"No, seriously"
Posts: 7324 Joined: 18-Jan-2007 Last visit: 02-Nov-2024 Location: Orion Spur
|
Dear members, On Juli 18th I was informed by member 0gTryptamine about a vulnerability on the forum. Via the [Members] section it was possible to enter SQL-injection text. Simply stated SQL-injection can be used to enter a malicious query into the database that can alter or retrieve data. WHAT PERSONAL DATA WAS AVAILABLE?Personal data that could be retrieved is the following: * Email-address * PasswordThis data was stored in the database with the following methods: * Email-address: AES256 encryption where the encryption takes place outside the DMT-nexus, so no encryption key is stored in our database. * Password: Hashing through scrypt followed by AES256 encryption where the encryption takes place outside the DMT-nexus, so no encryption key is stored in our database. RESOLVEDAfter being informed about this vulnerability, it was resolved on the same day. WAS THIS VULNERABILITY ACTIVELY USED?At this moment is is not clear if anyone actively used this vulnerability. WHAT TO DO NOW?For now it is best to change your password, please use a strong password that you do not use anywhere else. MORE INFORMATIONIf you need more information you can reach me via this topic, send me a PM on the forum or send an email to info@dmt-nexus.meKind regards, The Traveler
|
|
|
|
|
DMT-Nexus member
Posts: 560 Joined: 12-Aug-2018 Last visit: 08-Nov-2024 Location: Earth surface
|
Hey Trav,
thanks for the info!
Do i understand correctly that unless they also had access to the AES256 encryption key, an attacker could not get the email address in readable form?
|
|
|
DMT-Nexus member
Posts: 4160 Joined: 01-Oct-2016 Last visit: 15-Dec-2024
|
Thank you for the heads up and speedy remedy Trav. My heart goes out to you. One love What if the "truth" is: the "truth" is indescernible/unknowable/nonexistent? Then the closest we get is through being true to and with ourselves. Know thyself, nothing in excess, certainty brings insanity- Delphic Maxims DMT always has something new to show you Question everything... including questioning everything... There's so much I could be wrong about and have no idea... All posts and supposed experiences are from an imaginary interdimensional being. This being has the proclivity and compulsion for delving in depths it shouldn't. Posts should be taken with a grain of salt. 👽
|
|
|
"No, seriously"
Posts: 7324 Joined: 18-Jan-2007 Last visit: 02-Nov-2024 Location: Orion Spur
|
Homo Trypens wrote:Do i understand correctly that unless they also had access to the AES256 encryption key, an attacker could not get the email address in readable form? The amount of possible keys to test is 2^256. With current and near future technology (including quantum computers) this is near impossible to perform in any reasonable time. Kind regards, The Traveler
|
|
|
DMT-Nexus member
Posts: 574 Joined: 24-Jan-2009 Last visit: 25-Aug-2023 Location: somewhere in the sands of time
|
Thank you Trav. Changed pass.
|
|
|
Boundary condition
Posts: 8617 Joined: 30-Aug-2008 Last visit: 07-Nov-2024 Location: square root of minus one
|
Thanks, password changed. Keep up the good work “There is a way of manipulating matter and energy so as to produce what modern scientists call 'a field of force'. The field acts on the observer and puts him in a privileged position vis-à-vis the universe. From this position he has access to the realities which are ordinarily hidden from us by time and space, matter and energy. This is what we call the Great Work." ― Jacques Bergier, quoting Fulcanelli
|
|
|
DMT-Nexus member
Posts: 4612 Joined: 17-Jan-2009 Last visit: 07-Mar-2024
|
I'd think most of these sorts of queries are scrubbed from the various inputs/fields [sql, xss, etc]. Though most of that means little, trav having the backend covered as he does: The Traveler wrote:The amount of possible keys to test is 2^256.
|
|
|
"No, seriously"
Posts: 7324 Joined: 18-Jan-2007 Last visit: 02-Nov-2024 Location: Orion Spur
|
tatt wrote:I'd think most of these sorts of queries are scrubbed from the various inputs/fields [sql, xss, etc]. Though none of this really means too much of anything at the end of the day: The Traveler wrote:The amount of possible keys to test is 2^256.
Security is all about layers of protection. The idea is that if one layer is breached, other layers will still stop the spreading of personal information. As such having your sensitive data encrypted is an important layer. Having good input sanitation is another one, as is strongly typed parameters in queries. In this case, two protection layers were not correctly implemented with that input field (input sanitation and strongly typed parameters were not implemented), thankfully we have that encryption layer in place. Another interesting thing is that the encryption/decryption of the data is not done on the DMT-Nexus site itself and as such the DMT-Nexus does not know the encryption key at all, it is not available in the site code and neither in the database. That is another example of layered protection. Kind regards, The Traveler
|
|
|
DMT-Nexus member
Posts: 4612 Joined: 17-Jan-2009 Last visit: 07-Mar-2024
|
The Traveler wrote:tatt wrote:I'd think most of these sorts of queries are scrubbed from the various inputs/fields [sql, xss, etc]. Though none of this really means too much of anything at the end of the day: The Traveler wrote:The amount of possible keys to test is 2^256.
Security is all about layers of protection. The idea is that if one layer is breached, other layers will still stop the spreading of personal information. As such having your sensitive data encrypted is an important layer. Having good input sanitation is another one, as is strongly typed parameters in queries. In this case, two protection layers were not correctly implemented with that input field (input sanitation and strongly typed parameters were not implemented), thankfully we have that encryption layer in place. Another interesting thing is that the encryption/decryption of the data is not done on the DMT-Nexus site itself and as such the DMT-Nexus does not know the encryption key at all, it is not available in the site code and neither in the database. That is another example of layered protection. Kind regards, The Traveler Well said Trav
|
|
|
DMT-Nexus member
Posts: 414 Joined: 20-Jun-2020 Last visit: 09-Jul-2023
|
thank you traveler and 0gTryptamine for informing us this should not be a problem if people are smart about their sign up method. use burner emails and no reusing passwords. if you stick to those rules you can hand out your email and password openly and it does not really matter, worst case is you have to set up another nexus account. sounds to me like it is an extremely low risk vulnerability anyway, but a risk nonetheless, so thank you for pointing it out 0gTryptamine.
|
|
|
DMT-Nexus member
Posts: 350 Joined: 13-Feb-2021 Last visit: 18-Jul-2023 Location: United States
|
Thanks Trav and Og! Password changed! May we continue to be blessed
|
|
|
DMT-Nexus member
Posts: 117 Joined: 13-May-2018 Last visit: 01-Apr-2022 Location: The Nexus
|
Nice to see Traveler takes security of the board and its members seriously! Updating my password just in case! "In this secret room, from the past, I seek the future..."
|
|
|
Music is alive and in your soul. It can move you. It can carry you. It can make you cry! Make you laugh. Most importantly, it makes you feel! What is more important than that?
Posts: 2562 Joined: 02-May-2015 Last visit: 04-Sep-2023 Location: Lost In A Dream
|
Thanks for the info, I've updated mine as well. New to The Nexus? Check These Out: One Fish Two Fish Red Fish Blue Fish
|
|
|
Hello world!
Posts: 157 Joined: 20-Jun-2015 Last visit: 24-Jul-2024
|
No worries, good job being transparant You&Iverse
|