[PSA] Critical Security Vulnerabilities in "Foxverse" (an open source Miiverse replacement) and the return of PokeAcerNov 13, 2017
TLDR: In its current state, Foxverse has critical security vulnerabilities that could lead to password breaches, which the developer refuses to fix. Additionally, PokeAcer, a user who has previously stolen and sold other people's exploits, and has used services he was an administrator on to read people's personal messages, is an administrator on this new Foxverse project. In short, as it is right now, Foxverse cannot be trusted.
Well, apparently it's that time of the month again, as I have the pleasure of making Yet Another Drama Blogpost(TM). This time, I'm going to detail security vulnerabilities in the new Foxverse service, which, for the uninformed, is a Miiverse replacement developed by ninjafox/ctrninja/xkyup/ste (did I miss any of his old usernames?). Additionally, PokeAcer is back and working on this Foxverse project. I'll explain why I think that's bad news for the project, and why as long as PokeAcer is working on it, I won't trust it at all.
To start with, I'll discuss the potential security vulnerabilities. Unlike last time, where the screenshot dump was at the end of the post, I'm going to put these screenshots at the beginning, so you can have some context going into what is a somewhat technical explanation: https://imgur.com/a/fVYsK
Password validation security is hard to get right - there's a lot of moving parts, and a lot of the security methods are difficult to understand. However, it's the most important part of any web service, as an exploit and password leak in your service could lead to users' passwords being leaked for multiple sites, including potentially harmful things like bank accounts. For this reason, no matter what service you're implementing, if it deals with passwords, it has to be secure.
Unfortunately, Foxverse isn't secure in its current implementation. There are two main issues:
- Client-side hashing
- Use of HTTP over HTTPS
First, client-side hashing. Client side hashing, in and of itself, is not a bad thing. In fact, it's probably a good idea to do some amount of client side hashing, especially using a secure key-stretching algorithm such as bcrypt. However, client side hashing is by no means a replacement for server-side hashing. If the password is hashed on the client side and uploaded to a password database and stored in that database, logically, the client-side hash becomes the user's password. In the event of a database breach, an attacker doesn't even need to crack the hash - all they have to do is upload said hash, and they can instantly get into any user account. For this reason, client side hashing without any server side hashing is no better than storing passwords in plaintext. That being said, all this would allow an attacker to do is gain access to their Foxverse account - it wouldn't give an attacker the user's actual password. However, it's still a rather large security risk, and one that should be considered and patched. The solution is simple - hash on the server as well as on the client.
Please note that this is not an attempt to kill the project like ninjafox seems to believe it is. I would be ecstatic to get a proper Miiverse replacement. However, password security is something extremely important and I strongly believe that any such Miiverse replacement needs to have strong security. This is simply an attempt at making sure that this happens.
And now, onto the second part of the post: the return of PokeAcer.
At this point, it's fairly common knowledge that PokeAcer cannot be trusted - see my link at the top of the post. He stole and sold an exploit, begged for forgiveness, and then did the same thing again, and stole and leaked an exploit (ugopwn) ahead of time. However, something I had forgotten about myself was that PokeAcer also stole and read private flipnotes, abusing his position as a Project Kaeru administrator. See my quote from the last post:
In short, I cannot, and don't believe anyone should, trust Foxverse, both due to the security issues, and the personnel involved.
[PSA] User "PokeAcer", who stole a developer's exploit and reported it to Nintendo for money has done the same with NbaYoh's Flipnote 3D exploit as well as leaked a DSi exploit called ugopwnAug 5, 2017
TLDR: PokeAcer (who also stole ihaveamac's exploit) stole and reported a new exploit to Nintendo: the yet unreleased Flip Note 3D exploit by MrNbaYoh for userland homebrew on 11.5. The money has already been paid out so it's likely it'll be patched very soon - I highly advice you download it now.
In one of the Flipnote-related Discord chats recently, someone posted a ZIP containing the ugopwn exploit (an exploit for the DSi version of Flip Note), the SHA256 hash matching the one pinned in a certain private Discord server. It became obvious when looking around where it came from - ryanrocks's twitter.
