How does the site hack affect you?

We have suffered an attack on our site!

On the day of this forum posting, a would-be hacker began rapidly testing our site’s security. His goal was to inject code into the website on the client end (that is, inside your browser), using a link that would convert the site into pop-up ads. He did so in several ways, most of which didn’t work:

  • He left comments on stories with the link. Because of the site’s security, this didn’t work.
  • He attempted to use his own user page and created stories, which didn’t work.
  • He exploited our tag system to automatically convert stories into pop-up ads without you clicking the link, which did work. He vandalised over 200 stories this way, which is why we shut down the site.

What do you need to do about it?

  • If your stories got their tags changed, we’ll be fixing that soon! Corin is implementing a method to revert tag changes that the admins can use. If you’d like to change the tags back yourself, that’s probably fine, but rest assured it’ll be fixed soon.
  • If you received an email with a link in it, do not click it! Right now, it’s harmless. If you click it, we’re almost certain it will do nothing. You only need to worry if your browser downloaded something to your computer, which it would tell you it was doing! If you copy-pasted the link because it was broken in the email, you would be directed to a weird dating site—we can’t control what’s on there, so don’t do that.

What are we doing to prevent this in the future?

  • We fixed the issue that allowed tags to be abused.
  • When our site sends you emails, we will scrub links and other markdown. That way, you’ll never get an email that might have a spam link in it.
  • To prevent mass tag and comment vandalism, we now limit the number of times someone can change tags to twice a minute, and the number of times someone can make comments to three times a minute.
  • Me and Nu are being given more tools to respond to emergencies like this while Corin isn’t online.
  • We’ll add email address verification for new accounts.

If you have any questions, concerns, or fears, please reply here and we’ll give whatever information we can!

13 Likes
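
The per-minute limits in the announcement above, written as a sliding-window limiter. This is an added example, not the site's own code; the class, function and action names are assumptions.

```python
import time
from collections import defaultdict, deque

# Limits stated in the announcement: (max actions, window in seconds).
LIMITS = {"tag_change": (2, 60.0), "comment": (3, 60.0)}


class ActionRateLimiter:
    """Sliding-window limiter keyed by (user, action). Names are hypothetical."""

    def __init__(self, limits=LIMITS, clock=time.monotonic):
        self.limits = limits
        self.clock = clock  # injectable so the window can be tested without sleeping
        self.history = defaultdict(deque)  # (user, action) -> times of allowed actions

    def check(self, user_id, action):
        """Return (allowed, retry_after_seconds); record the action if allowed."""
        max_count, window = self.limits[action]
        now = self.clock()
        stamps = self.history[(user_id, action)]
        # Drop timestamps that have aged out of the window.
        while stamps and now - stamps[0] >= window:
            stamps.popleft()
        if len(stamps) >= max_count:
            # Rejected attempts are not recorded, so retrying cannot extend the lockout.
            return False, window - (now - stamps[0])
        stamps.append(now)
        return True, 0.0


def simulate_burst(attempts, action, interval=0.3):
    """Constructed scenario: one account sends `attempts` requests `interval` s apart."""
    fake_now = [0.0]
    limiter = ActionRateLimiter(clock=lambda: fake_now[0])
    allowed = 0
    for _ in range(attempts):
        if limiter.check("constructed-user", action)[0]:
            allowed += 1
        fake_now[0] += interval
    return allowed


if __name__ == "__main__":
    # 200 tag changes attempted within one minute: only 2 get through.
    print(simulate_burst(200, "tag_change"))
```

The history here lives in one process's memory, so a deployment with several workers would need to keep it in a shared store for the limit to hold across them.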

Thanks for dealing with this y’all. It’s never fun to have your weekend commandeered by bad news. I appreciate your work and I’m sure others do too.

9 Likes

Thank you for your fast action and remediation today. I work in cybersecurity and was very happy that you were actively working on the issue today - a level of response that I don’t often see. Congrats on bringing it to resolution and restoring the site so quickly! Awesome work 🙏

6 Likes

Thank you for all the hard work you guys do behind the scenes to keep this site up and alerting readers and members to the hack quickly.

2 Likes

Holy! Thanks for dealing with this! I’m sure it was a bunch of work for Corin.

3 Likes

It was! We’re really grateful for everything he did, and so fast.

2 Likes

As a fringe author, my stories are usually too low traffic to even warrant spam comments 😅

Sorry you all are having to deal with this. We just can’t have nice things, apparently.

2 Likes