Slashdot Mirror


Font Sharing Site DaFont Has Been Hacked, Exposing Thousands of Accounts (zdnet.com)

DaFont.com, a popular font sharing site, has been hacked, resulting in the usernames, email addresses, and hashed passwords of 699,464 user accounts being stolen. ZDNet reports: The passwords were scrambled with the deprecated MD5 algorithm, which nowadays is easy to crack. As such, the hacker unscrambled over 98 percent of the passwords into plain text. The site's main database also contains the site's forum data, including private messages, among other site information. At the time of writing, there were over half-a-million posts on the site's forums. The hacker told ZDNet that he carried out his attack after he saw that others had also purportedly stolen the site's database. "I heard the database was getting traded around so I decided to dump it myself -- like I always do," the hacker told me. Asked about his motivations, he said it was "mainly just for the challenge [and] training my pentest skills." He told me that he exploited a union-based SQL injection vulnerability in the site's software, a flaw he said was "easy to find." The hacker provided the database to ZDNet for verification.

17 comments

  1. DuFuck? by Frosty+Piss · · Score: 2

    I'm not an expert in web site security, but I thought SQL injection had been dealt with, with minimal input validation and prepared statements? I guess if they are still using MD5 hashes, the code is probably pretty old.

    Other than that, I love DuFont, that's where I get all my fonts, though I never saw a need to get an account...

    --
    If you want news from today, you have to come back tomorrow.
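    The two weaknesses this comment names, string-built SQL and unsalted MD5, side by side with their fixes. This is an added example, not code from the thread or from DaFont's software; it uses Python's sqlite3 module as a stand-in for the site's PHP/MySQL stack, and the users, e-mail addresses and passwords are constructed sample data. The `UNION_PROBE` string is the textbook union-based shape the article refers to; against the spliced query it returns the hash column, against the prepared statement it is bound as a plain value and matches nothing.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data (invented for this example): a tiny stand-in for a
# site user table whose passwords are stored as unsalted MD5 hex digests.
SAMPLE_USERS = [
    ("alice", "alice@example.invalid", "hunter2"),
    ("bob", "bob@example.invalid", "letmein"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with MD5-hashed sample passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, pw_md5 TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, pw_md5) VALUES (?, ?, ?)",
        [(u, e, hashlib.md5(p.encode()).hexdigest()) for u, e, p in SAMPLE_USERS],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The 'old code' pattern: user input is spliced into the SQL text."""
    # Because the value becomes part of the statement, a quote character in
    # it ends the string literal and whatever follows is parsed as SQL.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn: sqlite3.Connection, username: str) -> list:
    """Prepared statement: the value is bound as data, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Union-based probe of the kind the article mentions: against the spliced
# query it appends a second SELECT that reads a different column.
UNION_PROBE = "nobody' UNION SELECT pw_md5 FROM users --"


def hash_password(password: str, iterations: int = 200_000) -> str:
    """Salted, slow hash (PBKDF2-HMAC-SHA256) instead of bare MD5.

    A random per-user salt defeats precomputed tables (every user with the
    same password gets a different hash), and the iteration count makes each
    guess cost far more than a single MD5 call.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_vulnerable(db, UNION_PROBE))  # returns the hash column
    print("prepared:  ", lookup_prepared(db, UNION_PROBE))    # matches nothing
    stored = hash_password("hunter2")
    print("verify:", verify_password("hunter2", stored), verify_password("wrong", stored))
```

    The prepared statement needs no input validation to be safe here: the driver sends the statement text and the value separately, so the value cannot change the query's structure. Validation is still worth doing for other reasons (length, character set), but it is not what prevents injection.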
    1. Re:DuFuck? by Anonymous Coward · · Score: 0

      New programmers often learn with old, crappy tutorials, so bad DB code is a problem that is reborn with every generation (so far).

    2. Re:DuFuck? by dgatwood · · Score: 2

      This is just another example of why you should deprecate APIs with known security design flaws quickly and remove them just as quickly. PHP's MySQL API should have been deprecated when mysqli and PDO came onto the scene in PHP 5.0 (2004) and removed entirely within a couple of years after that. Instead, they didn't deprecate it until PHP 5.5 (2013) and didn't remove it until PHP 7 (2015). IMO, that was about a decade too late, and by the time they finally got around to it, thousands of websites developed using the old, vulnerable-by-design API have been compromised.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    3. Re:DuFuck? by Anonymous Coward · · Score: 1

      The thing is, when you do that (remove deprecated APIs), people will default to a worse scenario: not updating PHP at all.

      A lot of websites have been built spending big money, there's a business or educative usage scenario but zero maintenance, and 99% of the leaks are probably never found or abused because no-one bothered since there is no or little direct monetary gain.

      So apart from the casual worms, even vulnerable websites are relatively safe simply because no one bothers; hackers will go for higher-profile targets first and don't bother with Jack-with-his-pet-site.

      There are plenty of valid and practical reasons to keep deprecated APIs functional. In an ideal world you might be right. But in practice a lot of code is left as-is for years and decades to come if possible, simply because it works, and the sum(profit) is larger than the sum(damages).

    4. Re:DuFuck? by dgatwood · · Score: 2

      The thing is, when you do that (remove deprecated APIs), people will default to a worse scenario: not updating PHP at all.

      That's actually not what happens in practice. Statistically, it isn't the one-off apps that get hacked. Instead, hackers tend to mostly go after mass-deployment apps (phpBB, WordPress, etc.), because they yield the most bang for the buck. After all, why steal passwords on one site when you can steal passwords on 100,000 sites just as easily?

      The problem with mass-deployment apps is that developers are wary of making potentially dangerous changes like switching MySQL APIs. Instead, they do the minimum maintenance required to fix known holes. Unfortunately, because these apps are the ones that get the most eyes looking for holes, they tend to be compromised frequently under that model. Thus it is of paramount importance to force those developers to upgrade their API usage when serious problems make the use of the older APIs unsafe.

      Fortunately, this generally "just works" because those same apps also have a steady flow of new users. When a backwards-incompatible API update happens, those new users want to run [insert random bulletin board/CMS software here] on their servers, and if their shared hosting providers no longer provide old versions of PHP that support those APIs, they can't run the software. Thus, this puts pressure on the developers of that software to take the risk and update their software so that they won't stop getting new users. Once the developers have updated the software, all users of that software package are free to upgrade their versions of PHP to a newer version.

      For one-offs, yes, in theory, you might cause somebody to decide not to upgrade. But even there, often their ISP will eventually say, "We notice you're running an outdated version of PHP" and force the issue. Either way, if you break a known-unsafe API and people choose to not upgrade their entire server stack rather than update the software on the server, that's an obvious choice to neglect security that the site owner made, knowing full well that not staying up-to-date is a bad idea. If you continue to allow use of the old API, there's a decent chance that the people who developed software for those one-off sites won't even know that something is wrong and needs to be fixed, because their software is still working. So even in those situations, removing the API provides a benefit.

      And if you really want to make it less painful for the one-offs, you can do that by continuing to maintain the legacy code as an optional install. The shared server admins will refuse to install it, forcing folks to upgrade their software, and the random one-off software authors will either fix their code (if they're forced to by their ISP) or will continue manually installing the package on their servers until the extra hassle makes it worth their time to fix their code.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    5. Re:DuFuck? by alexborges · · Score: 1

      It's all graphic designers. 95.78% of the passwords were permutations of "Justin Bieber"

      --
      NO SIG

    6. Re:DuFuck? by tepples · · Score: 1

      Many popular prepared statement frameworks still don't support array-valued parameters, such as that for the right side of operator IN.
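      The usual way around the gap this comment points out, as an added example that is not from the thread or from any particular framework: generate one placeholder per element so each value on the right side of IN is still bound as a parameter, refuse the empty list (most engines reject `IN ()`), and chunk long lists to stay under the driver's bound-parameter ceiling. Written against Python's sqlite3 module with a constructed font table; the `MAX_PARAMS` value is SQLite's older default limit, chosen so the code works on both old and new SQLite builds.

```python
import sqlite3
from typing import Iterable, List, Tuple

# SQLite's default ceiling on bound parameters per statement was 999 before
# 3.32.0 and is 32766 since; staying under the older limit works on both.
MAX_PARAMS = 999

# Constructed sample data (invented for this example): a small font table.
SAMPLE_FONTS = [(1, "Alpha Sans"), (2, "Beta Serif"), (3, "Gamma Mono"), (4, "Delta Script")]


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the sample fonts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fonts (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO fonts (id, name) VALUES (?, ?)", SAMPLE_FONTS)
    return conn


def fonts_by_ids(conn: sqlite3.Connection, ids: Iterable) -> List[Tuple[int, str]]:
    """SELECT ... WHERE id IN (...) with every element bound as a parameter.

    The placeholder list is generated from len(chunk), never from the values
    themselves, so the SQL text contains only '?' marks and the driver binds
    each value as data. Long lists are split to respect MAX_PARAMS.
    """
    values = list(ids)
    if not values:
        # Most engines treat "IN ()" as a syntax error; return early instead.
        return []
    rows: List[Tuple[int, str]] = []
    for start in range(0, len(values), MAX_PARAMS):
        chunk = values[start:start + MAX_PARAMS]
        placeholders = ", ".join("?" for _ in chunk)
        sql = f"SELECT id, name FROM fonts WHERE id IN ({placeholders})"
        rows.extend(conn.execute(sql, chunk).fetchall())
    # Results arrive per chunk; sort so callers get a stable order.
    return sorted(rows)


if __name__ == "__main__":
    db = build_db()
    print(fonts_by_ids(db, [3, 1]))              # two matching rows
    print(fonts_by_ids(db, []))                  # empty list, no query issued
    print(fonts_by_ids(db, ["1) OR 1=1 --"]))    # bound as text, matches no integer id
    print(len(fonts_by_ids(db, range(1, 2000)))) # 1999 ids, issued as three chunks
```

      The table and column names stay fixed in the statement text because identifiers cannot be bound as parameters; if they must vary, check them against an allow-list rather than interpolating caller input.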

  2. Comic sans by Hognoxious · · Score: 4, Funny

    I was prosecuted for pirating Comic Sans and bigamy.

    The judge let me off with a warning. He said I'd already suffered enough.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."

    1. Re:Comic sans by Anonymous Coward · · Score: 0

      Gosh, I really want to get my hands on that hard-to-find Bigamy font!!!

  3. Beat a ZDnet reporter by Anonymous Coward · · Score: 0

    So we beat a ZDNet reporter until he reveals a hacker's identity and then neuter a bored hacker?

    1. Re:Beat a ZDnet reporter by rogoshen1 · · Score: 1

      This particular guy didn't do anything particularly onerous though. He didn't (as far as we know) sell or use the data. Not to mention, he wasn't the first person to lift the DB.

      But really, in this legal climate going to the site in question is almost a sure way to get sued. At least with the journalistic route, the company can be notified of the breach, while the 'hacker' has at least some hope of not being fucked over by the legal system.

      So it's a win-win for everyone involved.

  4. oblagory by Anonymous Coward · · Score: 0

    Brick must be freaking out right now.

    1. Re:oblagory by Anonymous Coward · · Score: 0

      I wish more people got this reference. Great show.

  5. I Remember by Anonymous Coward · · Score: 0

    he said it was "mainly just for the challenge [and] training my pentest skills."

    Yeah, I remember when I was training to be a butcher, I used to sneak into farms and pick up some beef cattle for my practice. I made it look like the aliens did it too, which was occasionally quite a challenge.

    1. Re:I Remember by Anonymous Coward · · Score: 0

      I remember when I was training to be a car mechanic, I'd sneak around at night and cut brake lines and slash tires so I could practice fixing them for a modest fee.

      Moral of the story - most black hats are amoral pieces of shit.

  6. I hate signing up by OrangeTide · · Score: 1

    This is one of many reasons I hate signing up for accounts at these kinds of sites. I just want to view the materials on the site, maybe download something, and then get out. Not register and deal with accounts and passwords and crap forever.

    --
    “Common sense is not so common.” — Voltaire