Ryan was asked to take it down, and immediately complied (he also claimed that twitter analytics showed no one saw the tweet, but there's no way to verify that). Around the same time, a GBAtemp thread was posted with the files. At this point, several DCMA requests were filed on the sites to get the files taken down.
The Discord group the files came from only had 8 members, plus it was given to a few people outside of the discord. A total of around 10 people had access to the exploit files, all fairly trustworthy; there was initially no obvious leaker. Everyone was asked to think hard about who might have leaked it and messages were sent out.
Later hints were given that whoever leaked it had posted in the GBAtemp thread. After a bit of thinking we decided to ask PokeAcer (aka Billy Humphreys - this is public information available on his website and Twitter) about it. He eventually admitted to impersonating ryanrocks on Nintendo's HackerOne bug bounty to report this exploit. Eventually, he confessed to stealing the session token of one of the members of the Discord.
He's also admitted to having reported the Flipnote Studio 3D vulnerability to the HackerOne program and recently received a significant amount of money from the report. He's admitted to buying a new Macbook and other accessories with this money.
Additionally, this isn't the first time he's done this. He also reported ihaveamac's browser exploit to Nintendo for a significant amount of money as well, as seen here. Then he had the gall to write an apology post begging for forgiveness saying he'd "apology [for it] until the day [he] dies," then went around and did it again.
Additionally, he says not to judge one of the projects he works on, Project Kaeru (a custom server for Flipnote Studio 3D) as the rest of team doesn't condone his actions, but later on he admitted that he was reading and stealing information from people's notes on the Project Kaeru server.
To sum it up, PokeAcer has stolen three exploits that were not his. Two he reported to Nintendo for profit and one he leaked. He is not to be trusted, and did all this after profusely apologizing for the first time. Please avoid associating and sharing anything sensitive with him unless you want it leaked and/or reported to Nintendo for money.
Until now, this entire post until now has been serious and fact oriented, so allow me to insert some of my opinion here. PokeAcer or Billy, you seem to have some legitimate mental issues. I really hope you get those sorted out, both because you seem like a talented guy, and no one will (or should) trust you right now; but also because I'm seriously concerned about your well being.
Finally screenshots, because no good callout post is complete without proof: http://imgur.com/a/FNUMx
(I'm not the user in any of these screenshots)
EDIT: Archived his twitter, just in case: http://archive.is/JdRwP
DOUBLE EDIT: ihaveamac disclosed the amount that PokeAcer got when he sold his exploit:
[12:21 AM] ihaveahax: the amount was $1,382
Combined with the 2048 dollars from this one, that's a total of 3430 dollars
National Coming Out Day: Jumping on the BandwagonOct 11, 2016
So since apparently today is national coming out day (as anyone who has looked at recent content would know), so I figure that this is as good an opportunity as any to come out.
I'm bisexual. It's not something that I've given much thought to or cared about much, and it's been a relatively minor part of my life, so I don't really know what else to say here.
An Introduction, I supposeAug 25, 2016
So, I've been around for a bit but never really introduced myself, and I've watched a lot of other people make blog entries and stuff and realized I didn't talk much about myself, and figured I should introduce myself a bit.
Athletically, I love to run and ride my bike, and am planning on participating in a half marathon sometime soon. It's something that gets me out of the house and away from my computer.
The 3ds scene was my first scene, and I joined it after I was introduced to a custom theme on the /r/Saber subreddit, and it's all spiraled downhill from there. In the relatively short time I've been involved (I got in near the end of the 10.3 downgrade wave), I think I've done a lot. I moderated the 3dshacks discord and subreddit, but quit due to the constant power struggles and general immaturity of the community. I've gotten involved with a lot of really awesome developers and learned way more than I thought I ever would going in, and learned a lot of programming even for non-3ds related things.
So, uh, I guess that's my introduction. If you want to know anything more about me or my interests, just feel free to ask, I'd love to talk with you guys and get involved with the community here more!