User:Pinsplash/Early July 2018 hacking incident

From Valve Developer Community

You have probably heard about the wiki recently having a hacker attack, or maybe you saw that maintenance message. Here's what's up:

Note: The wiki is now safe!

June 24

User:Kendyhikaru attempts and fails to put an XSS script on Help:Contents. We did not raise hell about this because it was an obvious failure. I know, like 500 people are going to think that was dumb, but chill.

Late night, July 3

I checked Special:RecentChanges and noticed User:SuicideJoy uploading a lot of suspicious content. I immediately asked other people about this (the personal wiki Discord and Thinking With Portals) because this attack seemed a lot more legitimate. User:Ficool2 and many other people investigated on virtual machines, phones, etc.

  • Whatever the images uploaded were, they didn't do anything.
  • The 100,000 bytes of text uploaded were XSS scripts that failed due to the wiki software's fairly good security features. If the scripts had worked, it would have been immediately obvious, because viewing the page would have created many popup messages. We have found that SuicideJoy took that stuff straight from a YouTube video.
  • Seeing that the scripts did not work, SuicideJoy blanked the page and then linked to an SVG on another domain (possibly a domain they owned; the URL pointed to some Russian hacking website). This SVG had JavaScript embedded in it that would attempt to load a webpage containing an infected MP4 that automatically plays. This MP4 would then send Bitcoin-mining malware (sistem.exe) to a victim's computer.
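Both of the attempts described above come down to one question: does a piece of uploaded or linked content carry anything a browser will execute? As an added example (not code from the wiki, from MediaWiki, or from anyone involved in the incident), the following Python script scans an SVG for the markers that make such a file dangerous: `<script>` and other active elements, `on*` event-handler attributes, `javascript:`/`data:` URLs, and references to other origins. The two sample SVGs are constructed for the example, and the domain attacker.example is a placeholder, not the domain from the incident.

```python
"""Flag active content in an SVG document.

Added example for this page; not code from the Valve Developer Community
wiki, from MediaWiki, or from anyone involved in the incident.
"""
import re
import xml.etree.ElementTree as ET

# Elements that can run script or embed arbitrary documents inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# URL schemes that execute or embed content when used in an href.
SCRIPT_URL_RE = re.compile(r"^\s*(?:javascript|data|vbscript):", re.IGNORECASE)
# Absolute or protocol-relative URLs that pull content from another origin.
EXTERNAL_URL_RE = re.compile(r"^\s*(?:https?:)?//", re.IGNORECASE)


def _local_name(qualified):
    """Return 'href' for both 'href' and '{http://www.w3.org/1999/xlink}href'."""
    return qualified.rsplit("}", 1)[-1]


def svg_findings(svg_text):
    """Return a list of (reason, detail) pairs; an empty list means nothing active was found."""
    findings = []
    root = ET.fromstring(svg_text)  # strict XML, like a browser rendering an .svg document
    for elem in root.iter():
        name = _local_name(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(("active element", f"<{name}>"))
        for attr, value in elem.attrib.items():
            attr_name = _local_name(attr)
            if attr_name.lower().startswith("on"):
                # onload=, onclick=, ... run script without any <script> element.
                findings.append(("event handler", f"{attr_name}={value!r}"))
            elif attr_name == "href":
                if SCRIPT_URL_RE.match(value):
                    findings.append(("script URL", f"href={value!r}"))
                elif EXTERNAL_URL_RE.match(value):
                    # Content fetched from another origin was never reviewed with the upload.
                    findings.append(("external reference", f"href={value!r}"))
    return findings


def is_safe_svg(svg_text):
    """True when the scan finds nothing that a browser could execute or fetch."""
    return not svg_findings(svg_text)


# Constructed samples (not the actual file from the incident); attacker.example is a placeholder.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="blue"/>
</svg>"""

SCRIPTED_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <script><![CDATA[ window.location = "http://attacker.example/landing.html"; ]]></script>
  <a xlink:href="javascript:alert(1)"><rect width="10" height="10"/></a>
  <image onload="alert(1)" href="http://attacker.example/x.png"/>
</svg>"""


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("scripted", SCRIPTED_SVG)):
        print(f"{label}: {'safe' if is_safe_svg(doc) else 'ACTIVE CONTENT'}")
        for reason, detail in svg_findings(doc):
            print(f"  {reason}: {detail}")
```

Running the block prints the findings for both samples. One caveat worth knowing when triaging this kind of content: a browser does not execute script inside an SVG that is displayed through an `<img>` tag; the script runs when the SVG is opened as a document in its own tab (which is what following a direct link does) or embedded via `<object>`/`<iframe>`. That is why a link to an externally hosted SVG is more useful to an attacker than an inline image. MediaWiki's own upload checks reject SVGs that contain script or event handlers, which is one plausible reason the file was hosted off-site rather than uploaded. A scanner like this one is a triage aid, not a sanitizer.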

At that moment, there was no site-wide threat. We started spreading word to other communities because it could have become worse, and it did. I sent an email to User:JeffLane a short time after first finding this activity.

July 4

Early morning

As we started to realize that this threat was smaller than we initially thought, some of us were calling it safe. I was aware that many communities were still waiting for Valve to confirm to anybody that the wiki was safe, so I sent a more direct email to Valve's security personnel ([email protected]).

Morning

About 45 minutes after I and others said it was safe, User:Valvedev (not SuicideJoy, unlike everyone initially thought) started uploading random things, and this time we confirmed they had working XSS. I sent yet another email to [email protected] telling them about this. As far as I know, this XSS was never used with malicious intent.

Late evening

Valve put a site-wide redirect to a page notifying that they were doing maintenance to the wiki.

Night of July 5

Valve employee Gabe Van Engel (User:Gvengel) is seen blanking his user page. Within 4 hours of that, the maintenance notice on the wiki was removed.

So far:

  • MediaWiki software updated from 1.23.4 (a version considered OBSOLETE, released September 24, 2014) to 1.27.4 (a legacy (long term support) version, released November 14, 2017)
    Note: The most recent MediaWiki version is 1.31. There is a 1.32 in alpha.
  • User:SuicideJoy has not been blocked from the site.
  • I still haven't had word from anyone at Valve, and Van Engel is probably offline for the night.

We have users, images, and pages that need to be blocked/deleted but never have been. Until just tonight, the wiki had not had any sign of life from a sysop since May 2017. Let that sink in. The wiki has not been properly managed for over a year. (I made that clear in my email to Jeff Lane, by the way.)

Early morning July 6

User:Valvedev is back, showing us the bookmarks he or she uses for XSS scripting. I saved over that image.

TEN MINUTES AGO: Gabe Van Engel shows us another sign of life on User Talk:Gvengel (erasing my question... and replacing it with "test").

We now have word from Valve that the website is safe! Matt Rhoten also emailed me back just now. He suspects Valve's HackerOne program played a role in this (and it did, as clarified below).

Notice from the Bug Bounty Researcher (Valvedev)

Hi Community Members,

This is Valvedev (https://hackerone.com/h13-). I'm a bug bounty researcher on the HackerOne platform. The site https://developer.valvesoftware.com is in scope of a public bug bounty program (https://hackerone.com/valve) which is being run by VALVE on the HackerOne platform. This is the only reason why I was investigating the site for vulnerabilities. I noticed that the site engine (MediaWiki) was actually obsolete (v1.23.4) and it had many HIGH vulnerabilities. To prove the existence of a few of those vulnerabilities, I had to perform a few PoCs for the sake of submitting reports to HackerOne. For example, there was a Stored XSS on this website which was left undetected, and I had to perform a simple test to show there is a stored XSS on this site (the report is already filed with HackerOne and once resolved, I will be glad to share it here).

I had submitted a couple of vulnerabilities to HackerOne between 02-07-18 and 04-07-18, and that might have triggered VALVE to update the MediaWiki engine to v1.27.3.

Either way, I apologize if testing caused any panic, but in the literal sense, I did not spam any user nor modify any existing wikis. All I did was create my own wikis and contents to show PoCs for my bug reports on HackerOne. For more information, you may reach the VALVE developers who are running the HackerOne bug bounty program.

Cheers, Valvedev