DATA BREACH
The Traveler
#1 Posted : 7/19/2021 12:41:10 AM

"No, seriously"

Administrator | Skills: DMT, LSD, Programming

Posts: 7324
Joined: 18-Jan-2007
Last visit: 02-Nov-2024
Location: Orion Spur
Dear members,

On July 18th I was informed by member 0gTryptamine about a vulnerability on the forum.

Via the [Members] section it was possible to enter SQL-injection text. Simply stated SQL-injection can be used to enter a malicious query into the database that can alter or retrieve data.


WHAT PERSONAL DATA WAS AVAILABLE?

Personal data that could be retrieved is the following:
* Email-address
* Password


This data was stored in the database with the following methods:

* Email-address:
AES256 encryption where the encryption takes place outside the DMT-nexus, so no encryption key is stored in our database.
* Password:
Hashing through scrypt followed by AES256 encryption where the encryption takes place outside the DMT-nexus, so no encryption key is stored in our database.


RESOLVED

After being informed about this vulnerability, it was resolved on the same day.


WAS THIS VULNERABILITY ACTIVELY USED?

At this moment it is not clear if anyone actively used this vulnerability.


WHAT TO DO NOW?

For now it is best to change your password, please use a strong password that you do not use anywhere else.


MORE INFORMATION

If you need more information you can reach me via this topic, send me a PM on the forum or send an email to info@dmt-nexus.me


Kind regards,

The Traveler
 

STS is a community for people interested in growing, preserving and researching botanical species, particularly those with remarkable therapeutic and/or psychoactive properties.
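The defect class described in the post above (user input entering a database query through the members section), as an added example that is not the forum's own code: a constructed Python/SQLite members table, a lookup written in the string-splicing form that allows SQL injection, the same lookup with a bound parameter, and an id lookup that enforces an integer type before the value reaches the query. The table, names and the `ciphertext-placeholder-*` e-mail values are constructed; the probe string is the ordinary test input a developer uses to confirm the fix.

```python
import sqlite3

# Constructed sample rows standing in for a forum's member list. The e-mail
# column holds opaque placeholder strings, since the post says e-mail addresses
# are stored encrypted rather than in the clear.
SAMPLE_MEMBERS = [
    (1, "alice", "ciphertext-placeholder-1"),
    (2, "bob", "ciphertext-placeholder-2"),
    (3, "carol", "ciphertext-placeholder-3"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed member rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT NOT NULL, "
        "email_enc TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", SAMPLE_MEMBERS)
    return conn


def search_members_vulnerable(conn, name_filter):
    """Defective form: the user's text is spliced into the SQL string, so the
    input can change the shape of the query instead of only supplying a value."""
    sql = "SELECT name FROM members WHERE name = '" + name_filter + "'"
    return [row[0] for row in conn.execute(sql)]


def search_members_safe(conn, name_filter):
    """Parameterized form: SQL text and value travel separately to the engine,
    so whatever the user typed is compared as a literal string."""
    sql = "SELECT name FROM members WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name_filter,))]


def get_member_by_id(conn, member_id):
    """Strongly typed parameter: refuse anything that is not already an int
    before building the query (bool is excluded because it subclasses int)."""
    if isinstance(member_id, bool) or not isinstance(member_id, int):
        raise TypeError("member_id must be an int")
    row = conn.execute("SELECT name FROM members WHERE id = ?", (member_id,)).fetchone()
    return row[0] if row else None


def demo():
    """Run both search functions on an ordinary name and on a classic test
    input; the vulnerable form returns every member, the safe form none."""
    conn = make_db()
    probe = "x' OR '1'='1"
    return {
        "vulnerable_plain": search_members_vulnerable(conn, "alice"),
        "vulnerable_probe": search_members_vulnerable(conn, probe),
        "safe_plain": search_members_safe(conn, "alice"),
        "safe_probe": search_members_safe(conn, probe),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The safe form is the fix for this defect class: escaping or "scrubbing" input is a weaker second layer, because the query engine never sees the user's text as SQL in the first place when it is bound as a parameter.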
 
Homo Trypens
#2 Posted : 7/19/2021 12:59:25 AM

DMT-Nexus member

Welcoming committee | Senior Member

Posts: 560
Joined: 12-Aug-2018
Last visit: 08-Nov-2024
Location: Earth surface
Hey Trav,

thanks for the info!

Do I understand correctly that unless they also had access to the AES256 encryption key, an attacker could not get the email address in readable form?
 
Voidmatrix
#3 Posted : 7/19/2021 2:57:14 AM

DMT-Nexus member

Welcoming committee | Moderator

Posts: 4160
Joined: 01-Oct-2016
Last visit: 15-Nov-2024
Thank you for the heads up and speedy remedy Trav. My heart goes out to you.

One love
What if the "truth" is: the "truth" is indiscernible/unknowable/nonexistent? Then the closest we get is through being true to and with ourselves.


Know thyself, nothing in excess, certainty brings insanity- Delphic Maxims

DMT always has something new to show you

Question everything... including questioning everything... There's so much I could be wrong about and have no idea...
All posts and supposed experiences are from an imaginary interdimensional being. This being has the proclivity and compulsion for delving in depths it shouldn't. Posts should be taken with a grain of salt. 👽
 
The Traveler
#4 Posted : 7/19/2021 8:39:26 AM

"No, seriously"

Administrator | Skills: DMT, LSD, Programming

Posts: 7324
Joined: 18-Jan-2007
Last visit: 02-Nov-2024
Location: Orion Spur
Homo Trypens wrote:
Do I understand correctly that unless they also had access to the AES256 encryption key, an attacker could not get the email address in readable form?

The amount of possible keys to test is 2^256.

With current and near future technology (including quantum computers) this is near impossible to perform in any reasonable time.


Kind regards,

The Traveler
 
PsilocybeChild
#5 Posted : 7/19/2021 12:13:37 PM

DMT-Nexus member


Posts: 574
Joined: 24-Jan-2009
Last visit: 25-Aug-2023
Location: somewhere in the sands of time
Thank you Trav. Changed pass.
―λlτεrηιτγ→
Kambo.me Forum
Internet Security Walk-Through
Tobacco Disinformation (https://kambo.me/smf/index.php?topic=395.0)

PM me about personal Herbalist consultations.
Can do it over PMs as to not reveal personal information.
 
downwardsfromzero
#6 Posted : 7/20/2021 4:13:43 PM

Boundary condition

Moderator | Chemical expert

Posts: 8617
Joined: 30-Aug-2008
Last visit: 07-Nov-2024
Location: square root of minus one
Thanks, password changed.

Keep up the good work




“There is a way of manipulating matter and energy so as to produce what modern scientists call 'a field of force'. The field acts on the observer and puts him in a privileged position vis-à-vis the universe. From this position he has access to the realities which are ordinarily hidden from us by time and space, matter and energy. This is what we call the Great Work."
― Jacques Bergier, quoting Fulcanelli
 
tatt
#7 Posted : 7/20/2021 5:53:25 PM
DMT-Nexus member

Moderator | Senior Member

Posts: 4612
Joined: 17-Jan-2009
Last visit: 07-Mar-2024
I'd think most of these sorts of queries are scrubbed from the various inputs/fields [sql, xss, etc]. Though most of that means little, trav having the backend covered as he does:

The Traveler wrote:
The amount of possible keys to test is 2^256.


 
The Traveler
#8 Posted : 7/20/2021 6:04:23 PM

"No, seriously"

Administrator | Skills: DMT, LSD, Programming

Posts: 7324
Joined: 18-Jan-2007
Last visit: 02-Nov-2024
Location: Orion Spur
tatt wrote:
I'd think most of these sorts of queries are scrubbed from the various inputs/fields [sql, xss, etc]. Though none of this really means too much of anything at the end of the day:

The Traveler wrote:
The amount of possible keys to test is 2^256.


Security is all about layers of protection. The idea is that if one layer is breached, other layers will still stop the spreading of personal information.

As such having your sensitive data encrypted is an important layer. Having good input sanitation is another one, as is strongly typed parameters in queries.

In this case, two protection layers were not correctly implemented with that input field (input sanitation and strongly typed parameters were not implemented), thankfully we have that encryption layer in place.

Another interesting thing is that the encryption/decryption of the data is not done on the DMT-Nexus site itself and as such the DMT-Nexus does not know the encryption key at all, it is not available in the site code and neither in the database. That is another example of layered protection.


Kind regards,

The Traveler
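The storage design from the first post (scrypt hash of the password, then AES-256 encryption of both fields with a key that never lives in the site or its database) and the layering argument in the post above, as one added example that is not the forum's code. It assumes the third-party PyCA `cryptography` package for AES; the `KeyService` class is a hypothetical stand-in for the out-of-process component that holds the key, AES-GCM is my choice of mode (the post names only AES256), and the scrypt cost parameters and the sample member are constructed.

```python
import hashlib
import hmac
import os

# Third-party PyCA "cryptography" package, assumed installed (pip install cryptography).
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


class KeyService:
    """Hypothetical out-of-process key holder. In the design the posts describe,
    this is the only component that knows the AES-256 key; the site code and
    the database only ever handle ciphertext."""

    def __init__(self, key=None):
        self._key = key if key is not None else AESGCM.generate_key(bit_length=256)

    def encrypt(self, plaintext: bytes, context: bytes) -> bytes:
        # AES-256-GCM with a fresh 96-bit nonce per value. The record context
        # (here the username) is authenticated, so a ciphertext copied into
        # another member's row fails to decrypt.
        nonce = os.urandom(12)
        return nonce + AESGCM(self._key).encrypt(nonce, plaintext, context)

    def decrypt(self, blob: bytes, context: bytes) -> bytes:
        return AESGCM(self._key).decrypt(blob[:12], blob[12:], context)


def hash_password(password: str, salt: bytes) -> bytes:
    """scrypt layer: a slow, memory-hard hash, so even a decrypted hash still
    has to be guessed one password at a time (cost parameters are constructed)."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)


def store_member(ks: KeyService, username: str, email: str, password: str) -> dict:
    """What the database row holds: ciphertext of the e-mail, and ciphertext of
    the scrypt hash of the password. Neither field is readable without the key."""
    salt = os.urandom(16)
    ctx = username.encode("utf-8")
    return {
        "username": username,
        "email_enc": ks.encrypt(email.encode("utf-8"), ctx),
        "pw_salt": salt,
        "pw_hash_enc": ks.encrypt(hash_password(password, salt), ctx),
    }


def verify_password(ks: KeyService, row: dict, password: str) -> bool:
    """Login check: have the key service decrypt the stored hash, recompute the
    hash of the supplied password, compare in constant time."""
    ctx = row["username"].encode("utf-8")
    stored_hash = ks.decrypt(row["pw_hash_enc"], ctx)
    return hmac.compare_digest(stored_hash, hash_password(password, row["pw_salt"]))


def recover_email(ks: KeyService, row: dict) -> str:
    """Legitimate use: the site asks the key service to decrypt a member's e-mail."""
    return ks.decrypt(row["email_enc"], row["username"].encode("utf-8")).decode("utf-8")


def database_only_view(row: dict) -> dict:
    """What a read of the table alone yields: the row's bytes (hex) and no key."""
    return {k: (v.hex() if isinstance(v, bytes) else v) for k, v in row.items()}


if __name__ == "__main__":
    ks = KeyService()
    row = store_member(ks, "alice", "alice@example.org", "correct horse battery staple")
    print(database_only_view(row))
    print(verify_password(ks, row, "correct horse battery staple"), recover_email(ks, row))
```

The point of the split is visible in `database_only_view`: a query that reads the whole table gets opaque bytes, and decrypting them with any other `KeyService` instance fails authentication. The encryption layer protects the e-mail outright; for the password, the scrypt layer still applies even to a party who obtains the key.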
 
tatt
#9 Posted : 7/20/2021 6:08:12 PM
DMT-Nexus member

Moderator | Senior Member

Posts: 4612
Joined: 17-Jan-2009
Last visit: 07-Mar-2024
The Traveler wrote:
tatt wrote:
I'd think most of these sorts of queries are scrubbed from the various inputs/fields [sql, xss, etc]. Though none of this really means too much of anything at the end of the day:

The Traveler wrote:
The amount of possible keys to test is 2^256.


Security is all about layers of protection. The idea is that if one layer is breached, other layers will still stop the spreading of personal information.

As such having your sensitive data encrypted is an important layer. Having good input sanitation is another one, as is strongly typed parameters in queries.

In this case, two protection layers were not correctly implemented with that input field (input sanitation and strongly typed parameters were not implemented), thankfully we have that encryption layer in place.

Another interesting thing is that the encryption/decryption of the data is not done on the DMT-Nexus site itself and as such the DMT-Nexus does not know the encryption key at all, it is not available in the site code and neither in the database. That is another example of layered protection.


Kind regards,

The Traveler


Well said Trav
 
PedroSanchez
#10 Posted : 7/31/2021 10:02:53 AM

DMT-Nexus member


Posts: 414
Joined: 20-Jun-2020
Last visit: 09-Jul-2023
thank you traveler and 0gTryptamine for informing us

this should not be a problem if people are smart about their sign up method. use burner emails and no reusing passwords. if you stick to those rules you can hand out your email and password openly and it does not really matter, worst case is you have to set up another nexus account.

sounds to me like it is an extremely low risk vulnerability anyway, but a risk nonetheless, so thank you for pointing it out 0gTryptamine.
 
ShamanisticVibes
#11 Posted : 7/31/2021 6:43:57 PM
DMT-Nexus member


Posts: 350
Joined: 13-Feb-2021
Last visit: 18-Jul-2023
Location: United States
Thanks Trav and Og! Password changed!
May we continue to be blessed
 
MachienDome
#12 Posted : 8/14/2021 2:23:52 PM

DMT-Nexus member


Posts: 117
Joined: 13-May-2018
Last visit: 01-Apr-2022
Location: The Nexus
Nice to see Traveler takes security of the board and its members seriously!

Updating my password just in case!
"In this secret room, from the past, I seek the future..."
 
TGO
#13 Posted : 8/17/2021 10:36:56 PM

Music is alive and in your soul. It can move you. It can carry you. It can make you cry! Make you laugh. Most importantly, it makes you feel! What is more important than that?

Welcoming committee

Posts: 2562
Joined: 02-May-2015
Last visit: 04-Sep-2023
Location: Lost In A Dream
Thanks for the info, I've updated mine as well.

 
seagull
#14 Posted : 8/26/2021 12:20:15 PM

Hello world!


Posts: 157
Joined: 20-Jun-2015
Last visit: 24-Jul-2024
No worries, good job being transparent
You&Iverse
 
 