With that said, please remember never to share passwords across any website, ever. I'm sure I don't need to tell you that anyway, but it's always good to have a reminder on it.
Essentially, they were able to see some random session information. We do not store anything sensitive in sessions. We do not store your password, email or anything like that in sessions.
We have a good track record when it comes to security issues. In our entire history a total of 4 have ever been found. All of which were fixed within an hour of being notified, this was a special case as we were not told about it privately.
If people do discover security issues and notify me in private allowing me a decent amount of time to fix it, then there may possibly be rewards for those who discover them.
Moving forward, I will be double checking all possible user input for similar issues. So far, I haven't found any other issues. Rest assured, it will be learnt from and hopefully this will not happen again. If it does, you can be sure I will always notify you and always look to fix it ASAP.
All fun and games eh?
Thank you for your support!
Update: Please see this comment about additional security measures I have now implemented. Article taken from GamingOnLinux.com.
Some you may have missed, popular articles from the last month:
The comments on this article are closed.
Thank you for being open about it, communication is key, too many companies have shown how not to do it!
Continue the good work :)
Continue the good work :)
5 Likes, Who?
thank you for letting us know.
Changed my password just in case, but i think it was safe anyway.
Changed my password just in case, but i think it was safe anyway.
0 Likes
Quoting: GuestCould someone have my email address now? :( what kind of issue it was?Not likely, from what I understand it allowed them to see session information. We don't store anything sensitive in a session, as that would be dumb. Honestly, there's no reason to worry I am just being open about an issue we had today which was promptly fixed by me. An email address was never stored in the session, for reasons such as this.
I have also just implemented a new security measure: To change an account email address, they need to know the password. This will stop any possible changing of email, to any possible attacker then resetting the password by email. That now simply cannot happen.
That was already in place for changing your password, but now there's no way to change your email either without actually knowing your password.
I also just added in another feature: When a password or email address on an account are changed, an email is sent to make you aware. Obviously for email changing, this notification is sent to the old email address.
We also, by default, email you whenever someone new logs into your account, that has been in place for a long time now.
Hope that helps clear up any doubts about us and about how seriously I take any security issue, even when it's a small one.
1 Likes, Who?
Changed my password as well. And even if I hadn't, I only use it for this site anyway.
0 Likes
I changed my password as well just to be safe. Thanks for letting us know right away.
0 Likes
Well, was the session authentication information available, or was this one hashed as well? If the former, wouldn't login everyone out be a good security measure? That said, I was logged out on my desktop, so you might have done it already.
0 Likes
Quoting: M@yeulCWell, was the session authentication information available, or was this one hashed as well? If the former, wouldn't login everyone out be a good security measure? That said, I was logged out on my desktop, so you might have done it already.I actually removed all sessions and implemented a new bit of code to help with that, so that should have been done anyway to be sure.
2 Likes, Who?
Thank you for taking the site's and its users' security seriously, liam!
2 Likes, Who?
Further to the above, I have spoken to our web-host and they have changed our PHP configuration to improve security for the session cookie.
We are now also now regenerating the session every so often to mitigate future annoyances.
I have also now properly spoken to the person who highlighted it.
Edit: Random extra word.
Last edited by Liam Dawe on 25 January 2017 at 9:33 pm UTC
We are now also now regenerating the session every so often to mitigate future annoyances.
I have also now properly spoken to the person who highlighted it.
Edit: Random extra word.
Last edited by Liam Dawe on 25 January 2017 at 9:33 pm UTC
0 Likes
Quoting: GuestWhile we're on the topic of security.. our login names should ideally be different from our public usernames. More and more sites are making you sign in with your privately stored email address rather than your publicly visible username. If the username is known, half of the login credentials have already been obtained. It's best to give an attacker no information to go on.That's an interesting point you have there. We have half of this done, as we moved to allow email logins some time ago. At some point it might be a good idea then to remove username based logins.
0 Likes
Patreon
PayPal
See more from me