Dear members,

On July 18th I was informed by member 0gTryptamine about a vulnerability on the forum. Via the [Members] section it was possible to enter SQL-injection text. Simply stated, SQL injection can be used to enter a malicious query into the database that can alter or retrieve data.

WHAT PERSONAL DATA WAS AVAILABLE?
Personal data that could be retrieved is the following:
* Email address
* Password

This data was stored in the database with the following methods:
* Email address: AES256 encryption where the encryption takes place outside the DMT-Nexus, so no encryption key is stored in our database.
* Password: Hashing through scrypt followed by AES256 encryption where the encryption takes place outside the DMT-Nexus, so no encryption key is stored in our database.

RESOLVED
After being informed about this vulnerability, it was resolved on the same day.

WAS THIS VULNERABILITY ACTIVELY USED?
At this moment it is not clear if anyone actively used this vulnerability.

WHAT TO DO NOW?
For now it is best to change your password; please use a strong password that you do not use anywhere else.

MORE INFORMATION
If you need more information you can reach me via this topic, send me a PM on the forum or send an email to info@dmt-nexus.me

Kind regards,
The Traveler
Hey Trav,
thanks for the info!
Do I understand correctly that unless they also had access to the AES256 encryption key, an attacker could not get the email address in readable form?
Thank you for the heads up and speedy remedy Trav. My heart goes out to you. One love

What if the "truth" is: the "truth" is indiscernible/unknowable/nonexistent? Then the closest we get is through being true to and with ourselves. Know thyself, nothing in excess, certainty brings insanity - Delphic Maxims. DMT always has something new to show you. Question everything... including questioning everything... There's so much I could be wrong about and have no idea... All posts and supposed experiences are from an imaginary interdimensional being. This being has the proclivity and compulsion for delving in depths it shouldn't. Posts should be taken with a grain of salt. 👽
Homo Trypens wrote: Do I understand correctly that unless they also had access to the AES256 encryption key, an attacker could not get the email address in readable form?

The amount of possible keys to test is 2^256. With current and near-future technology (including quantum computers) this is near impossible to perform in any reasonable time.

Kind regards,
The Traveler
Thank you Trav. Changed pass.
Thanks, password changed. Keep up the good work

"There is a way of manipulating matter and energy so as to produce what modern scientists call 'a field of force'. The field acts on the observer and puts him in a privileged position vis-à-vis the universe. From this position he has access to the realities which are ordinarily hidden from us by time and space, matter and energy. This is what we call the Great Work." ― Jacques Bergier, quoting Fulcanelli
I'd think most of these sorts of queries are scrubbed from the various inputs/fields [SQL, XSS, etc]. Though most of that means little, Trav having the backend covered as he does:

The Traveler wrote: The amount of possible keys to test is 2^256.
tatt wrote: I'd think most of these sorts of queries are scrubbed from the various inputs/fields [SQL, XSS, etc]. Though none of this really means too much of anything at the end of the day: The Traveler wrote: The amount of possible keys to test is 2^256.

Security is all about layers of protection. The idea is that if one layer is breached, other layers will still stop the spreading of personal information. As such, having your sensitive data encrypted is an important layer. Having good input sanitation is another one, as is strongly typed parameters in queries. In this case, two protection layers were not correctly implemented with that input field (input sanitation and strongly typed parameters were not implemented); thankfully we have that encryption layer in place. Another interesting thing is that the encryption/decryption of the data is not done on the DMT-Nexus site itself, and as such the DMT-Nexus does not know the encryption key at all: it is not available in the site code nor in the database. That is another example of layered protection.

Kind regards,
The Traveler
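The layers described in this post and in the original announcement (a search field that splices user input into SQL, versus a bound parameter, and passwords that reach the table only as scrypt output), shown as an added example against an in-memory SQLite table. This is illustrative code written for this thread, not the DMT-Nexus code base: the `members` table, its column names, the two sample members and the two payloads are all constructed here. The site's extra AES256 step performed outside the site is not reproduced, so the dumped password column below is the scrypt blob rather than the AES-wrapped form the announcement describes.

```python
# Added example, not DMT-Nexus code: a vulnerable member search beside a
# parameterized one, over constructed sample data in SQLite.
import hashlib
import hmac
import os
import sqlite3

# Constructed sample members (hypothetical names, addresses and passwords).
SAMPLE_MEMBERS = [
    ("alice", "alice@example.org", "correct horse battery"),
    ("bob", "bob@example.org", "hunter2"),
]

# Storage layer: scrypt the password before it is stored. Parameters are
# chosen for this example; the site's own cost settings are not known here.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password, salt=None):
    """Return 'scrypt$<salt hex>$<digest hex>' for the given password."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def make_db():
    """Hypothetical members table, filled with hashed sample passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?, ?)",
        [(u, e, hash_password(p)) for u, e, p in SAMPLE_MEMBERS],
    )
    return conn


def find_member_vulnerable(conn, term):
    """Query layer missing: the search term is spliced into the SQL text."""
    sql = "SELECT username FROM members WHERE username = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def find_member_parameterized(conn, term):
    """Query layer present: the term is bound as data and never parsed as SQL."""
    return [row[0] for row in conn.execute(
        "SELECT username FROM members WHERE username = ?", (term,))]


# Payloads of the kind a tester might type into a members search field.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "x' UNION SELECT email || ':' || password FROM members --"


def demo():
    """Run both search functions against both payloads and return the rows."""
    conn = make_db()
    return {
        "vulnerable_tautology": find_member_vulnerable(conn, TAUTOLOGY),
        "vulnerable_dump": find_member_vulnerable(conn, UNION_DUMP),
        "parameterized_tautology": find_member_parameterized(conn, TAUTOLOGY),
        "parameterized_exact": find_member_parameterized(conn, "alice"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The tautology returns every username from the vulnerable function and nothing from the parameterized one; the UNION payload pulls the email and stored password columns through the same username field, which is what makes the storage layer matter: what comes out is the scrypt blob, not the password, and `verify_password` is the only way to check a guess against it.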
The Traveler wrote: tatt wrote: I'd think most of these sorts of queries are scrubbed from the various inputs/fields [SQL, XSS, etc]. Though none of this really means too much of anything at the end of the day: The Traveler wrote: The amount of possible keys to test is 2^256.
Security is all about layers of protection. The idea is that if one layer is breached, other layers will still stop the spreading of personal information. As such having your sensitive data encrypted is an important layer. Having good input sanitation is another one, as is strongly typed parameters in queries. In this case, two protection layers were not correctly implemented with that input field (input sanitation and strongly typed parameters were not implemented), thankfully we have that encryption layer in place. Another interesting thing is that the encryption/decryption of the data is not done on the DMT-Nexus site itself and as such the DMT-Nexus does not know the encryption key at all, it is not available in the site code and neither in the database. That is another example of layered protection. Kind regards, The Traveler

Well said Trav
Thank you Traveler and 0gTryptamine for informing us. This should not be a problem if people are smart about their sign-up method: use burner emails and no reusing passwords. If you stick to those rules you can hand out your email and password openly and it does not really matter; worst case is you have to set up another Nexus account. Sounds to me like it is an extremely low-risk vulnerability anyway, but a risk nonetheless, so thank you for pointing it out 0gTryptamine.
Thanks Trav and Og! Password changed! May we continue to be blessed
Nice to see Traveler takes security of the board and its members seriously! Updating my password just in case! "In this secret room, from the past, I seek the future..."
Thanks for the info, I've updated mine as well. New to The Nexus? Check These Out: One Fish Two Fish Red Fish Blue Fish
No worries, good job being transparent

You&Iverse