User:Pinsplash/Early July 2018 hacking incident

From Valve Developer Community
< User:Pinsplash
Revision as of 07:20, 6 July 2018 by Pinsplash (talk | contribs) (rhoten email)

Jump to: navigation, search

You have probably heard about the wiki recently having a hacker attack, or maybe you saw that maintenance message. Here's what's up:

Note:The wiki is now safe!

June 24

User:Kendyhikaru attempts and fails to put an XSS script on Help:Contents. We did not raise hell about this cause it was an obvious failure. I know, like 500 people are going to think that was dumb but. chill.

Late July 3 night

I checked Special:RecentChanges and noticed User:SuicideJoy uploading a lot of suspicious content. Immediately I asked other people about this (personal wiki discord and Thinking With Portals) because this attack seemed a lot more legitimate. User:Ficool2 and many other people investigated on virtual machines, phones, etc.

  • Whatever the images uploaded were, they didn't do anything.
  • The 100,000 bytes of text uploaded was XSS scripts that failed due to the wiki software's fairly good security features. If the scripts worked, it would have been immediately obvious because viewing the page would have created many popup messages. We have found that SuicideJoy took that stuff straight from a YouTube video.
  • Seeing the scripts did not work, SuicideJoy blanked the page and then linked to an SVG on another domain (possibly a domain they owned. the URL was to some russian hacking website). This SVG had a JavaScript script embedded in it that would attempt to load a webpage containing an infected MP4 that automatically plays. This MP4 would then send bitcoin-mining malware (sistem.exe) to a victim's computer.
    Confirm:Did or did this not work?

At that moment, there was no site-wide threat. We started spreading word to other communities because it could have become worse, and it did. I sent an email to User:JeffLane a short time after first finding this activity.

July 4

Early morning

As we started to realize that this threat was smaller than we initially thought, some of us were calling it safe. I was aware that many communities were still waiting for Valve to confirm to anybody that the wiki was safe, so I sent a more direct email to Valve's security personnel (


About 45 minutes after me and others said it's safe, User:Valvedev (probably SuicideJoy on another account) started uploading random things, and this time we confirmed they had working XSS. I sent yet another email to telling them about this. As far as I know, this XSS was never used with a malicious intent.

Late evening

Valve put a site-wide redirect to a page notifying that they were doing maintenance to the wiki.

Night of July 5

Valve employee Gabe Van Engel (User:Gvengel) is seen blanking his user page. Within 4 hours of that, the maintenance notice on the wiki was removed.

So far:

  • MediaWiki software updated from 1.23.4 (a version considered OBSOLETE, released September 24, 2014) to 1.27.4 (a legacy (long term support) version, released November 14, 2017)
    Note:The most recent wiki version is 1.31. There is a 1.32 in alpha.
  • Neither User:SuicideJoy nor User:Valvedev have been blocked from the site.
  • I still haven't had word from anyone at Valve, and Engel is probably offline for the night.
  • We still do not have direct 100% confirmation that the wiki is safe. (Personally I don't think there's a site-wide threat, just don't visit any suspicious-looking pages.)

Please actually give us something Valve?

We have (fuck knows how many) users, images, and pages that need to be blocked/deleted but never have. Until just tonight, the wiki has not had any sign of life from a sysop since May 2017. Let that sink in. The wiki has not been properly managed for over a year. (I made that clear in my email to Jeff Lane, by the way.)

Early morning July 6

User:Valvedev is back, showing us his ~*oh-so-scary*~ bookmarks he uses for XSS scripting. I saved over that image. We are all watching the Recent Changes page like hawks, dude. Give it up.

TEN MINUTES AGO: Gabe Van Engel shows us another sign of life on User Talk:Gvengel. (erasing my question... replaced with "test")

We now have word from Valve that the website is safe! Matt Rhoten also emailed me back just now. He suspects Valve's HackerOne program played a role in this.

(I wonder how this might have gone without me and others monitoring closely.)