PSA: FFN Spam & Malicious Javascript Code Issues

[OwlsCantRead]

Given that almost everyone who writes here crossposts to FFN, thought that I should disseminate this PSA.

For those unaware or out of the loop, there's been a whole lot of problems regarding some craziness on Fanfiction.net that have escalated very quickly over the past week.

So, context. There's this group called Critics United on that site which consist of very staunch reviewers who follow the rules of the site to the dot, and will send PMs and lengthy reviews to people who don't (like use song lyrics or whatever). This isn't about them though. This is about the people who don't like their whole attitude and stuff, leading to this "white-hat" hacker staging a protest against the group: he/she has managed to find a way to inject Javascript code into people's bios/user profile.

...which is very bad, by the way. It first started out as the code wiping and changing your own user profile to a support message of the quote-on-quote protest (which resets your user profile btw), but now the guy who staged this has added in more "features", like ensuring that mousing over infected profiles on the profile itself auto-redirects your browser to a different site.

As of the latest update about ~24 hours ago, this nearly turned very lethal, almost a site-wide hack: they were attempting to get people potentially permanently locked out of your account by clicking on a user profile infected by the bug. (Original Reddit Thread Link, what it does is it adds a backup email and then the hacker would change the password using that email to gain access to your account, changing the password and locking you out. At least, that's the way it's supposed to work in theory. It didn't work, but still, they were going to go that far.)

To keep yourself safe, DO NOT visit any user profile. (note: this means you can't send new PMs via profile) This is the only way that the virus is triggered. One wrong click on an account that has been injected and the code will execute and hijack your account (assuming the hacker doesn't find any vulnerability). The safest thing to do is to disable Javascript for the site (will break buttons on the site, however) or just log out of your FFN account, if you really want to play it safe.

People are speculating that the admins might rollback the database, so do keep a backup of whatever you have on there if they do restore the database. Given that almost everyone who posts their fanfiction there also crossposts to this site, I don't think it'll be that big of an issue if they do since all the prose has a copy on this server, but it's best to backup whatever documents you have there regardless.

But yes, tl;dr: Backup all your work on FFN offline and don't click on any user profiles.

EDIT: As of 17 hours ago, it appears that the issue has mostly been resolved in the known backdoor (user profiles), while security vulnerability in general are being patched. I think it's safe to assume the worst is over, but don't let your guard down!

[jassy]

Damn, that’s wild that they were actually willing to go that far, like woah    luckily the last time I logged into my account was to update one of my stories which was back in late September and I write all my stuff on my Microsoft Word account  before posting it elsewhere so I think I’ll be good, but still,,, thanks for the heads up!!

[Littlefoot fan 1990]

D'OH! My fanfiction profile was reset; don't know when it was; but, I didn't know that I was in for a RUDE awakening. 
Edit: I went into my profile account and noticed that my profile information was edited on October 21st 2018. Maybe I ought to log out when I'm not using the account. Damn spam.

Actually, a TRUE rude awakening would be having no internet connection.

[zero-point]

Actually, I'm not that surprised that a persistent XSS vulnerability exists on that site. Stay safe folks.

[zero-point]

I pinned the topic so it stays on top. Thanks for the heads up! Let's hope they can get this mess sorted out.

[rhombus]

Thank you for the heads up, OwlsCantRead!  I am going to warn my co-authors about this situation.  The staff at fanfiction.net has not communicated anything to us thus far.

[OwlsCantRead]

I went into my profile account and noticed that my profile information was edited on October 21st 2018. Maybe I ought to log out when I'm not using the account. Damn spam.

That was the exact day this mess started. You probably got unlucky and were hit by the script on day 1 when it was still unknown and people thought they were being hacked.

Actually, I'm not that surprised that a persistent XSS vulnerability exists on that site. Stay safe folks.

I wish I could say I was surprised too but given that the site is so old... yeah.

I pinned the topic so it stays on top. Thanks for the heads up! Let's hope they can get this mess sorted out.

