Forum Security Advisory

Discussion in 'Bukkit News' started by Kaelten, Dec 7, 2015.

Thread Status:
Not open for further replies.
  1. ChipDev

    You guys are developers!
    It's simple to make a password-storing app, just if it is accessible for yourself.
    EDIT:
    Got an email from Curse.
     
  2. Tecno_Wizard

    @ChipDev keepass is a thousand times more secure than what we could create. Even with direct access to the database it is nearly impossible to decrypt a SSH-256 bit encryption.
     
    Last edited: Dec 10, 2015
  3. Mrs. bwfctower

    And... you haven't changed your passwords? If I got a message that my accounts were being logged in to by somebody other than me, I'd change the passwords first thing.
     
    bwfcwalshy likes this.
  4. craftedbyman

    So no other Curse sites are affected by this? I have an account (same password (I think) and username) on Minecraft Forums.
     
  5. timtower (Administrator, Moderator)

    @craftedbyman I think that it would be better if you change both passwords just to be safe.
     
  6. craftedbyman

    @timtower yea, I was just about to. Is there any way to see activity logs of recent logins to my account on this site?
     
  7. timtower (Administrator, Moderator)

    @craftedbyman Curse can do that I think, but they didn't do anything. Not that I can see at least.
    That they have your data doesn't mean that they also use it right away.
     
  8. lol768

    Good news! There's probably nothing stopping exactly the same sort of admin account compromise happening on http://www.minecraftforum.net/ since it too is served over plaintext by default.
     
    mbaxter likes this.
  9. Necrodoom_V2

    @lol768 Now this is just getting ridiculous.
     
  10. SirFaizdat

    Well, they are old accounts and not even I have the password to those. I realized I changed my Bukkit password a long time ago, so the two incidents are unrelated.
     
  11. Kaelten

    MCF is hosted on different technologies and requires 2FA for all admins and moderators. If a compromise was made to the control panel, the surface area of attacks possible on that software is _much_ smaller. Functions like editing the login template are not possible in that software. Regardless of the lower risk, that team is also working to implement full SSL logins.
     
  12. teej107

    So are you going to start requiring it for them on here too?
     
    Mrs. bwfctower likes this.
  13. Mrs. bwfctower

    And will there be an option for regular users like me to use 2FA?
    @Kaelten
     
  14. BuckitWorker

    What if it's HIS account that's been hacked and if we change our passwords the hacker will get them?!?!
     
  15. Saphiria_

    Why would you not require your admins to use two-factor authentication?
     
  16. Bobcat00

    Could you please clarify if they captured usernames, email addresses, or both?
    Thank you.
     
  17. mrCookieSlime

    The data entered in the login form was captured.
    Since you can log in with your username as well as your email address, it would depend on what you used to log in during that timeframe.
     
  18. Bobcat00

    Thank you. At least they couldn't take over my Minecraft account, because I only use my username when logging in here and my Mojang account requires the email address to log in.

    I assume this security breach is the reason for the login issues that surfaced in October. What's disappointing is that the forum admins didn't bother to investigate what was causing the problem.
     
  19. Tecno_Wizard

    @Bobcat00 sorry, but that bug is still there. The forum has been compromised since August. Curse suspects a man-in-the-middle attack while they were at MineCon.
     
  20. Mrs. bwfctower

    Man, that was ages ago.
     
  21. mrCookieSlime

    Source?
     
    timtower likes this.
  22. lol768

    2FA would not have prevented this account compromise.
     
    bwfcwalshy likes this.
  23. LaughNgamez

    Multiple attempts to log into my accounts with the released information. This has been one hell of a headache.
     
  24. Saphiria_

    Has everyone gotten this email, or did only the breached get it? Ugh...
     
  25. Necrodoom_V2

    @Saphiria_ Doesn't matter; change your passwords.
     
    teej107 likes this.
  26. AmShaegar

    Warning! Looks like the attack is still in place!

    I couldn't find proof of it yet but I am sure. I read about the incident in the news and thought it was fixed. Then I logged into DevBukkit to answer a comment. Not long after I was disrupted when someone from Amsterdam connected to my computer using Teamviewer. Stupid me, I used the same credentials there.

    Please have a look at https://dev.bukkit.org/home/login/

    This is the IP the attacker used to connect through TeamViewer: REDACTED
     
    Last edited by a moderator: Dec 28, 2015
  27. timtower (Administrator, Moderator)

    @AmShaegar People are looking into it, can't find anything from a quick skim though.
     
  28. AmShaegar

    @timtower Me neither. But it would be an enormous coincidence if they got my credentials otherwise.

    Edit: Just realized: I used my phone when answering that comment on DevBukkit. But I doubt an attack would be limited to mobile logins only.
     
  29. timtower (Administrator, Moderator)

    @AmShaegar Bukkit has no mobile platform, so that can't be the issue.
     
  30. mbaxter ʇıʞʞnq ɐ sɐɥ ı

    That doesn't prevent a malicious party from injecting code that only appears to potential victims when certain criteria (like a mobile browser, where viewing source is less common) are met.
     
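One defender-side check that follows from mbaxter's point, added here as an illustration and not code from the thread or from Curse/Bukkit: fetch the login page under several client profiles (desktop, mobile, ...) and compare where the login form posts and which hosts serve its scripts, so a variant that only some visitors see stands out. The HTML below is constructed sample data, the `.invalid` host is a placeholder, and the function names are hypothetical.

```python
"""Compare a login page's form targets and script origins across client profiles.

Constructed sample responses stand in for what a server might return to a
desktop and a mobile User-Agent; in practice the caller would fetch both.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the page as served to a desktop browser.
DESKTOP_HTML = """<html><body>
<form action="https://forums.example.org/login/" method="post">
<input name="login"><input name="password" type="password"></form>
<script src="https://forums.example.org/js/app.js"></script>
</body></html>"""

# Constructed sample: the same page with an extra script only mobile visitors get.
MOBILE_HTML = """<html><body>
<form action="https://forums.example.org/login/" method="post">
<input name="login"><input name="password" type="password"></form>
<script src="https://forums.example.org/js/app.js"></script>
<script src="https://cdn.unexpected.invalid/t.js"></script>
</body></html>"""


class _OriginCollector(HTMLParser):
    """Records every form action target and external script source on a page."""

    def __init__(self):
        super().__init__()
        self.form_actions, self.script_srcs = set(), set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.form_actions.add(a["action"])
        elif tag == "script" and a.get("src"):
            self.script_srcs.add(a["src"])


def page_hosts(html):
    """Return the set of hosts the page's forms post to or load scripts from."""
    p = _OriginCollector()
    p.feed(html)
    return {urlparse(u).netloc for u in p.form_actions | p.script_srcs}


def compare_variants(variants, allowed_hosts):
    """For each variant (first one is the baseline), report hosts outside the
    allow-list and hosts that differ from the baseline variant."""
    baseline = page_hosts(next(iter(variants.values())))
    findings = {}
    for name, html in variants.items():
        hosts = page_hosts(html)
        findings[name] = {"foreign": hosts - allowed_hosts,
                          "diff_from_baseline": hosts ^ baseline}
    return findings
```

Any non-empty `foreign` or `diff_from_baseline` set is worth a manual look at that variant's full HTML, since a legitimate CDN change would normally show up in every profile at once.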