astronautlevel's blog
Welcome to the personal blog of astronautlevel
Color
Background color
Background image
Font Type
Font Size
    astronautlevel TLDR: In its current state, Foxverse has critical security vulnerabilities that could lead to password breaches, which the developer refuses to fix. Additionally, PokeAcer, a user who has previously stolen and sold other people's exploits, and has used services he was an administrator on to read people's personal messages, is an administrator on this new Foxverse project. In short, as it is right now, Foxverse cannot be trusted.

    Well, apparently it's that time of the month again, as I have the pleasure of making Yet Another Drama Blogpost(TM). This time, I'm going to detail security vulnerabilities in the new Foxverse service, which, for the uninformed, is a Miiverse replacement developed by ninjafox/ctrninja/xkyup/ste (did I miss any of his old usernames?). Additionally, PokeAcer is back and working on this Foxverse project. I'll explain why I think that's bad news for the project, and why as long as PokeAcer is working on it, I won't trust it at all.

    To start with, I'll discuss the potential security vulnerabilities. Unlike last time, where the screenshot dump was at the end of the post, I'm going to put these screenshots at the beginning, so you can have some context going into what is a somewhat technical explanation: https://imgur.com/a/fVYsK

    Password validation security is hard to get right - there's a lot of moving parts, and a lot of the security methods are difficult to understand. However, it's the most important part of any web service, as an exploit and password leak in your service could lead to users' passwords being leaked for multiple sites, including potentially harmful things like bank accounts. For this reason, no matter what service you're implementing, if it deals with passwords, it has to be secure.

    Unfortunately, Foxverse isn't secure in its current implementation. There are two main issues:
    1. Client-side hashing
    2. Use of HTTP over HTTPS
    I'll address each of these in turn. Note this is going to be a somewhat technical explanation - if you want the layman's version, skip ahead.

    First, client-side hashing. Client side hashing, in and of itself, is not a bad thing. In fact, it's probably a good idea to do some amount of client side hashing, especially using a secure key-stretching algorithm such as bcrypt. However, client side hashing is by no means a replacement for server-side hashing. If the password is hashed on the client side and uploaded to a password database and stored in that database, logically, the client-side hash becomes the user's password. In the event of a database breach, an attacker doesn't even need to crack the hash - all they have to do is upload said hash, and they can instantly get into any user account. For this reason, client side hashing without any server side hashing is no better than storing passwords in plaintext. That being said, all this would allow an attacker to do is gain access to their Foxverse account - it wouldn't give an attacker the user's actual password. However, it's still a rather large security risk, and one that should be considered and patched. The solution is simple - hash on the server as well as on the client.

    Secondly, there's a much bigger issue - the use of HTTP over HTTPS. The use of HTTP means that none of the data sent between the console and the server is encrypted. Any attacker could simply read all of the data in plaintext, and, if they Man In The Middle (MITM) the connection, modify that data. This means two things: first, any attacker can get the password with ease (if it's hashed client side, which Forxverse does right now, only that service will be compromised). The much bigger danger, however, is the danger of an MITM. It's trivial to modify the javascript sent over HTTPS to not include the hashing + salting algorithm. This means that a potential attacker could get the plaintext password of anyone using this service with relative ease. Confronting ninjafox over this vulnerability got me nowhere, and given my belief that this issue is paramount to public security, I've decided to publicly post it.

    Now for the layman's explanation: Foxverse does not securely store passwords, leading to two major vulnerabilities. The first is that anyone with a password database dump doesn't need to crack the hashes, but instead can access anyone's account instantly. The second is that an attacker can MITM the connection between the server and the console, perform a trivial modification of the JavaScript served, and get the plaintext password through that route (which could lead to the compromise of other services).

    Please note that this is not an attempt to kill the project like ninjafox seems to believe it is. I would be ecstatic to get a proper Miiverse replacement. However, password security is something extremely important and I strongly believe that any such Miiverse replacement needs to have strong security. This is simply an attempt at making sure that this happens.

    And now, onto the second part of the post: the return of PokeAcer.

    At this point, it's fairly common knowledge that PokeAcer cannot be trusted - see my link at the top of the post. He stole and sold an exploit, begged for forgiveness, and then did the same thing again, and stole and leaked an exploit (ugopwn) ahead of time. However, something I had forgotten about myself was that PokeAcer also stole and read private flipnotes, abusing his position as a Project Kaeru administrator. See my quote from the last post:
    Although I glossed over it last time, I believe it's extremely relevant to consider now. As long as someone who has a history of stealing private messages is involved in a service like this, I cannot trust any data that is on said service. And yes, PokeAcer is involved as a developer in this.

    In short, I cannot, and don't believe anyone should, trust Foxverse, both due to the security issues, and the personnel involved.
    astronautlevel TLDR: PokeAcer (who also stole ihaveamac's exploit) stole and reported a new exploit to Nintendo: the yet unreleased Flip Note 3D exploit by MrNbaYoh for userland homebrew on 11.5. The money has already been paid out so it's likely it'll be patched very soon - I highly advice you download it now.

