1

Topic: hacKeD??

hey guys..
I just found a very serious bug in your site,
and it helped me dumping the whole database of nextepisode,
including forum's.
I just want to make sure you guys are running it secure..

for P.O.C

[img removed by santah / showing private emails]

cracked passwds just for fun, nothing harmed

[img removed by santah / showing parts of passwords]

I want you guys to fix this bug, and I can help you in it.
I'm not harming anything, and I won't be.
and yeah, this is not my account here, just stole it from database.
for contact: [email protected]

2

Re: hacKeD??

Okay, it's a good thing to find weaknesses so they can be fixed. But it could lead to a lot of visitor loss for a website. Isn't it better to discuss these sort of things directly with the admin instead of posting it here?

I think users should know that their data has been in other hands. But shouldn't the admin of the site get a chance to break the news?

I for one am happy that this happened if that means the site will be safe from this kind of stuff in the future and nothing harmful has been done.

Or is this some hoax? How come no one has responded to this yet?

3 (edited by Keisu 2014-03-20 02:47:39)

Re: hacKeD??

Probably no hoax. It's common enough. It's easy to miss security flaws when developing even if you are security aware.

https://next-episode.net/sig/sig.php?alias=default&k=0ef7e7de42c02d531b7c2d0f913cc132&user=Keisu

4

Re: hacKeD??

I'm on it.

I contacted the guy, will let you guys know once I have more info.

5

Re: hacKeD??

I can't believe we were hacked, I thought we lived in a TV bubble where we were safe smile

6 (edited by RoboticMonkey 2014-03-20 19:21:34)

Re: hacKeD??

Oh dear now i must change my 7 years old password smile

7

Re: hacKeD??

Keisu wrote:

Probably no hoax. It's common enough. It's easy to miss security flaws when developing even if you are security aware.

true story!.
there is nothing secure on the internet, and Humans make mistakes tongue

santah wrote:

I'm on it.

I contacted the guy, will let you guys know once I have more info.

Well Thanks for contacting me in regards to this. and I'm glad that you take it positively mate!.

Katy wrote:

I can't believe we were hacked, I thought we lived in a TV bubble where we were safe smile

Sir, Don't believe it, You should keep enjoying in your super cool fantasy World!, You are Awesome. I apologize I bothered You!!!!.  Mr Sonah, You Admin is a cool guy,

madboobs wrote:

Oh dear now i must change my 7 years old password smile

7 years Old password? Really :-o :-o...

Oh dear, You should have changed it 6 years 11 months earlier,
A password is a thing you should always keep updated. at least once in a month.

     
               never mess with a guy who has root on your b0x.
                                                                                                           wink
                                                                                                                   http://sqligods.com

8

Re: hacKeD??

So, that's our hacker guy right here smile (pointing to the post above)

To update:

We exchanged a couple of emails. What he said pretty much confirmed what I was able to discover from my logs:

- only the forum user data was dumped, site accounts and other data weren't downloaded at all (and even if they were, they have stronger protection than the forum accounts)
- forum user passwords are crackable (even though they ain't plaintext) so you should change 'em
- the flaw that allowed for the attack was what I thought it was and is fixed. That doesn't mean we're safe forever, and I'll try and find other similarly vulnerable points on the site in the coming days.

Basically, the guy who attacked us ain't evil, and we're a bit safer after this. Change your passwords, but you have to do it anyway, so it's a good excuse smile

9

Re: hacKeD??

madboobs wrote:

Oh dear now i must change my 7 years old password smile

Same here well 4 year forum password, I was late to the forums smile

10

Re: hacKeD??

I only changed my 3 months ago.  Oh well.
I don't even know what my password is.  I do know its a randomly generated 32 character one.  big_smile

DRM "manages access" in the same way that Prison "manages freedom".
http://xkcd.com/488/

11

Re: hacKeD??

I probably shouldn't admit this, especially since my password's already out there, but I use similar passwords for everything, and probably haven't changed it in over a decade. I figure what's more likely, someone breaks into my house and finds this months list of passwords since I can't remember them all, or someone picks me out of an list of users from an insecure database, somehow figures out where else I've been, and manages to guess the way I alter the 'base password' for each site?

I haven't got anything worth stealing anyway.

12

Re: hacKeD??

