Homebrew The All New 3DSThemes.com Huge Site Update! ツ

Tjessx

Pretty understandable I think, the devs probably trusted everyone to not abuse their site and gave functionality a bigger priority than security.
Some people said some rude stuff and I just wanted to say to them that they are idiots.
People that put so much effort in this community do not deserve to be treated like that.
And those who say that they are idiots, please share with us one of your highly visited unhackable sites, and let's see how secure it really is ;)
 

Suiginou

Pretty understandable I think, the devs probably trusted everyone to not abuse their site and gave functionality a bigger priority than security.

Lesson 1 of network security: User input is untrusted and bad.

Avoiding SQL injections with prepared statements and the like, the way PDO would've offered, is trivial. Then again, you can't expect too much from people who still use MySQL as their database of choice and hook the website up with the MySQL root user.
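As an added illustration (not code from the thread or from the site), here is the string-spliced query pattern beside the PDO prepared-statement form Suiginou refers to, connected as a dedicated least-privilege account rather than the MySQL root user. The DSN, account, table and column names are placeholders.

```php
<?php
declare(strict_types=1);

// Placeholder connection: a dedicated account with only the rights the site
// needs, instead of the MySQL root user the thread complains about.
$pdo = new PDO(
    'mysql:host=localhost;dbname=themes;charset=utf8mb4',  // placeholder DSN
    'themes_app',                                          // placeholder user
    getenv('THEMES_DB_PASSWORD') ?: '',
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

// VULNERABLE: user input is spliced into the SQL text, so any quote character
// in the input alters the statement itself. This is the class of flaw the
// thread is about; shown only as the "before".
function findThemeVulnerable(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name, author FROM themes WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll();
}

// FIXED: the SQL text is fixed at prepare time and the input travels only as
// a bound parameter, so the database never parses it as SQL.
function findTheme(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare(
        'SELECT id, name, author FROM themes WHERE name = :name'
    );
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll();
}

// Constructed input containing a single quote, as a normal theme name might.
$input = "Mario's World";
// findThemeVulnerable() would hand the server a malformed statement (the quote
// closes the literal early) and throw; findTheme() simply matches the literal.
print_r(findTheme($pdo, $input));
```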
 
Deleted User
We know there is currently a security breach with our site, and we would like to let you know that we are working tirelessly to fix this. We are deeply sorry for the inconvenience, and our site should be online again once we have solved it.
 

Suiginou

We know there is currently a security breach with our site, and we would like to let you know that we are working tirelessly to fix this. We are deeply sorry for the inconvenience, and our site should be online again once we have solved it.
In all seriousness now, might I suggest hiring an intern or someone to help educate the programmers on web application security? SQLi is really just the 101, there's more to consider (OWASP might be a good starting point), you'll definitely want to check this out now that you've established that, indeed, parts of your userbase are malicious and will abuse any and all flaws in your software.

EDIT: Hell, there's a guy volunteering right below this post. No need to expensively hire anyone if Tjessx knows his stuff.
 

Tjessx

Lesson 1 of network security: User input is untrusted and bad.

Avoiding SQL injections with prepared statements and the like, the way PDO would've offered, is trivial. Then again, you can't expect too much from people who still use MySQL as their database of choice and hook the website up with the MySQL root user.
There is nothing wrong with MySQL, and I chose it above every other database type (however PostgreSQL is nice too :D)

--------------------- MERGED ---------------------------

We know there is currently a security breach with our site, and we would like to let you know that we are working tirelessly to fix this. We are deeply sorry for the inconvenience, and our site should be online again once we have solved it.
If you need any help finding other unprotected parts, I've got some time :D
 
Deleted User
In all seriousness now, might I suggest hiring an intern or someone to help educate the programmers on web application security? SQLi is really just the 101, there's more to consider (OWASP might be a good starting point), you'll definitely want to check this out now that you've established that, indeed, parts of your userbase are malicious and will abuse any and all flaws in your software.
Staff changes will be made, yes.


---------

I ask you all to be understanding while we deal with this, and make sure that little to no data was leaked. I would like to assure everyone that your passwords were hashed/encrypted, and that they were not stored in an insecure way.

More updates to come
 
Deleted User
You can apply for Let's Encrypt right now :D
We were using StartSSL, with plans to upgrade to a paid certificate in the coming month after Google paid out. Unfortunately, sometimes things like this get in the way, so until we fix the security hole and find the perpetrator, we will not be doing further upgrades (obviously).
 

Suiginou

Give me 5 minutes with it ;)
I doubt you can "find the perpetrator" in 5 minutes. I'm assuming @GotKrypto67 is considering legal action; locating someone isn't that easy. You'd probably need to notify the police, who may start a criminal procedure, from which you may then learn the identity of the perpetrator and only then you can sue for damages.
 

yodamerlin

I doubt you can "find the perpetrator" in 5 minutes. I'm assuming @GotKrypto67 is considering legal action; locating someone isn't that easy. You'd probably need to notify the police, who may start a criminal procedure, from which you may then learn the identity of the perpetrator and only then you can sue for damages.
But finding the information to find the attacker is pretty easy. And from there, you email the ISP quoting the criminal damage and then go from there. If done by proxy, hope they keep logs. If done by Tor, you're out of luck.
 
