What you need to know about the recent MangaDex data breach
- Thread starter Plykiya
- Start date
- Status
Dex-chan lover
- Joined
- Apr 22, 2018
- Messages
- 437
@JPwong
Yeah so they obviously allowed admins to forego authentication using said option - which is something you never, ever, do. That's the basics of the basics. Any account with admin rights has to fully authenticate at any start of the session and if available, using 2FA, too. No storing passwords, session cookies or anything else that mitigates security. Again, that is the most basic stuff ever. This, "never try out things in prod environment" and "always have backups" are basically the first things you learn when taking your first steps in security.
I am not trying to kick them while they are down. I like this site and I do not have beef with the administration, mods or anyone else. But this was a very avoidable rookie mistake. Had there been a proper seperation like it's done properly, with staff having one account for everyday stuff that cannot do real damage, just has slightly more rights than the average user, and a second admin account that is properly secured and only used when actually needed, that would not have prevented the loss of the old data base of course, but the potential damage would have been significantly lessened.
Yeah so they obviously allowed admins to forego authentication using said option - which is something you never, ever, do. That's the basics of the basics. Any account with admin rights has to fully authenticate at any start of the session and if available, using 2FA, too. No storing passwords, session cookies or anything else that mitigates security. Again, that is the most basic stuff ever. This, "never try out things in prod environment" and "always have backups" are basically the first things you learn when taking your first steps in security.
I am not trying to kick them while they are down. I like this site and I do not have beef with the administration, mods or anyone else. But this was a very avoidable rookie mistake. Had there been a proper seperation like it's done properly, with staff having one account for everyday stuff that cannot do real damage, just has slightly more rights than the average user, and a second admin account that is properly secured and only used when actually needed, that would not have prevented the loss of the old data base of course, but the potential damage would have been significantly lessened.
- Joined
- May 6, 2019
- Messages
- 205
Good thing my account isn't linked to real life identity.
Active member
- Joined
- Jan 22, 2018
- Messages
- 195
@Narf I don't disagree that it's bad practice, even where I work, accounts with elevated access are separated from the normal account you use to log in to do your day to day business to prevent this type of issue since it forces you to authenticate in some fashion anytime you want to use the elevated privileges. It's just that to your point, I don't think the problem is that the admin logins don't have 2FA enabled, it's that the way the site was set up having those session codes made it appear as though the user had already authenticated with 2FA, which I'm assuming may have been avoidable if the remember me option wasn't checked on login.
That issue aside, I'm sort of glad they didn't bother to do something that while less damaging to the site overall, could have been way more annoying to us end users like write a script that impersonated all the users and unfollowed all of our series. I don't think there's a way to export that feed, and the only import tool seems to still be that ancient bato.to importer.
That issue aside, I'm sort of glad they didn't bother to do something that while less damaging to the site overall, could have been way more annoying to us end users like write a script that impersonated all the users and unfollowed all of our series. I don't think there's a way to export that feed, and the only import tool seems to still be that ancient bato.to importer.
- Joined
- Jun 10, 2020
- Messages
- 15
You guys have had it really rough recently, thank you for all that you do!
- Joined
- Jul 5, 2020
- Messages
- 1
Thank you for doing the correct thing and being transparent about it (once it was safe to do so).
Dex-chan lover
- Joined
- Jun 22, 2018
- Messages
- 2,098
That's currently $587,337,000. This guy actually asked for HALF A BILLION DOLLARS IN RANSOM.
I think we've got our man, people...
- Joined
- Nov 1, 2019
- Messages
- 4
To avoid future session hijacking, why don't we implement something to prevent it?
How about taking advantage over browser fingerprinting (keep record either browser agent strings, OS version, or anything that unique to every visitors) and use that to form an unique session ID?
This new unique session ID will be hashed and salted & stored inside the database.
If the browser fingerprint mismatch because the attacker steal the session ID & use that on different OS or browser, the server will aware of such attack & immediately invalidate those session ID.
Here are good recommendation according to OWASP to implement that:
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#detecting-session-id-anomalies
and
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#binding-the-session-id-to-other-user-properties
How about taking advantage over browser fingerprinting (keep record either browser agent strings, OS version, or anything that unique to every visitors) and use that to form an unique session ID?
This new unique session ID will be hashed and salted & stored inside the database.
If the browser fingerprint mismatch because the attacker steal the session ID & use that on different OS or browser, the server will aware of such attack & immediately invalidate those session ID.
Here are good recommendation according to OWASP to implement that:
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#detecting-session-id-anomalies
and
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#binding-the-session-id-to-other-user-properties
- Joined
- Oct 9, 2018
- Messages
- 5
@Narf
I agree with that. Admin accounts should always have to be re-validated after an hour or so of no-use. And, as I mentioned earlier, an ip check per session would go a long way.
Both of these are easy fixes that would have prevented the site from going down with backup required.
That said, I also don't blame them super hard for not thinking heavily about the session stuff. These people are enthusiast devs/admins working for free I think? On top of that, they're mostly focusing on their v5 website which may or may not have the above improvements already implemented. It's not they have a security team that will point this stuff out, it's probably left from that 1 guy early on.
