Creative Commons license icon

Fur Affinity restoring from six-day-old backups after server compromised; site source code distributed at BLFC

Edited as of Wed 1 Jun 2016 - 08:39
Your rating: None Average: 3.6 (25 votes)

Fur Affinity has been "pulled offline temporarily" after users' accounts and submissions went missing.

Update (21 May): FA returned for a day, but is now in read-only mode. Passwords were said to be hashed and salted, but if you've used the same one elsewhere, now is the time to change it to be unique per-site.

Update 2 (23 May): Fur Affinity has returned; however, all passwords have been reset, which is causing problems for those with an old/invalid email address.

It has been confirmed that an exploit was used to copy Fur Affinity's source code, later distributed at Biggest Little Fur Con. A subsequent attack deleted user profiles, submissions, and watches.

FA users took to Twitter and the Fur Affinity Forums looking for answers – which appeared to have been preemptively provided by a post asking "What would you do if you found an exploit on FA?", posted last Sunday on the Phoenixed Forums. However, more recent posts by the original poster disclaim responsibility.

The recent "ImageTragick" vulnerability in widely-used processing library ImageMagick was soon turned into an exploit and has been identified by FA as the original attack vector.

Fur Affinity community manager Dragoneer reports that backups exist, but are six days old:

The majority [of the site's data is secure], yes. The backup we have is 6 days old. We're still going through and trying to determine the extent of the issue, and once we have more information, we'll post it publicly and give a full, transparent run down of what happened.

Staff have since "restored a majority of the content which was lost" and are continuing their security audit.

Traffic on Inkbunny and Weasyl spiked 40% on the news, while Furry Network removed its invite requirement for registration earlier today.

FA is offline

Fur Affinity source code USB drive

Somebody got the source code through the ImageTragick exploit (which we patched on May 5th). We assume they put them on flash drives and distributed them out, or left them in public places hoping for them to be found. We don't really have any other information.

On of the BLFC security staffers found the drives and notified and FAU staffer who was at the con, and we were able to get a copy of the contents sent over via Skype to start analyzing.

Flash drive said by Dragoneer to contain Fur Affinity source code. Several were found at BLFC.

Comments

Your rating: None Average: 3.3 (10 votes)

Here's a little ditty I composed on a different site.

"FA gets pushed up!
Then it falls down again.
You're never gonna keep it up.
It gets pushed up.
Then it falls down again.
You're never gonna keep it up."

"If all mankind minus one, were of one opinion, and only one person were of the contrary opinion, mankind would be no more justified in silencing that one person, than he, if he had the power, would be justified in silencing mankind."
~John Stuart Mill~

Your rating: None Average: 4.8 (5 votes)

the reason furry network removed their invite feature today is because they had a launch party at BLFC.

https://twitter.com/BiggestLittleFC/status/731204146779410432

Your rating: None Average: 3 (4 votes)

http://forums.furaffinity.net/threads/5-17-site-attack.1530523/

FurAffinity notes that FA's site code was being handed around on USBs.

Your rating: None Average: 3 (4 votes)

I'm gonna have to doc you a point for the headline GreenReaper. The thread you linked to seems to claim it was just coincidental timing for their inquiry.

Your rating: None Average: 3 (4 votes)

It appeared to be at the time, but as you say, it's now claimed to be a completely different exploit.
Breaking news! Updated the article an hour ago, will tweak the title too.

Your rating: None Average: 5 (3 votes)

Based on the information available, I'm betting that the leaked source code included connection strings that let someone connect directly to their database and start dropping tables. It's possible that there were other ways in, but this would definitely be the quickest.

What that means is that the database server is not using a whitelist or VPN - it's just right out in the open for anyone with the right credentials to jump in and wreak havoc. This was a big disaster waiting to happen.

As soon as the staff learned that source code had leaked, they should have reacted immediately by changing passwords and limiting database access.

In the FAF thread, when someone pointed out that FA's history of insecurity is no secret and staff should have long ago allocated resources to setting up daily backups and a "full security audit" of their system, Dragoneer naturally passed off the blame to the ImageMadgick exploit. Yes, the same one that he JUST claimed had already been patched before the attack. ¯\_(ツ)_/¯

Your rating: None Average: 5 (5 votes)

Trusting Dragoneer to deliver accurate and timely cybersecurity incident news is like trusting a 5-year old to pilot a jetliner filled with people. It is far too early to say if data is safe. Don't even get me started on Dragoneer's definition of Transparency.

Your rating: None Average: 5 (3 votes)

Website Transparency:

Using PNG files with an alpha channel.

