Note: Any new updates will be added to the bottom of the article.
Tonight my family time was interrupted by notifications that a possible security issue had been discovered in our code. This is a full disclosure to let you know what happened.
A user in our IRC made an issue with our article tag searching system public without informing us in private first, leading me to jump to the computer to fix it.
I fixed it within ~20 minutes of being personally told about it and it's extremely doubtful it will cause any actual issues.
In future I would appreciate being told in private about any possible security issues. It's standard procedure to notify people in private to give them time to fix it. Putting it out in public right away, to be blunt, is a completely irresponsible thing to do. Luckily, we aren't a bank or anything that stores any sensitive information.
For the record: We do use strong encryption on passwords and salts, so there shouldn't be any need to worry about that! With that said, please remember never to share passwords across any website, ever. I'm sure I don't need to tell you that anyway, but it's always good to have a reminder on it.
Essentially, they were able to see some random session information. We do not store anything sensitive in sessions. We do not store your password, email or anything like that in sessions.
We have a good track record when it comes to security issues. In our entire history a total of 4 have ever been found. All of them were fixed within an hour of being notified; this was a special case, as we were not told about it privately.
If people do discover security issues and notify me in private allowing me a decent amount of time to fix it, then there may possibly be rewards for those who discover them.
Moving forward, I will be double checking all possible user input for similar issues. So far, I haven't found any other issues. Rest assured, it will be learnt from and hopefully this will not happen again. If it does, you can be sure I will always notify you and always look to fix it ASAP.
All fun and games eh?
Thank you for your support!
Update: Please see this comment about additional security measures I have now implemented.
Quoting: Eike
While disclosing security concerns publicly without having communicated privately before is obviously not the optimal thing to do, it's still probable that the guy on IRC made the website more safe, not more unsafe.
Quoting: Guest
I'll go light a fire in your wood house so then you'll thank me for having shown you that it was not safe, eh?
Quoting: liamdawe
It's more like giving a lit match to someone next to petrol :P
The analogy has more flaws, as the owner of the wooden house already knows that it could burn and you didn't know about the security problem. As said: It's safer now, and it wouldn't be if he wouldn't have looked at the sources.
I have a question: do you mean hash, or do you really store our password with encryption? "We do use strong encryption on passwords and salts"
Quoting: erlaan
I have a question: do you mean hash, or do you really store our password with encryption? "We do use strong encryption on passwords and salts"
We use PHP's "password_hash" function with the PASSWORD_BCRYPT option.
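As an added illustration of the hash-versus-encryption question in the exchange above (this is example code, not the site's own), here is how PHP's password_hash() with PASSWORD_BCRYPT is used end to end: bcrypt is a one-way hash, PHP draws the random salt itself and embeds it in the returned string, so there is no separate salt to store and nothing to decrypt. The cost value 12 is an assumption for this example.

```php
<?php
// Example code, not the site's implementation. Demonstrates PHP's
// password_hash() / password_verify() / password_needs_rehash() with bcrypt.

const BCRYPT_COST = 12; // assumed policy value; tune to ~100-250 ms per hash on your hardware

function store_new_password(string $password): string {
    // Returns a "$2y$<cost>$<22-char salt><31-char digest>" string.
    // The salt is generated by PHP from a CSPRNG on every call.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function check_login(string $password, string $storedHash): bool {
    // password_verify() parses algorithm, cost and salt out of $storedHash,
    // recomputes the digest and compares in constant time.
    return password_verify($password, $storedHash);
}

function maybe_upgrade_hash(string $password, string $storedHash): ?string {
    // Call only after check_login() succeeded: if the stored hash was made
    // with a weaker cost than current policy, return a fresh hash to save.
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        return store_new_password($password);
    }
    return null;
}

// Walk-through with a constructed password (not a real credential).
$password = 'correct horse battery staple';
$stored   = store_new_password($password);
echo "stored hash: {$stored}", PHP_EOL;

// Correct and wrong passwords against the same stored hash.
var_dump(check_login($password, $stored));
var_dump(check_login('wrong password', $stored));

// Hashing the same password twice yields different strings because each
// call embeds a new random salt; only password_verify() can relate them.
var_dump(store_new_password($password) === store_new_password($password));

// An older hash made with a lower cost is flagged for an upgrade at next login.
$legacy = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
var_dump(maybe_upgrade_hash($password, $legacy) !== null);
```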
Thanks to Eike, I was wondering if I was the only one to thank the guy on IRC for his help. I know, liamdawe, that it's surely been a really unfunny moment considering you were planning some time with your family and this user didn't act as he was supposed to. But he still helped us. Also, the affected part of the website seems to contain dumb data (last viewed URL, time viewing current page, etc.); I'm not even sure it was worth quitting your family for that...
Quoting: Eric1212
Thanks to Eike, I was wondering if I was the only one to thank the guy on IRC for his help. I know, liamdawe, that it's surely been a really unfunny moment considering you were planning some time with your family and this user didn't act as he was supposed to. But he still helped us. Also, the affected part of the website seems to contain dumb data (last viewed URL, time viewing current page, etc.); I'm not even sure it was worth quitting your family for that...
The problem I had was messages deemed as urgent from multiple people telling me about security issues and demanding I get to the computer. This caused quite a panic, but it wasn't a big issue in the end.
I am thankful and I've chatted to the guy who highlighted and thanked them personally.
Last edited by Liam Dawe on 26 January 2017 at 1:49 pm UTC