Author Topic: PSA: FFN Spam & Malicious Javascript Code Issues  (Read 402 times)

OwlsCantRead

PSA: FFN Spam & Malicious Javascript Code Issues
« on: October 24, 2018, 01:43:28 am »
Given that almost everyone who writes here crossposts to FFN, thought that I should disseminate this PSA.

For those unaware or out of the loop, there's been a whole lot of problems regarding some craziness on Fanfiction.net that have escalated very quickly over the past week.

So, context. There's this group called Critics United on that site which consists of very staunch reviewers who follow the rules of the site to the dot, and will send PMs and lengthy reviews to people who don't (like use song lyrics or whatever). This isn't about them though. This is about the people who don't like their whole attitude and stuff, leading to this "white-hat" hacker staging a protest against the group: he/she has managed to find a way to inject Javascript code into people's bios/user profiles.

...which is very bad, by the way. It first started out as the code wiping and changing your own user profile to a support message of the quote-unquote protest (which resets your user profile btw), but now the guy who staged this has added in more "features", like ensuring that mousing over infected profiles on the profile itself auto-redirects your browser to a different site.

As of the latest update about ~24 hours ago, this nearly turned very lethal, almost a site-wide hack: they were attempting to get people potentially permanently locked out of their accounts by clicking on a user profile infected by the bug. (Original Reddit Thread Link, what it does is it adds a backup email and then the hacker would change the password using that email to gain access to your account, changing the password and locking you out. At least, that's the way it's supposed to work in theory. It didn't work, but still, they were going to go that far.)

To keep yourself safe, DO NOT visit any user profile. (note: this means you can't send new PMs via profile) This is the only way that the virus is triggered. One wrong click on an account that has been injected and the code will execute and hijack your account (assuming the hacker doesn't find any vulnerability). The safest thing to do is to disable Javascript for the site (will break buttons on the site, however) or just log out of your FFN account, if you really want to play it safe.

People are speculating that the admins might roll back the database, so do keep a backup of whatever you have on there if they do restore the database. Given that almost everyone who posts their fanfiction there also crossposts to this site, I don't think it'll be that big of an issue if they do since all the prose has a copy on this server, but it's best to back up whatever documents you have there regardless.

But yes, tl;dr: Backup all your work on FFN offline and don't click on any user profiles. :Mo

EDIT: As of 17 hours ago, it appears that the issue has mostly been resolved in the known backdoor (user profiles), while security vulnerabilities in general are being patched. I think it's safe to assume the worst is over, but don't let your guard down!
« Last Edit: October 25, 2018, 07:05:11 pm by OwlsCantRead »
A quaint creature who soars when the Night Circle is highest in the dark sky, messing up his circadian rhythm in the process. Truly, a tragic flyer.

In terms of LBT, love to write stories! :)
Current Fics: Waves Crashing Upon the Sky, Five Stages of Grief, Scrambled Eggs, and Our Safe Haven.



What is a signature? A miserable pile of secrets! Enough talk... scroll down already!

jassy

Re: PSA: FFN Spam & Malicious Javascript Code Issues
« Reply #1 on: October 24, 2018, 01:52:43 am »
Damn, that's wild that they were actually willing to go that far, like woah :sducky luckily the last time I logged into my account was to update one of my stories which was back in late September and I write all my stuff on my Microsoft Word account before posting it elsewhere so I think I'll be good, but still,,, thanks for the heads up!! :DD
I love the rainbow faces from the bottom of my heart!

My stories:

Across The Seasons
Worlds Apart
Deliver Us
Under The Stars

Stay tuned for more!

Littlefoot fan 1990

Re: PSA: FFN Spam & Malicious Javascript Code Issues
« Reply #2 on: October 24, 2018, 08:28:01 am »
D'OH! My fanfiction profile was reset; don't know when it was; but I didn't know that I was in for a RUDE awakening.
Edit: I went into my profile account and noticed that my profile information was edited on October 21st 2018. Maybe I ought to log out when I'm not using the account. Damn spam.

Actually, a TRUE rude awakening would be having no internet connection.
« Last Edit: October 24, 2018, 08:46:22 am by Littlefoot fan 1990 »

zero-point

Re: PSA: FFN Spam & Malicious Javascript Code Issues
« Reply #3 on: October 24, 2018, 02:21:36 pm »
Actually, I'm not that surprised that a persistent XSS vulnerability exists on that site. Stay safe folks.
"The fire flickers with possibilities, I wonder what happens if you get a little closer?"

zero-point

Re: PSA: FFN Spam & Malicious Javascript Code Issues
« Reply #4 on: October 24, 2018, 02:25:39 pm »
I pinned the topic so it stays on top. Thanks for the heads up! Let's hope they can get this mess sorted out. :DD

rhombus

Re: PSA: FFN Spam & Malicious Javascript Code Issues
« Reply #5 on: October 24, 2018, 02:29:58 pm »
Thank you for the heads up, OwlsCantRead!  I am going to warn my co-authors about this situation.  The staff at fanfiction.net has not communicated anything to us thus far.


Go ahead and check out my fanfictions, The Seven Hunters, Songs of the Hunters, and Mender's Tale

OwlsCantRead

Re: PSA: FFN Spam & Malicious Javascript Code Issues
« Reply #6 on: October 24, 2018, 06:54:31 pm »
Quote from: Littlefoot fan 1990 on October 24, 2018, 08:28:01 am
I went into my profile account and noticed that my profile information was edited on October 21st 2018. Maybe I ought to log out when I'm not using the account. Damn spam.
That was the exact day this mess started. You probably got unlucky and were hit by the script on day 1 when it was still unknown and people thought they were being hacked. :sducky

Quote from: zero-point on October 24, 2018, 02:21:36 pm
Actually, I'm not that surprised that a persistent XSS vulnerability exists on that site. Stay safe folks.
I wish I could say I was surprised too but given that the site is so old... yeah.