Your rating: None Average: 4 (3 votes)

If the source code was open source, there would be no need to make it public through shady means

Your rating: None Average: 4.7 (3 votes)

Right, but releasing existing code that has multiple contributors as Open Source is usually a difficult task.

Sadly the one attempt to rewrite FA as Open Source didn't go anywhere.

Your rating: None Average: 5 (4 votes)

There have been at least five attempts to recode FA, many of which were open source promised.

Not one. :D

Your rating: None Average: 2 (3 votes)

It reminds one of the Dallas Airport's baggage system. Some errors just did not respond to debugging over & over. Repeatedly it would throw luggage against the walls. Finally, with substantial delays in opening the airport already resulting, they scrapped the entire program and the airport opened with workers carrying the baggage by hand. That despite the ads emphasizing computerized baggage handling.

Your rating: None Average: 3 (3 votes)

The timing of the Phoenixd thread seems very conincidental, and of course the original poster would claim that he didn't do it. I'm not saying someone from Phoenixd did it, but saying "I didn't do it" does put a person above suspicion

Your rating: None Average: 3 (3 votes)

*doesn't

Your rating: None Average: 5 (3 votes)

It's a good thing I am pretty much a nobody on FA at this point. Guess that raises the chances of my account being untouched. On May 15th it was still there at least.

Well, I'll be...

Your rating: None Average: 5 (3 votes)

I've been locked out of mine for... four years? Maybe hackers will let me back in and see what messages I got.

"If all mankind minus one, were of one opinion, and only one person were of the contrary opinion, mankind would be no more justified in silencing that one person, than he, if he had the power, would be justified in silencing mankind."
~John Stuart Mill~

Your rating: None Average: 1.3 (3 votes)

That quote was made in the anti-McCarthy fantasy, the Investigator. My father had a 33rp LP which I now own.
McCarthy dies in a plane crash, and in heaven, assumes control of the Investigative Committee , to determine newcomers' fitness to live there. He opens a re-inbestigation perceiving corruption & laxness on the part of St.Peter, the gatekeeper. A great number of people get thrown out of heaven, until the Devil complains of all these people banished to his realm -and causing no end of trouble with their agitation.

Your rating: None Average: 5 (3 votes)

Well, looks like my account is untouched.

Well, I'll be...

Your rating: None Average: 3.8 (5 votes)

Extremely important update: FA passwords have been compromised! Many furries reporting that offsite accounts have had attempts:

https://twitter.com/theMainKitteh/status/733740991505567744

https://twitter.com/loudjill/status/733673972194287616

https://twitter.com/Kalmor_Isvaeng/status/733654981786636288

Your rating: None Average: 5 (4 votes)

Call me a jerk but good. People need to move off of that hole riddled site already.

Your rating: None Average: 5 (6 votes)

It's not that FA is a bad site, but Dragoneer is doing a piss poor job of handling things. A lot of furries I spoke to would like him to resign in favor of someone else that's more capable of doing a better job.

Your rating: None Average: 3 (4 votes)

Fur Affinity has returned, having reset all passwords, added a CAPTCHA, and reduced the access of their database user, along with various other security tweaks. The first of these has caused sign-in problems for users with old or throwaway email addresses, while the second has broken importers such as FA2IB and Furry Network's integrated importer.

Oh, and Motherboard noticed, so there's that.

Your rating: None Average: 3 (4 votes)

As a public service announcement, I can confirm there is a deep web site where anyone can find any FurAffinity user's email address by typing in their account name.

I won't name the site of course, as it's a security issue and can be used to harass people, just know I can confirm that it exists and it is legitimate...

Your rating: None Average: 3.5 (4 votes)

"Dragoneer does __________, Weasyl traffic spikes"

I know history repeats itself, but "furry history" seems to be in some Star Trek style temporal loop!

Post new comment

  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <img> <b> <i> <s> <blockquote> <ul> <ol> <li> <table> <tr> <td> <th> <sub> <sup> <object> <embed> <h1> <h2> <h3> <h4> <h5> <h6> <dl> <dt> <dd> <param> <center> <strong> <q> <cite> <code> <em>
  • Lines and paragraphs break automatically.

More information about formatting options

CAPTCHA
This test is to prevent automated spam submissions.
Leave empty.

About the author

GreenReaper (Laurence Parry)read storiescontact (login required)

a developer, editor and Kai Norn from London, United Kingdom, interested in wikis and computers

Small fuzzy creature who likes cheese & carrots. Founder of WikiFur, lead admin of Inkbunny, and Editor-in-Chief of Flayrah.