Slashdot Mirror


Font Sharing Site DaFont Has Been Hacked, Exposing Thousands of Accounts (zdnet.com)

DaFont.com, a popular font sharing site, has been hacked, resulting in the usernames, email addresses, and hashed passwords of 699,464 user accounts being stolen. ZDNet reports: The passwords were scrambled with the deprecated MD5 algorithm, which nowadays is easy to crack. As such, the hacker unscrambled over 98 percent of the passwords into plain text. The site's main database also contains the site's forum data, including private messages, among other site information. At the time of writing, there were over half a million posts on the site's forums. The hacker told ZDNet that he carried out his attack after he saw that others had also purportedly stolen the site's database. "I heard the database was getting traded around so I decided to dump it myself -- like I always do," the hacker told me. Asked about his motivations, he said it was "mainly just for the challenge [and] training my pentest skills." He told me that he exploited a union-based SQL injection vulnerability in the site's software, a flaw he said was "easy to find." The hacker provided the database to ZDNet for verification.

4 of 17 comments

  1. DuFuck? by Frosty+Piss · Score: 2

    I'm not an expert in web site security, but I thought SQL injection had been dealt with, with minimal input validation and prepared statements? I guess if they are still using MD5 hashes, the code is probably pretty old.

    Other than that, I love DuFont, that's where I get all my fonts, though I never saw a need to get an account...

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:DuFuck? by dgatwood · Score: 2

      This is just another example of why you should deprecate APIs with known security design flaws quickly and remove them just as quickly. PHP's MySQL API should have been deprecated when mysqli and PDO came onto the scene in PHP 5.0 (2004) and removed entirely within a couple of years after that. Instead, they didn't deprecate it until PHP 5.5 (2013) and didn't remove it until PHP 7 (2015). IMO, that was about a decade too late, and by the time they finally got around to it, thousands of websites developed using the old, vulnerable-by-design API have been compromised.

      --
      Check out my sci-fi/humor trilogy at PatriotsBooks.

    2. Re:DuFuck? by dgatwood · Score: 2

      The thing is, when you do that (remove deprecated API's), people will default to a worse scenario: not updating PHP at all.

      That's actually not what happens in practice. Statistically, it isn't the one-off apps that get hacked. Instead, hackers tend to mostly go after mass-deployment apps (phpBB, WordPress, etc.), because they yield the most bang for the buck. After all, why steal passwords on one site when you can steal passwords on 100,000 sites just as easily?

      The problem with mass-deployment apps is that developers are wary of making potentially dangerous changes like switching MySQL APIs. Instead, they do the minimum maintenance required to fix known holes. Unfortunately, because these apps are the ones that get the most eyes looking for holes, they tend to be compromised frequently under that model. Thus it is of paramount importance to force those developers to upgrade their API usage when serious problems make the use of the older APIs unsafe.

      Fortunately, this generally "just works" because those same apps also have a steady flow of new users. When a backwards-incompatible API update happens, those new users want to run [insert random bulletin board/CMS software here] on their servers, and if their shared hosting providers no longer provide old versions of PHP that support those APIs, they can't run the software. Thus, this puts pressure on the developers of that software to take the risk and update their software so that they won't stop getting new users. Once the developers have updated the software, all users of that software package are free to upgrade their versions of PHP to a newer version.

      For one-offs, yes, in theory, you might cause somebody to decide not to upgrade. But even there, often their ISP will eventually say, "We notice you're running an outdated version of PHP" and force the issue. Either way, if you break a known-unsafe API and people choose to not upgrade their entire server stack rather than update the software on the server, that's an obvious choice to neglect security that the site owner made, knowing full well that not staying up-to-date is a bad idea. If you continue to allow use of the old API, there's a decent chance that the people who developed software for those one-off sites won't even know that something is wrong and needs to be fixed, because their software is still working. So even in those situations, removing the API provides a benefit.

      And if you really want to make it less painful for the one-offs, you can do that by continuing to maintain the legacy code as an optional install. The shared server admins will refuse to install it, forcing folks to upgrade their software, and the random one-off software authors will either fix their code (if they're forced to by their ISP) or will continue manually installing the package on their servers until the extra hassle makes it worth their time to fix their code.

      --
      Check out my sci-fi/humor trilogy at PatriotsBooks.
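An added example (not DaFont's code, nor anything from ZDNet or the commenters) showing in PHP the two fixes the comments above point at: PDO prepared statements in place of string-built queries, and password_hash() in place of MD5, with legacy MD5 rows upgraded to bcrypt on the first successful login. The schema and the sample user are constructed here, and an in-memory SQLite database keeps it stand-alone.

```php
<?php
// Added example (not DaFont's code): a login routine that fixes both issues the
// thread raises: PDO prepared statements instead of string-built SQL, and
// password_hash()/password_verify() instead of bare MD5, upgrading legacy MD5
// rows to bcrypt on the first successful login. The schema and sample user are
// constructed here; an in-memory SQLite database keeps it stand-alone.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, pw TEXT)');

// Constructed legacy row: an unsalted MD5 digest, the kind of record the breach exposed.
$db->prepare('INSERT INTO users (name, pw) VALUES (?, ?)')->execute(['alice', md5('correct horse')]);

// The legacy pattern the thread criticises (mysql_* API, removed in PHP 7), shown for contrast only:
//   mysql_query("SELECT * FROM users WHERE name='$name' AND pw='" . md5($pw) . "'");
// A quote inside $name is spliced into the SQL text, which is how injection gets in.

function login(PDO $db, string $name, string $password): bool
{
    // Placeholder binding: $name travels as data and never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, pw FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $isLegacyMd5 = (bool) preg_match('/^[0-9a-f]{32}$/', $row['pw']);
    // hash_equals() gives a constant-time comparison for the legacy digest.
    $ok = $isLegacyMd5 ? hash_equals($row['pw'], md5($password))
                       : password_verify($password, $row['pw']);
    if (!$ok) {
        return false;
    }
    // Transparent upgrade: replace the MD5 digest (or an outdated bcrypt cost) with a
    // salted bcrypt hash while the plaintext is available for this one request.
    if ($isLegacyMd5 || password_needs_rehash($row['pw'], PASSWORD_DEFAULT)) {
        $db->prepare('UPDATE users SET pw = ? WHERE id = ?')
           ->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return true;
}

var_dump(login($db, "alice'", 'correct horse'));  // false: the quote is just data, no such user
var_dump(login($db, 'alice', 'wrong'));           // false
var_dump(login($db, 'alice', 'correct horse'));   // true, and the row is now a $2y$ bcrypt hash
var_dump(login($db, 'alice', 'correct horse'));   // true again, now verified via password_verify()
```

The same pattern applies to MySQL by swapping the DSN; the point is that the query text is fixed at prepare time and user input is bound separately.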

  2. Comic sans by Hognoxious · Score: 4, Funny

    I was prosecuted for pirating Comic Sans and bigamy.

    The judge let me off with a warning. He said I'd already suffered enough.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."