Either way, they had the backup & the passwords are hashed & salted properly so good on that.
Also, use password managers people! Never re-use passwords.
Edit: @Jpwong He's saying that the sessions should expire quickly, that there should be no "remember me" functionality for admins like you're saying at the end. Any session whether it's short or a "remember me" type, will have a session entry in the db.
I agree with that. Admin accounts should always have to be re-validated after an hour or so of no-use. And, as I mentioned earlier, an ip check per session would go a long way.
Both of these are easy fixes that would have prevented the site from going down with backup required.
That said, I also don't blame them super hard for not thinking heavily about the session stuff. These people are enthusiast devs/admins working for free I think? On top of that, they're mostly focusing on their v5 website which may or may not have the above improvements already implemented. It's not they have a security team that will point this stuff out, it's probably left from that 1 guy early on.
Either way, they had the backup & the passwords are hashed & salted properly so good on that.
Also, use password managers people! Never re-use passwords.
Edit: @Jpwong He's saying that the sessions should expire quickly, that there should be no "remember me" functionality for admins like you're saying at the end. Any session whether it's short or a "remember me" type, will have a session entry in the db.
- Joined
- Jan 24, 2018
- Messages
- 3,231
@chandr1000
"Session keys used to invalidate immediately if there was any differing information between who was accessing the site and what the session correlates to.
And then we got a tooooooooonnnnn of complaints from people that they kept being logged out of the site and relaxed the invalidation restrictions since, for the most part, we are just a hobby manga site and not some bank service where it's completely imperative that the person using the account always uses the exact same device from the exact same IP and etc..."
The simple solution, is to just hash them.
"Session keys used to invalidate immediately if there was any differing information between who was accessing the site and what the session correlates to.
And then we got a tooooooooonnnnn of complaints from people that they kept being logged out of the site and relaxed the invalidation restrictions since, for the most part, we are just a hobby manga site and not some bank service where it's completely imperative that the person using the account always uses the exact same device from the exact same IP and etc..."
The simple solution, is to just hash them.
- Joined
- Nov 1, 2019
- Messages
- 4
Active member
- Joined
- Jul 6, 2020
- Messages
- 68
So after this and after we have changed our email and password, can we use the "Remember Me" function again? Or is it still at risk?
Thank you.
Thank you.
- Joined
- Jan 16, 2021
- Messages
- 1
Note about native in browser native password managers:
While they are very useful they are also very "
With them comes some risks;
because they are so popular that a malware might be made to get the files of the native password manager, and when that happens well… you just sweat profusely, i mean because generally i don't do dumb things on my machine i could use the chrome password manager but i don't just to be safer, i don't want my password to be leaked altogether in case one day (probably when i will be too much drunk) i decide to install a random app on my pc, the safest thing you can have is technically a password manager that let's input your decryption key but i don't even know if they exist
While they are very useful they are also very "
With them comes some risks;
because they are so popular that a malware might be made to get the files of the native password manager, and when that happens well… you just sweat profusely, i mean because generally i don't do dumb things on my machine i could use the chrome password manager but i don't just to be safer, i don't want my password to be leaked altogether in case one day (probably when i will be too much drunk) i decide to install a random app on my pc, the safest thing you can have is technically a password manager that let's input your decryption key but i don't even know if they exist
@Skullcrane886: See this article; basically it's a shared secret with usually limited scope and duration (ie it won't let you change your password/2fa/ other security settings, and expires after a while). That means it also needs to be stored on both ends of the connection.
- Joined
- Jan 24, 2018
- Messages
- 3,231
@Ser_Walker You're fine to use it.
@Plykiya
Could you make an updated post with most of the questions you have anwered on page 1?
A lot of the questions I might have are some you might already have answered and I’m 89 percent sure you’ve all ready answered what questions I could pose...
2 things I would very much like to be expanded upon though. Ofc. Only if you have the time
You say passwords are the only things that are comperatively “safe” and etc. Isn’t. Would you mind expanding that list to include things we should be worried about other than cross site passwords and emails?
Is there any way of knowing when the db dump the *insert colorful language* has is from?
Could you make an updated post with most of the questions you have anwered on page 1?
A lot of the questions I might have are some you might already have answered and I’m 89 percent sure you’ve all ready answered what questions I could pose...
2 things I would very much like to be expanded upon though. Ofc. Only if you have the time
You say passwords are the only things that are comperatively “safe” and etc. Isn’t. Would you mind expanding that list to include things we should be worried about other than cross site passwords and emails?
Is there any way of knowing when the db dump the *insert colorful language* has is from?
Double-page supporter
- Joined
- Aug 15, 2020
- Messages
- 220
Thank you for beeing transparent.
Maybe you should post a public announcement on the main page and even, dont know if you can, send an e-mail to your users regarding the incident.
I dont think many will check the forums.
Maybe you should post a public announcement on the main page and even, dont know if you can, send an e-mail to your users regarding the incident.
I dont think many will check the forums.
- Status
Similar threads
- Suggestion