Quote from: zero-point on October 24, 2018, 02:25:39 pm
I pinned the topic so it stays on top. Thanks for the heads up! Let's hope they can get this mess sorted out. :DD
Quote from: rhombus on October 24, 2018, 02:29:58 pm
The staff at fanfiction.net has not communicated anything to us thus far.
...lol. I hope so too. And I'm not surprised they didn't say anything since the site admins are notorious for radio silence. I'll probably update if/when it gets fixed for good.

Quote from: rhombus on October 24, 2018, 02:29:58 pm
Thank you for the heads up, OwlsCantRead! I am going to warn my co-authors about this situation.
Are you warning them via FFN's PM? If so, don't send a new one since it requires you to go to their profile page! Just reply to a previous one you sent them.



There's another comprehensive post that came out a few hours ago on Reddit detailing the situation.

Here's an excerpt from that post that explains just what's happening:
XSS is a type of computer security vulnerability in web applications. It tricks a web browser into believing that the script it sends is from the trusted site instead of a third party. On FFN, this client-side script is embedded in infected user profiles and runs when a user views an infected profile. This evolved to the script being embedded in links to infected user profiles. The script runs, accesses the user's login information cookie, and brute forces a guess at the user's id in order to send change requests for the profile. The script both changes the message of the profile and embeds itself in the profile in order to continue the propagation, effectively making it a worm. There are reports that simply hovering over a link to an infected profile can begin the script, which is possible, but I have not yet had the chance to verify. There is also evidence of code attempting to add a secondary email account to infected profiles, but it has not been successful thus far. This may be a single actor but is more likely to be multiple, given the number of times the scripting message and purpose have evolved, which is why this is called the CU Hacks, plural.

The CU Hacks is a client-side worm. It does not infect anything outside the FFN site. It does not infect your internet device. It is important to note that this script will run in the browser even if a user isn't logged in when a user visits an infected profile (or possibly hovers over a link); you just can't see the results unless you're logged in and have a profile for the code to affect. If FFN does not act on this vulnerability, it is possible that another opportunistic actor may attempt to execute a more destructive exploit that can attempt to harm a user's computer.


Again, to emphasize, this spreads by clicking on infected user profiles, so do not click on any user's profile until this blows over.

OwlsCantRead

Re: PSA: FFN Spam & Malicious Javascript Code Issues
« Reply #7 on: October 25, 2018, 01:06:16 am »
For what it's worth Fictionpress finally issued a statement on this issue barely two hours ago.


https://twitter.com/FictionPress/status/1055293042092109827
Quote
We have plugged the current known attack vector which combined CSRF attacks with an HTML injection bug within the user profile page when accessed via a web browser. App users are not affected. A security review of the entire system is underway.

According to them, the vulnerability with the XSS code injection is patched. Thus, as of now the immediate problem with profiles is solved, although I still personally think that the damage to the site's reputation has already been done... :sducky

Ducky123

Re: PSA: FFN Spam & Malicious Javascript Code Issues
« Reply #8 on: October 25, 2018, 01:23:41 am »
Holy cow...

I ain't reuploading all of my stories there... do you know how much work that is? Uploading an average chapter of mine (proofreading included) can take up to 2 hours.

That being said, I have not logged into ffn since this attack began (or at least I believe so, I did upload a chapter of sdp on Sunday I think, so just before it started...)

EDIT: Since the mobile version doesn't seem to be affected I went ahead and logged in from my phone and it seems everything is still there. Whew.
« Last Edit: October 25, 2018, 01:38:00 am by Ducky123 »
Note to self: finally create that signature lazy bum! :P

Ducky123

Re: PSA: FFN Spam & Malicious Javascript Code Issues
« Reply #9 on: October 30, 2018, 12:34:58 pm »
So, uhh, is it now safe to visit the site again?

rhombus

Re: PSA: FFN Spam & Malicious Javascript Code Issues
« Reply #10 on: October 30, 2018, 06:34:16 pm »
Quote from: Ducky123 on October 30, 2018, 12:34:58 pm
So, uhh, is it now safe to visit the site again?

It should be, I do believe. Though this does show the poor maintenance at fanfiction.net and the potential for future issues if their admin philosophy does not change.

OwlsCantRead

Re: PSA: FFN Spam & Malicious Javascript Code Issues
« Reply #11 on: October 30, 2018, 06:37:37 pm »
Quote from: Ducky123 on October 30, 2018, 12:34:58 pm
So, uhh, is it now safe to visit the site again?
The known vulnerability has been fixed as said in the tweet by Fictionpress. Those spam reviews are still there (because of course they are) but it's nothing more than an annoyance; the actual XSS problem in the profile has been patched. I noticed a key difference when editing profiles: you can't have ? symbols by themselves now (at the end of a sentence still works), which means the admin probably broke all URL links to external sites again to prevent random redirection via injections.

Perhaps the thread can be unstickied by staff lest people get the wrong idea? I already edited my initial post, but the problem has been fixed for now so there's no need to panic.

EDIT: I see Rhombus beat me to it. :p Yeah, I agree that it does reflect badly on the site that they let this happen for close to a week and only stepped in when the code evolved to the point where they were attempting to do actual harm with it.
« Last Edit: October 30, 2018, 06:40:04 pm by OwlsCantRead »