    In one of the Flipnote-related Discord chats recently, someone posted a ZIP containing the ugopwn exploit (an exploit for the DSi version of Flip Note), the SHA256 hash matching the one pinned in a certain private Discord server. It became obvious when looking around where it came from - ryanrocks's twitter.

    Ryan was asked to take it down, and immediately complied (he also claimed that twitter analytics showed no one saw the tweet, but there's no way to verify that). Around the same time, a GBAtemp thread was posted with the files. At this point, several DCMA requests were filed on the sites to get the files taken down.

    The Discord group the files came from only had 8 members, plus it was given to a few people outside of the discord. A total of around 10 people had access to the exploit files, all fairly trustworthy; there was initially no obvious leaker. Everyone was asked to think hard about who might have leaked it and messages were sent out.

    Later hints were given that whoever leaked it had posted in the GBAtemp thread. After a bit of thinking we decided to ask PokeAcer (aka Billy Humphreys - this is public information available on his website and Twitter) about it. He eventually admitted to impersonating ryanrocks on Nintendo's HackerOne bug bounty to report this exploit. Eventually, he confessed to stealing the session token of one of the members of the Discord.

    He's also admitted to having reported the Flipnote Studio 3D vulnerability to the HackerOne program and recently received a significant amount of money from the report. He's admitted to buying a new Macbook and other accessories with this money.

    Additionally, this isn't the first time he's done this. He also reported ihaveamac's browser exploit to Nintendo for a significant amount of money as well, as seen here. Then he had the gall to write an apology post begging for forgiveness saying he'd "apology [for it] until the day [he] dies," then went around and did it again.

    Additionally, he says not to judge one of the projects he works on, Project Kaeru (a custom server for Flipnote Studio 3D) as the rest of team doesn't condone his actions, but later on he admitted that he was reading and stealing information from people's notes on the Project Kaeru server.

    To sum it up, PokeAcer has stolen three exploits that were not his. Two he reported to Nintendo for profit and one he leaked. He is not to be trusted, and did all this after profusely apologizing for the first time. Please avoid associating and sharing anything sensitive with him unless you want it leaked and/or reported to Nintendo for money.

    Until now, this entire post until now has been serious and fact oriented, so allow me to insert some of my opinion here. PokeAcer or Billy, you seem to have some legitimate mental issues. I really hope you get those sorted out, both because you seem like a talented guy, and no one will (or should) trust you right now; but also because I'm seriously concerned about your well being.

    Finally screenshots, because no good callout post is complete without proof: http://imgur.com/a/FNUMx
    (I'm not the user in any of these screenshots)

    EDIT: Archived his twitter, just in case: http://archive.is/JdRwP

    DOUBLE EDIT: ihaveamac disclosed the amount that PokeAcer got when he sold his exploit:
    [12:21 AM] ihaveahax: the amount was $1,382
    Combined with the 2048 dollars from this one, that's a total of 3430 dollars
    astronautlevel So since apparently today is national coming out day (as anyone who has looked at recent content would know), so I figure that this is as good an opportunity as any to come out.

    I'm bisexual. It's not something that I've given much thought to or cared about much, and it's been a relatively minor part of my life, so I don't really know what else to say here.
    astronautlevel So, I've been around for a bit but never really introduced myself, and I've watched a lot of other people make blog entries and stuff and realized I didn't talk much about myself, and figured I should introduce myself a bit.

    I'm Alex, but you probably already knew that. I'm a 16 year old American who's going into his Junior year of High School in a few weeks. I mostly take GT/AP classes, and get pretty consistent A's (except for Latin - fuck you, Latin). Outside of school, I love programming, and am a member of a robotic's team as one of their lead programmers. I've been studying programming for 4 or 5 years now; python was my first language, but I've learned Java, C, C++, C#, Ruby, JavaScript, as well as other's I'm probably forgetting to mention. Other things I do on the computer is participate in a lot of different internet forums and chatgroups, as well as watch a shit ton of anime.

    Athletically, I love to run and ride my bike, and am planning on participating in a half marathon sometime soon. It's something that gets me out of the house and away from my computer.

    The 3ds scene was my first scene, and I joined it after I was introduced to a custom theme on the /r/Saber subreddit, and it's all spiraled downhill from there. In the relatively short time I've been involved (I got in near the end of the 10.3 downgrade wave), I think I've done a lot. I moderated the 3dshacks discord and subreddit, but quit due to the constant power struggles and general immaturity of the community. I've gotten involved with a lot of really awesome developers and learned way more than I thought I ever would going in, and learned a lot of programming even for non-3ds related things.

    So, uh, I guess that's my introduction. If you want to know anything more about me or my interests, just feel free to ask, I'd love to talk with you guys and get involved with the community here more!