Immediately after confirming the vulnerability was present on our site, I first disabled the vulnerable Discord widget, second notified the author of the Discord widget about the vulnerability, and third informed the YSFHQ staff of the situation. After that, I continued my investigation of the incident to ensure your data was safe and to keep it safe in the future.
At this time, there have not been any indications that this vulnerability was ever exploited, and no unusual activity was detected. We are making this public notification as a precaution only.
This vulnerability is one example of Cross-Site Scripting (XSS), a common flaw found on many websites and exploited through various methods. YSFlight Headquarters has additional security measures in place to prevent someone from gaining access to your forum account, such as preventing login sessions from being read by any browser scripts and limiting the collection of sensitive information. We also update phpBB regularly to ensure that any newly public security vulnerabilities are patched. Due to these existing protections, we do not believe any data was compromised. Check out the phpBB blog to learn more about what the developers are doing to improve the security and stability of the software behind YSFHQ.
To further improve our security and utilize the lessons learned from this incident, we will be taking the following actions:
- Already done: Force HTTPS by default via HSTS, and ensure all traffic (including to/from our CDN) flows over HTTPS.
- Going forward, third-party software (extensions, widgets, etc.) on the forum will have its security evaluated before implementation to identify common vulnerabilities such as the one found here. When feasible, we will opt for software made by trusted vendors instead of custom-built solutions (e.g. using the official Discord embed code instead of this widget).
- Begin research and implementation of various defenses against XSS to prevent such vulnerabilities from being exploited.
- Don’t reuse passwords across accounts
- Use strong, randomly generated passwords
  - Strong, complex passwords are much harder to guess, which makes your account less likely to be compromised.
  - Password managers make it really easy to generate strong passwords. You can also use trusted websites such as strongpasswordgenerator.com.
- Change your passwords regularly (every 3 months is a good interval)
  - This helps ensure that any passwords that do get compromised have a limited lifespan.
- If two-factor authentication (or multi-factor authentication) is available, use it!
  - Accounts using two-factor authentication require both the username/password combo and a second code, often generated on your phone, in order to log in. A hacker would need both your username/password and your phone to log in.
  - We plan to implement this on YSFHQ when a stable 2FA forum extension is released. When it’s ready, we’ll let you know!
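Two of the protections described above, forced HTTPS via HSTS and a login session that browser scripts cannot read, are visible in a site's response headers. The following checker is an added example, not YSFHQ's or phpBB's code; the header names and cookie attributes are standard, and the sample responses are constructed for illustration.

```python
# Added example, not YSFHQ's code: audits an HTTP response's headers for the
# controls this notice mentions: HSTS (forced HTTPS) and a session cookie that
# page scripts cannot read (HttpOnly) and that only travels over HTTPS (Secure).
# Headers are given as (name, value) pairs because Set-Cookie can repeat.

def _get(headers, wanted):
    for name, value in headers:
        if name.lower() == wanted:
            return value
    return None

def check_hsts(headers):
    findings = []
    value = _get(headers, "strict-transport-security")
    if value is None:
        return ["HSTS missing: the first request can still go over plain HTTP"]
    directives = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        directives[key.lower()] = val
    max_age = directives.get("max-age", "0")
    if not max_age.isdigit() or int(max_age) < 31536000:  # one year
        findings.append("HSTS max-age below one year")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains, so other hosts (e.g. a CDN) stay unprotected")
    return findings

def check_cookies(headers):
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        pair, *attrs = [p.strip() for p in value.split(";")]
        cookie = pair.partition("=")[0]
        flags = {a.partition("=")[0].lower() for a in attrs}  # attribute names only
        if "httponly" not in flags:
            findings.append(f"cookie {cookie}: no HttpOnly, so an XSS payload could read it")
        if "secure" not in flags:
            findings.append(f"cookie {cookie}: no Secure, so it may be sent over plain HTTP")
    return findings

def audit(headers):
    return check_hsts(headers) + check_cookies(headers)

WEAK = [("Set-Cookie", "sid=abc123; Path=/")]  # constructed pre-fix sample
HARDENED = [  # constructed post-fix sample
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
```

Running `audit(WEAK)` reports three findings (no HSTS, no HttpOnly, no Secure), while `audit(HARDENED)` reports none.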
- Eric and the YSFHQ staff