What you need to know about the recent MangaDex data breach

Status
Not open for further replies.
is a Reindeer
VIP
Joined
Jan 24, 2018
Messages
3,231
@Letice no, lol. He'll just take the money and then sell the db for more money. It's advised to never give people ransoming money.
 
Dex-chan lover
Joined
Apr 22, 2018
Messages
432
@JPwong
Yeah so they obviously allowed admins to forego authentication using said option - which is something you never, ever, do. That's the basics of the basics. Any account with admin rights has to fully authenticate at any start of the session and if available, using 2FA, too. No storing passwords, session cookies or anything else that mitigates security. Again, that is the most basic stuff ever. This, "never try out things in prod environment" and "always have backups" are basically the first things you learn when taking your first steps in security.

I am not trying to kick them while they are down. I like this site and I do not have beef with the administration, mods or anyone else. But this was a very avoidable rookie mistake. Had there been a proper separation like it's done properly, with staff having one account for everyday stuff that cannot do real damage, just has slightly more rights than the average user, and a second admin account that is properly secured and only used when actually needed, that would not have prevented the loss of the old database of course, but the potential damage would have been significantly lessened.
 
Double-page supporter
Joined
Jan 21, 2018
Messages
184
No problem, never have the same password for email, forum, social media, etc.
Thx for honest info.
 
Active member
Joined
Jan 22, 2018
Messages
195
@Narf I don't disagree that it's bad practice, even where I work, accounts with elevated access are separated from the normal account you use to log in to do your day to day business to prevent this type of issue since it forces you to authenticate in some fashion anytime you want to use the elevated privileges. It's just that to your point, I don't think the problem is that the admin logins don't have 2FA enabled, it's that the way the site was set up having those session codes made it appear as though the user had already authenticated with 2FA, which I'm assuming may have been avoidable if the remember me option wasn't checked on login.

That issue aside, I'm sort of glad they didn't bother to do something that while less damaging to the site overall, could have been way more annoying to us end users like write a script that impersonated all the users and unfollowed all of our series. I don't think there's a way to export that feed, and the only import tool seems to still be that ancient bato.to importer.
 
Dex-chan lover
Joined
Jun 22, 2018
Messages
2,076
"10k BTC [sic] or everything goes public."

That's currently $587,337,000. This guy actually asked for HALF A BILLION DOLLARS IN RANSOM.
I think we've got our man, people...
 
Joined
Nov 1, 2019
Messages
4
To avoid future session hijacking, why don't we implement something to prevent it?

How about taking advantage of browser fingerprinting (keep a record of either browser agent strings, OS version, or anything that is unique to every visitor) and using that to form a unique session ID?

This new unique session ID will be hashed and salted & stored inside the database.

If the browser fingerprint mismatches because the attacker stole the session ID & used it on a different OS or browser, the server will be aware of such an attack & immediately invalidate that session ID.

Here are good recommendations according to OWASP to implement that:
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#detecting-session-id-anomalies
and
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#binding-the-session-id-to-other-user-properties
 
Joined
Oct 9, 2018
Messages
5
@Narf
I agree with that. Admin accounts should always have to be re-validated after an hour or so of no-use. And, as I mentioned earlier, an ip check per session would go a long way.
Both of these are easy fixes that would have prevented the site from going down with backup required.

That said, I also don't blame them super hard for not thinking heavily about the session stuff. These people are enthusiast devs/admins working for free I think? On top of that, they're mostly focusing on their v5 website which may or may not have the above improvements already implemented. It's not like they have a security team that will point this stuff out, it's probably left from that 1 guy early on.

Either way, they had the backup & the passwords are hashed & salted properly so good on that.
Also, use password managers people! Never re-use passwords.

Edit: @Jpwong He's saying that the sessions should expire quickly, that there should be no "remember me" functionality for admins like you're saying at the end. Any session whether it's short or a "remember me" type, will have a session entry in the db.
 
is a Reindeer
VIP
Joined
Jan 24, 2018
Messages
3,231
@chandr1000
"Session keys used to invalidate immediately if there was any differing information between who was accessing the site and what the session correlates to.

And then we got a tooooooooonnnnn of complaints from people that they kept being logged out of the site and relaxed the invalidation restrictions since, for the most part, we are just a hobby manga site and not some bank service where it's completely imperative that the person using the account always uses the exact same device from the exact same IP and etc..."

The simple solution is to just hash them.
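
Added example, not part of any post in this thread and not MangaDex's code: a minimal session store that combines the two ideas raised above, storing only a hash of each session token and binding the session to a client fingerprint. The in-memory dict standing in for the sessions table, `SERVER_KEY`, the TTL values and the sample User-Agent strings are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

SERVER_KEY = secrets.token_bytes(32)         # assumption: per-deployment secret kept outside the DB
USER_TTL, ADMIN_TTL = 30 * 24 * 3600, 3600   # assumed lifetimes; admins re-authenticate hourly

def _token_hash(token: str) -> str:
    # A 256-bit random token needs no salt or slow KDF; its SHA-256 cannot be reversed.
    return hashlib.sha256(token.encode()).hexdigest()

def _fingerprint(user_agent: str) -> str:
    # Keyed hash, so the stored value reveals nothing about the client.
    return hmac.new(SERVER_KEY, user_agent.encode(), hashlib.sha256).hexdigest()

class SessionStore:
    def __init__(self):
        self.rows = {}   # stands in for the sessions table: token_hash -> row

    def issue(self, user_id, user_agent, is_admin=False, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)    # only the browser ever holds this value
        self.rows[_token_hash(token)] = {
            "user_id": user_id,
            "fp": _fingerprint(user_agent),
            "expires": now + (ADMIN_TTL if is_admin else USER_TTL),
        }
        return token

    def validate(self, token, user_agent, now=None):
        now = time.time() if now is None else now
        key = _token_hash(token)
        row = self.rows.get(key)
        if row is None:
            return None
        fp_ok = hmac.compare_digest(row["fp"], _fingerprint(user_agent))
        if now >= row["expires"] or not fp_ok:
            del self.rows[key]               # expired or presented by a different client: revoke
            return None
        return row["user_id"]

def demo():
    store = SessionStore()
    ua = "Mozilla/5.0 (X11; Linux x86_64) Firefox/86.0"   # constructed sample
    cookie = store.issue(42, ua, is_admin=True, now=0)
    leaked = next(iter(store.rows))          # what a database dump would contain
    return (
        store.validate(cookie, ua, now=10),             # legitimate browser
        store.validate(leaked, ua, now=10),             # dumped hash replayed as a cookie
        store.validate(cookie, "curl/7.74.0", now=20),  # same token, different client
        store.validate(cookie, ua, now=30),             # session was revoked by the mismatch
    )
```

A User-Agent string changes on browser updates and can be copied by whoever holds the token, so the fingerprint check is a tripwire with a usability cost, as the quoted staff reply describes; hashing at rest is the part that makes a dumped sessions table useless for logging in.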
 
Member
Joined
Jul 6, 2020
Messages
58
So after this and after we have changed our email and password, can we use the "Remember Me" function again? Or is it still at risk?
Thank you.
 
Joined
Jan 16, 2021
Messages
1
Note about native in-browser password managers:


While they are very useful they are also very "

With them come some risks;
because they are so popular, malware might be made to get the files of the native password manager, and when that happens, well… you just sweat profusely. I mean, because generally I don't do dumb things on my machine, I could use the Chrome password manager, but I don't, just to be safer. I don't want my password to be leaked altogether in case one day (probably when I am too drunk) I decide to install a random app on my PC. The safest thing you can have is technically a password manager that lets you input your decryption key, but I don't even know if they exist.
 
Joined
May 27, 2019
Messages
10
@Skullcrane886: See this article; basically it's a shared secret with usually limited scope and duration (i.e. it won't let you change your password/2FA/other security settings, and expires after a while). That means it also needs to be stored on both ends of the connection.
 
Joined
Aug 11, 2018
Messages
1
@Plykiya

Could you make an updated post with most of the questions you have answered on page 1?

A lot of the questions I might have are some you might already have answered and I’m 89 percent sure you’ve already answered what questions I could pose...


2 things I would very much like to be expanded upon though. Ofc. Only if you have the time:)

You say passwords are the only things that are comparatively “safe” and etc. Isn’t. Would you mind expanding that list to include things we should be worried about other than cross site passwords and emails?

Is there any way of knowing when the db dump the *insert colorful language* has is from?
 
Double-page supporter
Joined
Aug 15, 2020
Messages
218
Thank you for being transparent.

Maybe you should post a public announcement on the main page and even, don't know if you can, send an e-mail to your users regarding the incident.

I don't think many will check the forums.
 