The staff at fanfiction.net has not communicated anything to us thus far.

...lol. I hope so too. And I'm not surprised they didn't say anything since the site admins are notorious for radio silence. I'll probably update if/when it gets fixed for good.

Thank you for the heads up, OwlsCantRead!  I am going to warn my co-authors about this situation.

Are you warning them via FFN's PM? If so, don't send a new one since it requires you to go to their profile page! Just reply to a previous one you sent them.


There's another comprehensive post that came out a few hours ago on Reddit detailing the situation.

Here's an excerpt from that post that explains just what's happening:
XSS is a type of computer security vulnerability in web applications. It tricks a web browser into believing that the script it sends is from the trusted site instead of a third-party. On FFN, this client side-script is embedded in infected user profiles and runs when a user views an infected profile. This evolved to the script being embedded in links to infected user profiles. The script runs, accesses the user’s login information cookie, and brute forces a guess at the user’s id in order to send change requests for the profile. The script both changes the message of the profile and embeds itself in the profile in order to continue the propagation, effectively making it a worm. There are reports that simply hovering over a link to an infected profile can begin the script, which is possible, but I have not yet had the chance to verify. There is also evidence of code attempting to add a secondary email account to infected profiles, but it has not been successful thus far. This may be a single actor but is more likely to be multiple, given the number of times the scripting message and purpose has evolved, which is why this is called the CU Hacks, plural.

The CU Hacks is a client-side worm. It does not infect anything outside the FFN site. It does not infect your internet device. It is important to note that this script will run in the browser even if a user isn’t logged in when a user visits an infected profile (or possibly hovers over a link), you just can’t see the results unless you’re logged in and have a profile for the code to affect. If FFN does not act on this vulnerability, it is possible that another opportunistic actor may attempt to execute a more destructive exploit that can attempt to harm a user’s computer.

Again, to emphasize, this spreads by clicking on infected user profiles, so do not click on any user's profile until this blows over.

[OwlsCantRead]

For what it's worth Fictionpress finally issued a statement on this issue barely two hours ago.


https://twitter.com/FictionPress/status/1055293042092109827

We have plugged the current known attack vector which combined csrf attacks with a html injection bug within the user profile page when access via a web browser. App users are not effected. A security review of the entire system is underway.

According to them, the vulnerability with the XSS code injection is patched. Thus, as of now the immediate problem with profiles is solved, although I still personally think that the damage to the site's reputation has already been done...

[Ducky123]

Holy cow...

I ain't reupload all of my stories there... do you know how much work that is? Uploading an average chapter of mine (proofreading included) can take up to 2 hours.

That being said, I have not logged into ffn since this attack began (or at least I believe so, I did upload a chapter of sdp on sunday I think so just before it started...)

EDIT: Since the mobile version doesn't seem to be affected I went ahead and logged in from my phone and it seems everything is still there. Whew.

[Ducky123]

So, uhh, is it now safe to visit the site again?

[rhombus]

So, uhh, is it now safe to visit the site again?

It should be, I do believe. Though this does show the poor maintenance at fanfiction.net and the potential for future issues if their admin philosophy does not change.

[OwlsCantRead]

So, uhh, is it now safe to visit the site again?

The known vulnerability has been fixed as said in the tweet by Fictionpress. Those spam reviews are still there (because of course they are) but it's nothing more than an annoyance, the actual XSS problem in the profile has been patched -- I noticed a key difference when editing profiles, you can't have ? symbols by themselves now (at the end of the sentence still works), which mean the admin probably broke all URL links to external sites again to prevent random redirection via injections.

Perhaps the thread can be unstickied by staff lest people get the wrong idea? I already edited my initial post, but the problem has been fixed for now so there's no need to panic.

EDIT: I see Rhombus beat me to it. Yeah, I agree that it does reflect badly on the site that they let this happen for close to a week and only stepped in when the code evvolved to the point where they were attempting to do actual harm with it.