TWHL Database Hack
Created 11 years ago (2013-03-09 06:17:26 UTC) by Penguinboy

Posted 11 years ago (2013-03-09 06:19:35 UTC), Post #312942
Use this thread for discussion of the recent hack. See the news post on the front page:
I have some unfortunate news, TWHL was the victim of an SQL injection attack yesterday which compromised the database. The attack was by a grey-hat hacker who is assisting us with plugging up the security holes. While we don't think data was stolen for malicious purposes, it's still quite possible that your TWHL password has been compromised.

If you're using the same password elsewhere, you should change it. I would recommend changing your TWHL password as well.
Some basic info on this:
  • The attack was an SQL injection. Usually, these are prevented with proper database access code and paying careful attention to security. Unfortunately when the TWHL code was written, I wasn't so careful. Most queries are escaped properly, but a few were not.
  • After the SQL injection was discovered, an unknown method was used to extract the database password from the mysql configuration data. I don't know how this was done. After the password was extracted, he gained full access to the database.
  • Usually database passwords are encrypted in a way that cannot be reversed. TWHL was using a hashing method, but one that was cracked a long, long time ago. It's no longer secure and not much better than storing passwords in plain text. Because of this, you should consider your TWHL password to be compromised and if you use this password anywhere else, change it now.
How we are working to prevent this issue moving forward:
  • We are working on plugging up the current security holes so that they are no longer a valid attack point. I've run through all the pages and fixed any issues I could find, however I'm still waiting on some extra tests to be done before I can give the all-clear.
  • In the longer term, we'll be working on making the password storage secure to avoid this thing happening again. Migrating passwords like that isn't exactly easy, so please give us a few weeks to try and get a mechanism in place.
  • We're also making an effort to stabilise the code base to prevent attacks like this from being possible in the future. This will take a while, so please be patient.
If you have any questions or concerns please feel free to ask and I will try to answer them as well as I can.
Penguinboy (Haha, I died again!)
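The two fixes Penguinboy's post describes (binding user input as query parameters instead of splicing it into SQL text, and migrating accounts from a weak unsalted hash to a salted, slow one at their next login) worked through in Python with sqlite3, as an added example that is not TWHL's code. The legacy MD5 scheme, the user table and the account in it are assumptions constructed for the demo; the thread does not say which hash the site used.

```python
import hashlib
import hmac
import os
import sqlite3

# Legacy scheme assumed for this example (the thread does not name the hash TWHL used):
# an unsalted, fast digest that offers little protection once the table leaks.
def legacy_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2_hash(password: str, iterations: int = 200_000) -> str:
    """Salted, slow hash stored in a self-describing format so old and new can coexist."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify(stored: str, password: str) -> tuple[bool, bool]:
    """Return (password matches, stored hash still uses the legacy scheme and needs upgrading)."""
    if stored.startswith("pbkdf2_sha256$"):
        _, iterations, salt, dk = stored.split("$")
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), int(iterations))
        return hmac.compare_digest(cand.hex(), dk), False
    return hmac.compare_digest(legacy_hash(password), stored), True

def make_db() -> sqlite3.Connection:
    """Constructed sample data: one account still stored under the legacy hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                 ("alice", legacy_hash("correct horse")))
    conn.commit()
    return conn

def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholder binding: the username is passed as data, never spliced into the SQL text,
    # so quotes or SQL keywords inside it cannot change the shape of the query.
    row = conn.execute("SELECT id, password FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    ok, needs_upgrade = verify(row[1], password)
    if ok and needs_upgrade:
        # Lazy migration: the plaintext is only available at login time, so rehash it now.
        conn.execute("UPDATE users SET password = ? WHERE id = ?", (pbkdf2_hash(password), row[0]))
        conn.commit()
    return ok

def stored_hash(conn: sqlite3.Connection, username: str) -> str:
    return conn.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()[0]
```

A failed login leaves the legacy hash untouched; the first successful one replaces it, which is why the migration Penguinboy mentions takes weeks rather than one pass over the table.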
Posted 11 years ago (2013-03-09 07:12:15 UTC), Post #312943
He helped by hacking and showing the errors, but deleting those few maps was no help at all. You can actually see some posts on a web archive and see what all he did.

And to top that all off, he had bad grammar. But I'm just wondering, since you know what all he did, can YOU also hack the same way? I mean, making a cure is like being the creator of the virus and being able to stop it, so you have some techniques for hacking and stuff, right?
Ghost129er (SAS1946 Certified Nuisance)
Posted 11 years ago (2013-03-09 07:21:32 UTC), Post #312944
Technically, Penguinboy (or any coder really) has to have knowledge of how to perform these attacks if he wants to write code that protects against them.
Posted 11 years ago (2013-03-09 07:30:56 UTC), Post #312945
So he is basically a hacker himself.
Ghost129er (SAS1946 Certified Nuisance)
Posted 11 years ago (2013-03-09 07:34:53 UTC), Post #312946
When you know how things work, the difference lies in what you use your knowledge for.
Posted 11 years ago (2013-03-09 07:40:52 UTC), Post #312948
Penguinboy, VERY IMPORTANT question! I just changed my pw, I want to change it again, is there a log or history of this on the site now??
Ghost129er (SAS1946 Certified Nuisance)
Posted 11 years ago (2013-03-09 07:47:39 UTC), Post #312949
No, once you change your password, the old one is no longer stored in the database.
Penguinboy (Haha, I died again!)
Posted 11 years ago (2013-03-09 07:56:29 UTC), Post #312950
PB just FYI, I tried updating the screenie with a link and browsing for a file, but it won't let me save it fsr.

Also, would it be hard to enact a "steam guard" type protection for passwords, so if someone tries logging in from a different location, you'd have to use the email code to proceed?
Captain Terror (when a man loves a woman)
Posted 11 years ago (2013-03-09 08:01:36 UTC), Post #312951
Good response time Pb, you handled that very well. I appreciate your hard work.

Yes Ghost129er, people who create security systems have to be hackers, this is why there are terms like white, grey and black hat hackers.
Posted 11 years ago (2013-03-09 08:02:13 UTC), Post #312952
CapT: I think you changed the location of the map download rather than the screenshot. If you try and download your map now, it goes to the screenshot hosted on imgur.

In the map page you get two inputs, the first one is for the map download (which supports links and uploads), the second one is for the screenshot (which only supports uploads).
Penguinboy (Haha, I died again!)
Posted 11 years ago (2013-03-09 08:24:27 UTC), Post #312953
Ghost, it's like having a gun. You can either shoot criminals, or you can shoot children. Either way, yes, you still have a gun, it's how you use it that counts.

And that's ignoring the fact you shouldn't be shooting anybody, or else the metaphor kinda falls apart.
Jessie (Trans Rights <3)
Posted 11 years ago (2013-03-09 08:30:18 UTC), Post #312954
doh thanks pb that was it =)
Captain Terror (when a man loves a woman)
Posted 11 years ago (2013-03-09 09:38:08 UTC), Post #312955
Plugging up sql injections takes absolutely no hacking experience at all.... All it takes is understanding.
Posted 11 years ago (2013-03-09 10:51:56 UTC), Post #312956
A little suggestion: reCaptcha. I have used this in my site experiments and I know it works, but I don't know how it handles multiple logins per day. Perhaps add "remember me" functionality.
Curious "white hat hacker" who destroys site content. What actually happened to the site? Did he leave any messages?
[edit] Does "Maiku" have anything to do with this? Seems like he registered just yesterday.
[edit2] Also, what kind of guy hacks random sites just to help their webmasters?
Striker (I forgot to check the oil pressure)
Posted 11 years ago (2013-03-09 11:06:18 UTC), Post #312957
True that Striker, this isn't even a popular page, I'm not offending members that way, but it's not like facebook or gamebanana, if you know what I mean. Someone had a reason. It took some time to find this community when I started off.
Ghost129er (SAS1946 Certified Nuisance)
Posted 11 years ago (2013-03-09 11:16:24 UTC), Post #312958
I don't hack random sites to help their webmasters, I do it purely out of fun. I've never actually spoken to any webmasters other than PB... And I registered a few hours ago, what does that have to do with anything?
Posted 11 years ago (2013-03-09 11:17:16 UTC), Post #312959
... There he is. But why would you register here? o_0
Ghost129er (SAS1946 Certified Nuisance)
Posted 11 years ago (2013-03-09 11:19:30 UTC), Post #312960
I was helping PB find more holes, we're still chillin on IRC as well if you wanna hop on.
Posted 11 years ago (2013-03-09 11:20:45 UTC), Post #312961
So are you the hacker or what? I'm just getting mind f***** right now. SO MUCH CONFUSION! *A*
Ghost129er (SAS1946 Certified Nuisance)
Posted 11 years ago (2013-03-09 11:27:46 UTC), Post #312962
Yes lol
Posted 11 years ago (2013-03-09 11:32:53 UTC), Post #312963
...
Ghost129er (SAS1946 Certified Nuisance)
Posted 11 years ago (2013-03-09 11:38:21 UTC), Post #312964
Yes, Maiku was the one who hacked the site, then he was nice enough to let me know what the exploit was, help me to get it fixed, and then test the fixes to make sure the security hole was properly patched. We're lucky that it wasn't somebody who wanted to do more damage, as they certainly could have caused a lot more havoc than what ended up happening.
Penguinboy (Haha, I died again!)
Posted 11 years ago (2013-03-09 12:31:52 UTC), Post #312965
I still find it unethical. I now understand his help, but still don't get it why he had to affect database content.
Striker (I forgot to check the oil pressure)
Posted 11 years ago (2013-03-09 12:35:25 UTC), Post #312966
Could have definitely been a lot worse, yeah. Glad to see the site is up and running, and the perpetrator is working with site authorities to prevent the problem from happening in the future!
Notewell (GIASFELFEBREHBER)
Posted 11 years ago (2013-03-09 12:50:08 UTC), Post #312967
I didn't mean to delete the maps, it was a side effect of the program.
Posted 11 years ago (2013-03-09 12:52:05 UTC), Post #312968
CStriker: THAT'S EXACTLY WHAT I SAID FIRST!
He helped by hacking and showing the errors, but deleting those few maps was no help at all
Hacker: Which program??? :3
Ghost129er (SAS1946 Certified Nuisance)
Posted 11 years ago (2013-03-09 13:03:25 UTC), Post #312969
Mine
Posted 11 years ago (2013-03-09 13:08:43 UTC), Post #312970
__________________________
Ghost129er (SAS1946 Certified Nuisance)
Posted 11 years ago (2013-03-09 13:11:39 UTC), Post #312971
Hehe, well I didn't give it a name, actually it consists of multiple different tools.
Posted 11 years ago (2013-03-09 13:17:44 UTC), Post #312972
Well, you can name it TWHL:

The
Whole
Hacking
Leopard

Just saying :3
Ghost129er (SAS1946 Certified Nuisance)
Posted 11 years ago (2013-03-09 13:24:07 UTC), Post #312973
Fine, I will just for you :P
Posted 11 years ago (2013-03-09 13:25:46 UTC), Post #312974
They don't just open up Hacklolz.exe. Don't you have any idea how it works?
Jessie (Trans Rights <3)
Posted 11 years ago (2013-03-09 13:36:20 UTC), Post #312975
Yeah I read everything.
TWHL was victim to an SQL injection attack yesterday
And he is still going to name it.
:ciggie:
Ghost129er (SAS1946 Certified Nuisance)
Posted 11 years ago (2013-03-09 15:49:11 UTC), Post #312976
Haha is that a cigarette in your smilies mouth?
Posted 11 years ago (2013-03-09 16:11:42 UTC), Post #312977
Yeah, it's in the [Show Smilies]
Ghost129er (SAS1946 Certified Nuisance)
Posted 11 years ago (2013-03-09 17:13:09 UTC), Post #312978
Sometimes, progress needs sacrifice. Hacking is a powerful skill and knowing that Maiku decided to be a Jedi about it is a fucking miracle.

Come to think about it, white hats can make a butt-fuckin-shit-ton of money.

:ciggie:
Rimrook (Since 2003)
Posted 11 years ago (2013-03-09 17:22:31 UTC), Post #312979
... if you use this password anywhere else, change it now.
*Counts over 90% of the websites he visits*
Well fuck.
Stojke (Unreal)
Posted 11 years ago (2013-03-09 17:33:22 UTC), Post #312980
Excuse Ghost. He seems to have put 1337 hacking on some mental pedestal.
Posted 11 years ago (2013-03-09 18:00:51 UTC), Post #312981
Lol Stojke, I posted the exact same thing on the shoutbox when the under maintenance (we got hacked) screen appeared. It took time, but was worth it. Changed 103 passwords today. B|

@Soupminer: ???
Ghost129er (SAS1946 Certified Nuisance)
Posted 11 years ago (2013-03-09 18:34:44 UTC), Post #312982
There was once a beautiful street with lime trees. Here there was a nice looking house, modern architecture and all. A guy passed near the house, and suddenly he became curious about this mysterious house he had never seen. He used his lock-picking skill to test the door, and magically, the door opened. He decided it would be polite to sit on the couch and wait for the family to come home and brief them about their defective door.
So the family came and was surprised to see their door open. The father ran into the house. The smiling man who was sitting on the couch explained the situation. The whole family was happy that now they had obtained some information on how to get a stronger door.
The guy had become a hero on the street.
(The guy also broke some vases by accident, but that was omitted to make the story more beautiful.)
Striker (I forgot to check the oil pressure)
Posted 11 years ago (2013-03-09 18:40:58 UTC), Post #312983
Wait, since when am I a hero?
Posted 11 years ago (2013-03-09 20:35:04 UTC), Post #312985
You interpreted ad litteram a word from an allegory (albeit not a good one, but I tried to make an example).

The idea is that, subjectively, you did a good thing and this community appreciates that you gave an impulse to Penguinboy who will work harder on the site security.
The objective truth is that, however good this impulse was, it is still unethical. Perhaps other webmasters would have had a negative reaction.

I am not against you, I agree that this is a good thing. I am pointing things out.
Striker (I forgot to check the oil pressure)
Posted 11 years ago (2013-03-09 20:46:49 UTC), Post #312986
"You interpreted ad litteram a word from an allegory" I honestly have no clue what you just said haha
Posted 11 years ago (2013-03-09 21:18:35 UTC), Post #312987
So the internet hasn't changed and llamas continue to drop from the sky. What a world, meh.
Posted 11 years ago (2013-03-09 21:57:00 UTC), Post #312988
Given the prevalence of trolling and griefing culture on the internet in this day and age, this is certainly a good thing.
Posted 11 years ago (2013-03-09 22:34:21 UTC), Post #312989
Just read that as "I was making a metaphor", Maiku.
Jessie (Trans Rights <3)
Posted 11 years ago (2013-03-09 23:38:06 UTC), Post #312992
Hi, Maiku. Welcome to TWHL. I find it a bit odd that after breaking into the site you still registered to it. I personally believe it is kind of a dick move to hack first and tell later, and I've been thinking whether it wouldn't have been better to just tell Penguinboy straight away, but I figure it wouldn't have gotten his attention as fast. So I have mixed feelings about you.

In any case, hi. I find your presence here intriguing.
Posted 11 years ago2013-03-10 00:24:51 UTC Post #312993
There are certainly better ways it could have been done, but as far as I'm concerned this was almost the best outcome. We fixed a major security hole while only suffering a small amount of damage. If the hacker was malicious then we would have been in a lot deeper trouble. But yes, I would have been a whole lot happier if I was notified a bit more discreetly :P

I'll say again that using the same password in multiple places is a really bad idea and you should change them even if the site hadn't been hacked.
Penguinboy (Haha, I died again!)
Posted 11 years ago (2013-03-10 00:32:17 UTC), Post #312994
By the way, are you interested in mapping, Maiku?
Striker (I forgot to check the oil pressure)
Posted 11 years ago (2013-03-10 00:43:03 UTC), Post #312995
Nah I don't really even play video games very often