PaulBags wrote:

I haven't got anything worth stealing anyway.

I thought so too, until my e-mail account started sending spam everywhere.

Now I use 4 passwords, 1 for not important websites, 1 for fishy websites, 1 for important ones and a variation of 1 for paypal, online banking etc.

13

Re: hacKeD??

I used to have 3 passwords:
1. supereasy generic password for not important websites
2. medium password for the sites that required more secure phrase
3. long and hard to guess yet still easy to memorize for more important sites

Then I started using lastpass. Very useful, free extension for all major browsers. It can generate secure passwords and remembers them for you and syncs them among your devices. All you have to remember is the master password. Now more and more of my passwords are complying with reasonable security standards.

http://i1052.photobucket.com/albums/s450/Osiris_Wesir/worthwatch_zpsb42c769a.jpg

14

Re: hacKeD??

pablo-pancho wrote:

Then I started using lastpass. Very useful, free extension for all major browsers. It can generate secure passwords and remembers them for you and syncs them among your devices. All you have to remember is the master password. Now more and more of my passwords are complying with reasonable security standards.

I use 1Password, its a paid for app, but does the same thing
So much better

DRM "manages access" in the same way that Prison "manages freedom".
http://xkcd.com/488/

15

Re: hacKeD??

12345, thats amazing, i have the same combination on my luggage.

"city morgue, you kill em, we chill em"

16

Re: hacKeD??

So it's possible that someone (a "hacker") could log in as me....Gargamel, and change my favourite shows to reality tv trash and Honey Boo-Boo, that's diabolical!!!!! lol

17 (edited by madcodE 2014-03-22 13:32:46)

Re: hacKeD??

well its not really a good idea to use some app or extensions to save your passwords.
you might have no idea how dangerous it could be. The application might be saving your passwords and other personal information and sending it to someone else.
Why I'm telling you guys about it  and How come I know about this things,  because probably a year ago, I coded an application like this which was already connected with a back end database (won't mention name here but I had put it offline).
So, Just not trust any applications like password wallets tongue

./madcodE

     
               never mess with a guy who has root on your b0x.
                                                                                                           wink
                                                                                                                   http://sqligods.com

18

Re: hacKeD??

Gargamel wrote:

So it's possible that someone (a "hacker") could log in as me....Gargamel, and change my favourite shows to reality tv trash and Honey Boo-Boo, that's diabolical!!!!! lol

If i was logged in as you i would only change your avatar to Gargamel of the tv show The Smurfs tongue.

19

Re: hacKeD??

I am just going to throw this here: https://www.youtube.com/watch?v=8ZtInClXe1Q

Pretty good overview on how passwords are stored for the laymen.

20

Re: hacKeD??

Thing I don't get is why people still use the term "password", I've had 'pass phrases' for years, and it changes with every single site I'm a member of...

One of the best things I've seen for secured 'passwords' its to have it in three sections (obviously some sites don't allow a part of this which is annoying)

1) A few words culminating in a short sentence, using upper and lower case alpha numeric symbols, something meaningful to you.
2) A forward slash, hyphen or other dividing character (supported by the site you're on that is).
3) A site specific suffix (never reused anywhere else), mix upper and lower case letters and use numbers here too.

So you end up with something like;

Cr33persRea11yL0veM3/MC

If this were a real password I'd have used it for a mojang account for example... change the /MC to /hml for hotmail for example and so on...

Using this style of password I've never had a hijacked account... Just a thought for people who may be wanting to change passwords regarding this.

https://next-episode.net/sig/sig.php?alias=default&kk=235f2f1ae70eb30963db30b6f68c97ed

21

Re: hacKeD??

The password that I mostly use has two words that have no realtion to eachother with one of the letters replaced with a number plus a special charachter. For example 'HammerCarr0t@' or 'T0matoPenci1l!'

If I were to use a more complex password I would have to keep a log of them in a book near my pc...

...where did I put that rat's ass I could give?

Daemons are benevolent or benign nature spirits, beings of the same nature as both mortals and gods, similar to ghosts, chthonic heroes, spirit guides, forces of nature or the gods themselves.

22

Re: hacKeD??

My only question is - who hacked publichd? It's my favorite site for free torrents. tongue

https://next-episode.net/sig/sig.php?alias=default&kk=f2966a511fdd8bb4a428730b3f318478