Security Notice: Discord widget removed due to vulnerability

Announcements which were previously posted on our Drupal and WordPress blogs.
Locked
User avatar
Eric
Senior Veteran
Senior Veteran
Posts: 1520
Joined: Thu Feb 10, 2011 5:30 am
Favorite Aircraft: Super Hornet
Location: Chicago, Illinois
Has thanked: 59 times
Been thanked: 155 times
Contact:

Security Notice: Discord widget removed due to vulnerability

Post by Eric » Wed Jan 24, 2018 4:16 pm

On Monday evening (Jan 22nd), I learned of a security vulnerability in the unofficial Discord widget we had in the sidebar, originally added to show members online in our Discord server and provide a link for new users to join. The vulnerability could allow a Discord member to run untrusted bits of code on our forum through changing their name or "Playing ..." status. The vulnerability was found as while researching the results of a regular vulnerable dependency scan performed on our code, which allows us to be vigilant about new security issues.

Immediately after confirming the vulnerability was present on our site, I first disabled the vulnerable Discord widget, second notified the author of the Discord widget about the vulnerability, and third informed the YSFHQ staff of the situation. After that, I continued my investigation of the incident to ensure your data was safe and to keep it safe in the future.

At this time, there have not been any indications that this vulnerability was ever exploited, and no unusual activity was detected. We are making this public notification as a precaution only.

This vulnerability is one example of Cross-Site Scripting (XSS), which is a common flaw that can be found on many websites, exploited thru various methods. YSFlight Headquarters has additional security measures in place to prevent someone gaining access to your forum account, such as preventing login sessions from being read by any browser scripts and limiting the collection of sensitive information. We also update phpBB regularly to ensure any newly public security vulnerabilities are patched. Due to these existing protections, we do not believe any data was compromised. Check out the phpBB blog to know what more the developers doing to improve security and stability of the software behind YSFHQ.

To further improve our security and utilize the lessons learned from this incident, we will be taking the following actions:
  • Already done: Force HTTPS by default via HSTS, and ensure all traffic (including to/from our CDN) flows over HTTPS.
  • Going forward, third party software (extensions, widgets, etc.) on the forum will have their security evaluated before implementation to identify common vulnerablities such as the one found here. When feasible, we will opt for software made by trusted vendors instead of custom-built solutions (e.g. using the official Discord embed code instead of this widget).
  • Begin research and implementation of various defenses against XSS to prevent such vulnerabilities from being exploited.
We also thought it would be a good time to re-share some useful tips on keeping your accounts secure:
  • Don’t reuse passwords across accounts
    • It may seem easy to remember one password, but if a hacker gets hold of that master key, they can access all your accounts. Check out this video to learn more.
    • We recommend a password manager such as LastPass, 1Password, or Encryptr which makes keeping track of all your accounts super easy.
  • Use strong, randomly-generated passwords
    • Strong, complex passwords are much harder to guess, and thus makes your account less likely to be compromised.
    • Password managers make it really easy to generate strong passwords. You can also use trusted websites such as strongpasswordgenerator.com.
  • Change your passwords regularly (every 3 months is a good amount)
    • This helps ensure that any passwords that do get compromised have a limited lifespan.
  • If two-factor authentication (or multi-factor authentication) is available, use it!
    • Accounts using two-factor authentication require both the username/password combo as well as second code, often generated from your phone, in order to login. A hacker would need both your username/password as well as your phone to login.
    • We plan to implement this on YSFHQ when a stable 2FA forum extension is released. When it’s ready, we’ll let you know!
Motivated to change your password on YSFHQ? Click here to do so. Let me know if you have any other questions about this incident or how to improve your security.

Happy flying,

- Eric and the YSFHQ staff
I make this website.

Locked

Who is online

Users browsing this forum: No registered users and 1 guest