Topic: FA-2011-11-001 - privilege escalation from user to administrator

Pi

FA-2011-11-001 - privilege escalation from user to administrator
« on: November 16, 2011, 10:41:22 am »
For a short time this morning, FA was displaying some image in the "Administrator notice" panel.

Quote from: From lulz
The image was from user violet8. Checking their account, the account claimed to be an administrator account. Shortly after the cool old photo went away some new buttons popped up at the top next to the control panel labeled Administration and Debug. The Debug button output a bunch of info at the bottom of the page, and the Admin button asked for a password, which was just too tempting. Oh, also, all shouts had a Remove Shout button beneath them, which then also asked for admin username and password.

violet8 is no longer listed as an administrator, and just posted a journal acknowledging some sort of incident.

The user is now suspended (as is usual (and stupid)). The journal contents:

Quote from: violet8
Dear Journal, furaffinity is fairly well hardened, and has decent incident response when you display an image on the homepage for a second.

Of course, I'd argue with that. We'll see how badly they actually handle this incident.
"we did farts.  now we do sperm.  we are cutting edge." — Theo DeRaadt

Conan

Re: FA-2011-11-001 - privilege escalation from user to administrator
« Reply #1 on: November 16, 2011, 11:51:48 am »
Dragoneer claims an admin account was compromised in the process, and that Yak's "fix" of requiring "secondary authentication" (a different password!) to log in to the admin panel didn't work / had a "loophole", which makes it sound like it never worked as he claimed.

Quote
We found out what happened. An admin's account was compromised, and a loophole that affected a subdomain let the person access the admin panel for a brief time. We've fixed the hole...
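As an added illustration of the point above (this is example code, not FA's or Yak's; the thread does not say how the subdomain loophole actually worked), a second admin password only gates the admin panel when every admin route checks it regardless of the hostname the request arrived on. The `host_scoped_allows` policy models one assumed way such a gate acquires a subdomain loophole; `route_scoped_allows` is the corrected form. Hostnames and the salt are constructed placeholders.

```python
"""Step-up ("secondary authentication") gate for an admin panel.
Added example, not the site's code; hostnames below are constructed."""
import hashlib
import hmac
from dataclasses import dataclass

ADMIN_PREFIX = "/admin"
MAIN_HOST = "www.example.test"  # assumed: the only host the gate was wired up on


@dataclass
class Session:
    user: str
    is_admin: bool
    step_up_done: bool = False  # True only after the second password is verified


def is_admin_route(path: str) -> bool:
    # Exact prefix match on a path segment, so "/administrivia" is not admin.
    return path == ADMIN_PREFIX or path.startswith(ADMIN_PREFIX + "/")


def make_second_password_hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash for the stored second password (PBKDF2-HMAC-SHA256).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def complete_step_up(session: Session, stored: bytes, salt: bytes, supplied: str) -> bool:
    # Constant-time compare; only a correct second password sets the flag.
    if hmac.compare_digest(make_second_password_hash(supplied, salt), stored):
        session.step_up_done = True
    return session.step_up_done


def host_scoped_allows(session: Session, host: str, path: str) -> bool:
    """Weak policy: the gate is keyed on the hostname, so another (sub)domain
    serving the same admin routes admits an ordinary login alone; a compromised
    admin password is then enough."""
    if not is_admin_route(path):
        return True
    if host != MAIN_HOST:
        return session.is_admin  # gate silently skipped off the main host
    return session.is_admin and session.step_up_done


def route_scoped_allows(session: Session, host: str, path: str) -> bool:
    """Corrected policy: the decision depends only on the route and the
    session state, never on the Host header."""
    if not is_admin_route(path):
        return True
    return session.is_admin and session.step_up_done
```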

Jim Demintia

Re: FA-2011-11-001 - privilege escalation from user to administrator
« Reply #2 on: November 16, 2011, 05:50:32 pm »
What I find ironic about all of this is that it seems, of all the "incidents" they've had over the past year or two, the vast majority of them start with an admin account being compromised. Seems to me, if they can't actually do the Right Thing and fix the holes/rewrite the code base, they could stop exploitation of many of these holes, especially some of the worst ones, by just ensuring admin accounts didn't get compromised in the first place. Which is not hard to do and could be bolted on top of the existing code base, in some cases with no changes to the code at all.

It's not a fix, it's not a solution, but it gets halfway to mitigating the bad shit that results from these holes.
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name

Xipoid

Re: FA-2011-11-001 - privilege escalation from user to administrator
« Reply #3 on: November 19, 2011, 05:52:11 am »
Quote from: Jim Demintia
What I find ironic about all of this is that it seems, of all the "incidents" they've had over the past year or two, the vast majority of them start with an admin account being compromised. Seems to me, if they can't actually do the Right Thing and fix the holes/rewrite the code base, they could stop exploitation of many of these holes, especially some of the worst ones, by just ensuring admin accounts didn't get compromised in the first place. Which is not hard to do and could be bolted on top of the existing code base, in some cases with no changes to the code at all.

It's not a fix, it's not a solution, but it gets halfway to mitigating the bad shit that results from these holes.

I actually wonder that myself, and it makes me curious about a somewhat related topic. I can't recall anyone (from my limited view within the forum admin forums) ever talking about getting more coders (and maybe I need to look harder). Not just more coders, but more able coders in the sense of having significant time to dedicate. No offense to yak, but it seems like he's a busy guy, so why is he the only coder? Is he the only coder? If he is the only coder, why don't we find some more? If we don't need more, then what's with all these security issues? Is the limited staff, coding or otherwise, to blame for the slow release times? If so, why isn't that rectified? Do Tsawolf/netcat/Carenath do any coding? I honestly have no idea. I've never seen it mentioned before. I know Carenath does something with servers, but maybe that's because I never really ask.

Anyway, it seems like whenever these questions are brought up someone will drop the "FA is a volunteer site" excuse. We can only ride that for so long (i.e., already overdue). After a while the perceived ineptitude is going to make people fed up and playing a defensive "no entitlement complexes!" card against the user isn't going to help.

I feel like FA is just capitalizing on its popularity and being complacent. It's not until something truly serious happens that someone might be motivated to jump out of their chair and do something. Those are my feelings on the matter at least. There could be an explanation hidden somewhere I do not have access to, or there could be an unstated one somewhere else.

Jim Demintia

Re: FA-2011-11-001 - privilege escalation from user to administrator
« Reply #4 on: November 19, 2011, 10:28:58 am »
I would honestly suggest you dig around in the archives here. I'm not saying that in a sarcastic or condescending "let-me-google-that-for-you" manner; there really is a wealth of reality about the situation FA is in, in the archives here, and it'd be hard to summarize in a way that answers all of your questions in just a single post.

ColonThree

Re: FA-2011-11-001 - privilege escalation from user to administrator
« Reply #5 on: November 20, 2011, 07:21:23 am »
Quote from: Xipoid
I actually wonder that myself, and it makes me curious about a somewhat related topic. I can't recall anyone (from my limited view within the forum admin forums) ever talking about getting more coders (and maybe I need to look harder). Not just more coders, but more able coders in the sense of having significant time to dedicate. [-sensible questions-] Do Tsawolf/netcat/Carenath do any coding?

You could always ask Dragoneer yourself, but you'd probably just get empty promises and vague hand-waving in return. Carenath just hosts/fucks around with FAF, I'm pretty sure he never does anything on FA's side. Tsawolf may as well not exist, and net-cat seems to have vanished for a while.

Jim Demintia

Re: FA-2011-11-001 - privilege escalation from user to administrator
« Reply #6 on: November 20, 2011, 01:38:37 pm »
Quote from: Xipoid
I actually wonder that myself, and it makes me curious about a somewhat related topic. I can't recall anyone (from my limited view within the forum admin forums) ever talking about getting more coders (and maybe I need to look harder). Not just more coders, but more able coders in the sense of having significant time to dedicate. [-sensible questions-] Do Tsawolf/netcat/Carenath do any coding?

Quote from: ColonThree
You could always ask Dragoneer yourself, but you'd probably just get empty promises and vague hand-waving in return. Carenath just hosts/fucks around with FAF, I'm pretty sure he never does anything on FA's side. Tsawolf may as well not exist, and net-cat seems to have vanished for a while.

There really is nothing that can be done with FA's code. As the recent round of non-feature additions showed us, you really cannot make any meaningful changes to the code without an avalanche of unpredictable side-effect errors being unleashed.

This is what happens when non-programmers (and bad programmers) write code. It isn't maintainable. The long and short of it is that FA needs to be rewritten from the ground up, but that will not happen anytime soon because no one competent or reliable is going to work for Sean Piche for free, and he isn't about to pay anyone either.

Conan

Re: FA-2011-11-001 - privilege escalation from user to administrator
« Reply #7 on: November 20, 2011, 01:52:28 pm »
Quote from: Xipoid
Do Tsawolf/netcat/Carenath do any coding? I honestly have no idea. I've never seen it mentioned before. I know Carenath does something with servers, but maybe that's because I never really ask.

As far as we can tell, Tsawolf is dead (his profile sure seems that way), and net-cat codes infrequently (he fixed the journal posting exploit earlier this year, but not until it became A Problem). Carenath has access to the servers (with the same access Yak has, from what we've seen) and is believed to be the one that caused users to spontaneously log into other users' accounts.

A crack team indeed.