We have suffered an attack on our site!
On the day of this forum posting, a would-be hacker began rapidly testing our site’s security. His goal was to inject code into the website on the client end (that is, inside your browser), using a link that would convert the site into pop-up ads. He did so in several ways, most of which didn’t work:
- He left comments on stories with the link. Because of the site’s security, this didn’t work.
- He attempted to use his own user page and created stories, which didn’t work.
- He exploited our tag system to automatically convert stories into pop-up ads without you clicking the link, which did work. He vandalised over 200 stories this way, which is why we shut down the site.
What do you need to do about it?
- If your stories got their tags changed, we’ll be fixing that soon! Corin is implementing a method to revert tag changes that the admins can use. If you’d like to change the tags back yourself, that’s probably fine, but rest assured it’ll be fixed soon.
- If you received an email with a link in it, do not click it! Right now, it’s harmless. If you click it, we’re almost certain it will do nothing. You only need to worry if your browser downloaded something to your computer, which it would tell you it was doing! If you copy-pasted the link because it was broken in the email, you would be directed to a weird dating site—we can’t control what’s on there, so don’t do that.
What are we doing to prevent this in the future?
- We fixed the issue that allowed tags to be abused.
- When our site sends you emails, we will scrub links and other markdown. That way, you’ll never get an email that might have a spam link in it.
- To prevent mass tag and comment vandalism, we now limit the number of times someone can change tags to twice a minute, and the number of times someone can make comments to three times a minute.
- Nu and I are being given more tools to respond to emergencies like this while Corin isn’t online.
- We’ll add email address verification for new accounts.
If you have any questions, concerns, or fears, please reply here and we’ll give whatever information we can!
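
The per-minute limits described in the post (two tag changes, three comments) can be enforced with a sliding-window limiter like the one below. This is an added example, not the site's own code; the class, function, action and user names are assumptions, and the sample attempts are constructed.

```python
import time
from collections import defaultdict, deque

# Limits stated in the post: tag changes twice a minute, comments three times a minute.
LIMITS = {"tag_change": 2, "comment": 3}
WINDOW_SECONDS = 60.0


class ActionRateLimiter:
    """Sliding-window limiter keyed by (user, action).

    A sliding window avoids the burst a fixed per-minute counter allows
    at the boundary between two minutes.
    """

    def __init__(self, limits=LIMITS, window=WINDOW_SECONDS, clock=time.monotonic):
        self.limits = dict(limits)
        self.window = window
        self.clock = clock  # injectable so the limiter can be tested offline
        self._events = defaultdict(deque)  # (user_id, action) -> timestamps

    def allow(self, user_id, action):
        """Return True and record the action if it is within the limit."""
        if action not in self.limits:
            raise ValueError(f"no limit configured for {action!r}")
        now = self.clock()
        events = self._events[(user_id, action)]
        # Drop timestamps that have aged out of the window.
        while events and now - events[0] >= self.window:
            events.popleft()
        if len(events) >= self.limits[action]:
            return False  # rejected attempts are not recorded
        events.append(now)
        return True


def replay(attempts):
    """Run constructed (timestamp, user, action) attempts through a fresh limiter."""
    now = [0.0]
    limiter = ActionRateLimiter(clock=lambda: now[0])
    decisions = []
    for ts, user, action in attempts:
        now[0] = ts
        decisions.append(limiter.allow(user, action))
    return decisions


# Constructed sample: one account hammering tag changes, another commenting once.
SAMPLE = [(0.0, "vandal", "tag_change"), (1.0, "vandal", "tag_change"),
          (2.0, "vandal", "tag_change"), (30.0, "reader", "comment"),
          (59.9, "vandal", "tag_change"), (60.0, "vandal", "tag_change"),
          (60.5, "vandal", "tag_change")]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

Limits are tracked per account, so the check should run server-side on the authenticated user ID before the tag change or comment is written.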