I have some unfortunate news: TWHL was the victim of an SQL injection attack yesterday which compromised the database. The attack was by a grey-hat hacker who is assisting us with plugging up the security holes. While we don't think data was stolen for malicious purposes, it's still quite possible that your TWHL password has been compromised. Some basic info on this:
If you're using the same password elsewhere, you should change it. I would recommend changing your TWHL password as well.
- The attack was an SQL injection. Usually, these are prevented with proper database access code and paying careful attention to security. Unfortunately when the TWHL code was written, I wasn't so careful. Most queries are escaped properly, but a few were not.
- After the SQL injection was discovered, an unknown method was used to extract the database password from the MySQL configuration data. I don't know how this was done. After the password was extracted, he gained full access to the database.
- Usually passwords stored in a database are hashed in a way that cannot be reversed. TWHL was using a hashing method, but one that was cracked a long, long time ago. It's no longer secure and not much better than storing passwords in plain text. Because of this, you should consider your TWHL password to be compromised, and if you use this password anywhere else, change it now.
- We are working on plugging up the current security holes so that they are no longer a valid attack point. I've run through all the pages and fixed any issues I could find; however, I'm still waiting on some extra tests to be done before I can give the all-clear.
- In the longer term, we'll be working on making the password storage secure to avoid this happening again. Migrating passwords like that isn't exactly easy, so please give us a few weeks to try and get a mechanism in place.
- We're also making an effort to stabilise the code base to prevent attacks like this from being possible in the future. This will take a while, so please be patient.
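As an added illustration of the two fixes described above (parameterised queries instead of string-built SQL, and migrating weak password hashes), here is example code that is not TWHL's own. It assumes the legacy scheme was unsalted MD5 (the post does not name it) and uses an in-memory SQLite table in place of the site's MySQL database. The migration has two stages: every stored legacy hash is immediately wrapped in PBKDF2 so that no weak hash remains at rest, and each account is then upgraded to a direct PBKDF2 hash the next time its owner logs in successfully.

```python
import hashlib, hmac, os, sqlite3

ITERATIONS = 200_000  # tune upward for production hardware

def legacy_hash(password: str) -> str:
    # Assumption: the old site stored an unsalted MD5 hex digest of the password.
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2(secret: bytes, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS).hex()

def setup_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, scheme TEXT, salt BLOB, hash TEXT)")
    return db

def add_legacy_user(db, name: str, password: str) -> None:
    # Parameterised query: user input is bound as data, never spliced into the SQL text.
    db.execute("INSERT INTO users VALUES (?, 'legacy', NULL, ?)", (name, legacy_hash(password)))

def wrap_all_legacy(db) -> int:
    # Offline step, no user interaction needed: wrap each weak hash with a salted KDF
    # so an attacker who dumps the table no longer gets crackable MD5 digests.
    rows = db.execute("SELECT name, hash FROM users WHERE scheme = 'legacy'").fetchall()
    for name, old in rows:
        salt = os.urandom(16)
        db.execute("UPDATE users SET scheme = 'wrapped', salt = ?, hash = ? WHERE name = ?",
                   (salt, pbkdf2(old.encode(), salt), name))
    return len(rows)

def login(db, name: str, password: str) -> bool:
    row = db.execute("SELECT scheme, salt, hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    scheme, salt, stored = row
    if scheme == "legacy":
        candidate = legacy_hash(password)
    elif scheme == "wrapped":
        candidate = pbkdf2(legacy_hash(password).encode(), salt)
    else:  # "pbkdf2": the password itself was hashed directly
        candidate = pbkdf2(password.encode(), salt)
    ok = hmac.compare_digest(candidate, stored)  # constant-time comparison
    if ok and scheme != "pbkdf2":
        # The plaintext is available only at login, so this is where the final upgrade happens.
        new_salt = os.urandom(16)
        db.execute("UPDATE users SET scheme = 'pbkdf2', salt = ?, hash = ? WHERE name = ?",
                   (new_salt, pbkdf2(password.encode(), new_salt), name))
    return ok

def scheme_of(db, name: str) -> str:
    return db.execute("SELECT scheme FROM users WHERE name = ?", (name,)).fetchone()[0]
```

Accounts whose owners never log in again stay at the "wrapped" stage, which is still a salted, slow hash; forcing a reset for them is a policy choice rather than a technical necessity.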