Thuum.org

A community for the dragon language of The Elder Scrolls V: Skyrim

Site Update February 25, 2017

Thuum.org Database Compromised

February 25, 2017

Or, “Why We Can’t Have Nice Things, Part 3.”

Late this evening, I was notified that Thuum.org’s database was compromised. The hacker is confirmed to have accessed a small portion of the user table, which includes such information as emails and password hashes. It is unknown whether or not they accessed or dumped any other tables. At the time of writing, the vulnerability that led to the leak has been patched.

In the interest of full transparency, I’ll describe as much as I know about the issue and how it happened. In the meantime, I strongly urge all site members to change their passwords. If you updated your password already today due to the Cloudflare incident, I highly recommend updating your password again.

How did you learn about the compromise?

I received a message from a fake Russian Facebook profile informing me of the compromise, with a screenshot of the database attached as proof and a demand for payment to identify the vulnerability. The screenshot indicated the hacker accessed the first hundred rows of the user table but did not access any further rows or tables. That said, the hacker would have had complete access to the database while it was vulnerable, and it is unknown whether they accessed or dumped additional information after the screenshot was taken.

I identified the vulnerability on my own and patched it as soon as I was able.

How was the database compromised?

At this time, I have no reason to believe the compromise is related to the Cloudflare issue mentioned earlier today. The hack occurred through a method called SQL injection. SQL injection occurs when unsafe user input is passed into an SQL statement that interacts with the database. With SQL injection, a statement meant to select words from a dictionary can instead be made to select entirely different tables.

For site veterans, this is the same type of attack that happened four years ago. Afterward, I shut down the vulnerable pages and spent several weeks rebuilding them to use safe methods. However, at the time and in the interest of getting the site running as quickly as possible, I did not fix every vulnerable page, only the ones that were the most obvious vectors of attack. Four years passed, and it didn’t occur to me that those pages were vulnerable in the same way. I was wrong. It was grossly ignorant and negligent of me to maintain those pages. An anonymous Russian may have pulled the trigger, but I loaded the gun. This is as much my fault as anyone’s, and I apologize for any trouble this may have caused.

All site features developed since the 2013 incident use safe methods of communicating with the database and are not vulnerable to this type of attack. This attack was made possible by the site’s very first pages, which I developed as a student back in 2012 and which have lingered around since. Those pages have now been patched to fix the vulnerability.
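To make the difference between the 2012-era pages and the rebuilt ones concrete, here is an added example (not the site's own code) in Python with SQLite: a dictionary lookup that splices the word into the query text, beside one that passes it as a parameter, both run against a constructed schema whose table and column names are assumptions.

```python
import sqlite3

# Constructed in-memory stand-in for the site's database. The table and column
# names are assumptions for this example, not Thuum.org's real schema.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE dictionary (word TEXT, meaning TEXT);
        INSERT INTO dictionary VALUES ('fus', 'force'), ('ro', 'balance'), ('dah', 'push');
        CREATE TABLE users (email TEXT, password_hash TEXT);
        INSERT INTO users VALUES ('member@example.com', 'constructed-hash-value');
    """)
    return conn

def lookup_unsafe(conn, word):
    """2012-style lookup: the input is spliced into the SQL text, so the
    database parses it as part of the statement rather than as a value."""
    sql = "SELECT word, meaning FROM dictionary WHERE word = '" + word + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, word):
    """Parameterized lookup: the value travels separately from the statement,
    so the input is only ever compared as a literal string."""
    sql = "SELECT word, meaning FROM dictionary WHERE word = ?"
    return conn.execute(sql, (word,)).fetchall()

# The textbook input the post describes: it closes the quoted value and bolts a
# second SELECT onto the dictionary query so rows from another table come back.
PROBE = "' UNION SELECT email, password_hash FROM users --"

def compare(word):
    """Return (unsafe_rows, safe_rows) for one input against a fresh database."""
    conn = build_db()
    return lookup_unsafe(conn, word), lookup_safe(conn, word)

if __name__ == "__main__":
    print("normal word:", compare("fus"))
    print("probe input:", compare(PROBE))
```

For an ordinary word both lookups agree; for the probe the spliced query hands back the users table while the parameterized one simply finds no dictionary entry with that literal name.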

What happens now?

As stated above, everyone should update their passwords immediately. Please also consider refreshing yourself on the Thuum.org Privacy Policy so you are familiar with what information we store in our database and what you can do if you would like it removed. Moving forward, I hope we can continue doing contests, creating fun features, and being the tight-knit community we’ve always been. I recognize the severity and implications of this security breach, and will do everything in my power to ensure the site and its members are safe.

-paarthurnax



Dinokfahlaas
February 25, 2017

You've got to be kidding me!? 

LÓSDAGH PÓG MOL ASAL!

That was not Dragon Language, and you don't want to know what that meant. How much did he ask you to pay him?
Smiley
February 25, 2017

I just recently joined this site, but in this time I really started to like it here. It's sad to hear that some people would do something like that, and I hope that you and this site are going to be okay in the future. You are great for reacting the way you did!

Ancient dovah
February 25, 2017
Wow, who in the name of Oblivion would attack a site like this? Again.

I've known paarthurnax for a while now.
What will you do?

I've gone over the list of members, and a lot of us in this community are within range of this hacker.

paarthurnax
Administrator
February 25, 2017
Ancient dovah
What will you do?

I appreciate the sentiment, but there's nothing to be done about the hacker except ensure the site can't be compromised again. I've done what I can to make sure the site is safe moving forward.

DovahKiinZaan
February 25, 2017
The issues of PHP

Ancient dovah
February 25, 2017
[Thanks for letting us all know about the current problems]

GenralEdward
March 3, 2017

I believe we should post guards on the site... have them take shifts.

Ancient dovah
March 3, 2017
[That's not a bad idea.]

Jaxius
March 5, 2017
It never occurred to me to check if the site was SQL vulnerable. As a programmer, and someone who's also interested in web vulnerabilities, I could've helped prevent this.

It's a good thing you found out soon enough before it got too out of hand. :)

Dinokdovokunne
March 28, 2017

Well that is just horrible.

I have had the luck to have joined in early March.
