Toggle sidebar

Homebrew The All New 3DSThemes.com Huge Site Update! ツ

  • Thread starter Thread starter DoJo_Master
  • Start date Start date
  • Views Views 173,048
  • Replies Replies 1,185
  • Likes Likes 19
Pretty understandable i think, the devs probably trusted everyone to not abuse their site and gave functionality a bigger priority then security.
Some people said some rude stuff and i just wanted to say to them that they are idiots.
People that put so much effort in this community do not deserve to be treated like that.
And those who say that they are idiots, please share use one of your highly visited unhackable sites, and lets see how secure it really is ;)
 
  • Like
Reactions: WhoAmI?
Tjessx said:
Pretty understandable i think, the devs probably trusted everyone to not abuse their site and gave functionality a bigger priority then security.
Click to expand...

Lesson 1 of network security: User input is untrusted and bad.

Avoiding SQL injections with prepared statements and the like, the way PDO would've offered, is trivial. Then again, you can't expect too much from people who still use MySQL as their database of choice and hook the website up with the MySQL root user.
 
  • Like
Reactions: Deleted User and Arubaro
We know there is currently a security breach with our site, and we would like to let you know, that we are working tirelessly to fix this. We are deeply sorry for the inconvenience, and our site should be online again once we have solved it.
 
  • Like
Reactions: WhoAmI? and JJTapia19
GotKrypto67 said:
We know there is currently a security breach with our site, and we would like to let you know, that we are working tirelessly to fix this. We are deeply sorry for the inconvenience, and our site should be online again once we have solved it.
Click to expand...
In all seriousness now, might I suggest hiring an intern or someone to help educate the programmers on web application security? SQLi is really just the 101, there's more to consider (OWASP might be a good starting point), you'll definitely want to check this out now that you've established that, indeed, parts of your userbase are malicious and will abuse any and all flaws in your software.

EDIT: Hell, there's a guy volunteering right below this post. No need to expensively hire anyone if Tjessx knows his stuff.
 
Last edited by Suiginou,
  • Like
Reactions: WhoAmI?, xfade59691, Deleted User and 1 other person
Suiginou said:
Lesson 1 of network security: User input is untrusted and bad.

Avoiding SQL injections with prepared statements and the like, the way PDO would've offered, is trivial. Then again, you can't expect too much from people who still use MySQL as their database of choice and hook the website up with the MySQL root user.
Click to expand...
There is nothing wrong with MySQL, and i chose it above every other database type (however PostgreSQL is nice too :D)

--------------------- MERGED ---------------------------

GotKrypto67 said:
We know there is currently a security breach with our site, and we would like to let you know, that we are working tirelessly to fix this. We are deeply sorry for the inconvenience, and our site should be online again once we have solved it.
Click to expand...
If you need any help finding other unprotected parts, i've got some time :D
 
  • Like
Reactions: Deleted User, Suiginou and Deleted User
Suiginou said:
In all seriousness now, might I suggest hiring an intern or someone to help educate the programmers on web application security? SQLi is really just the 101, there's more to consider (OWASP might be a good starting point), you'll definitely want to check this out now that you've established that, indeed, parts of your userbase are malicious and will abuse any and all flaws in your software.
Click to expand...
Staff changes will be made, yes.


---------

I ask you all to be understanding while we deal with this, and make sure that no to minimal data was leaked. I would like to assure everyone that your passwords were hashed/encrypted, and that they were not stored in an insecure way.

More updates to come
 
Last edited by ,
  • Like
Reactions: WhoAmI? and Deleted User
PokeAcer said:
You can apply for Let's Encrypt right now :D
Click to expand...
We were using StartSSL, with plans to upgrade to a paid certificate in the coming month after google paid out. Unfortunately, sometimes things like this get in the way, so until we fix the security hole and find the perpetrator, we will not be doing further upgrades (Obviously).
 
  • Like
Reactions: Deleted User
Tjessx said:
Give me 5 minutes with it ;)
Click to expand...
I doubt you can "find the perpetrator" in 5 minutes. I'm assuming @GotKrypto67 is considering legal action; locating someone isn't that easy. You'd probably need to notify the police, who may start a criminal procedure, from which you may then learn the identity of the perpetrator and only then you can sue for damages.
 
Suiginou said:
I doubt you can "find the perpetrator" in 5 minutes. I'm assuming @GotKrypto67 is considering legal action; locating someone isn't that easy. You'd probably need to notify the police, who may start a criminal procedure, from which you may then learn the identity of the perpetrator and only then you can sue for damages.
Click to expand...
But finding the information to find the attacker is pretty easy. And from there, you email the ISP quoting the criminal damage and then go from there. If done by proxy, hope they keep logs. If done by TOR, you're out of luck.
 

Site & Scene News

Go to forum More news

Popular threads in this forum

Help on 3DS prices...

Homebrew app Emulator  [Release] 3DS-CLI - Run a real RISC-V Linux environment on the Nintendo 3DS

Hardware  2 Broken 3DSes, need help

Website for finding alternative games for 3DS

Homebrew Homebrew app  [Release] GridLauncher Rosalina

Homebrew  My Secret World DS: is there a way to bypass the password lock?

please help, wont boot

Hardware  I Have 2 THQ Dev Kit 3DSes (Panda), Need Help On Preserving What’s Inside