FanFiction.Net -- Javascript trojan
10-22-2018, 12:14 PM
https://www.reddit.com/r/FanFiction/comm...es_on_ffn/
TL;DR: Javascript trojan is infecting Fanfiction.net user profiles. Do not open any author's page until you've checked them with a javascript-disabled browser. It tries to use your login to hijack your own author profile bio and pen name.
So far it does not appear to be doing anything to PCs accessing the infected pages beyond this. So far.
Sucrose Octanitrate.
Proof positive that with sufficient motivation, you can make anything explode.
RE: FanFiction.Net -- Javascript trojan
10-22-2018, 03:44 PM
Is it safe to use the Pit of Voles if you don't have a user profile there?
RE: FanFiction.Net -- Javascript trojan
10-23-2018, 08:15 AM
(10-22-2018, 03:44 PM)Mamorien Wrote: Is it safe to use the Pit of Voles if you don't have a user profile there?
So far as is currently known, all it tries to do is whock your user profile. That does not say that the same trick can't be exploited to try other things.
If you're going straight to a story page, you're fine.
If you're not logged in, you're fine. So far as is known.
Probably the best thing to do is disable javascript for the site.
Sucrose Octanitrate.
Proof positive that with sufficient motivation, you can make anything explode.
RE: FanFiction.Net -- Javascript trojan
10-23-2018, 11:04 AM
Quote: Probably the best thing to do is disable javascript for the site.
Which while it turns off much of the annoying stuff that ff.net does with scripting in its story pages (like disabling copy-to-clipboard), forces the text style to centered, which I find to be juvenile sour grapes on their part -- "if you won't let us control your reading experience, we're going to make it as hard as possible for you to enjoy the site".
-- Bob
I have been Roland, Beowulf, Achilles, Gilgamesh, Clark Kent, Mary Sue, DJ Croft, Skysaber. I have been
called a hundred names and will be called a thousand more before the sun grows dim and cold....
RE: FanFiction.Net -- Javascript trojan
10-23-2018, 03:46 PM
Well, if your script-blocker allows you to toggle it on and off easily, then you can just turn it back on when you load a story page.
Sucrose Octanitrate.
Proof positive that with sufficient motivation, you can make anything explode.
RE: FanFiction.Net -- Javascript trojan
10-23-2018, 04:29 PM
(10-23-2018, 11:04 AM)Bob Schroeck Wrote: Quote: Probably the best thing to do is disable javascript for the site.
Which while it turns off much of the annoying stuff that ff.net does with scripting in its story pages (like disabling copy-to-clipboard), forces the text style to centered, which I find to be juvenile sour grapes on their part -- "if you won't let us control your reading experience, we're going to make it as hard as possible for you to enjoy the site".
m.fanfiction.net
Your solution to annoying formatting problems. Just swap www to m and back.
RE: FanFiction.Net -- Javascript trojan
10-24-2018, 07:35 AM
That noise you're hearing is Sofaspud laughing himself sick over this.
RE: FanFiction.Net -- Javascript trojan
10-24-2018, 11:51 AM
(This post was last modified: 10-24-2018, 11:51 AM by Bob Schroeck.)
I should note for irony's sake that just a week ago I was having one of my irregular bouts of considering whether it was a good idea to finally get a ff.net account. Every other time I seriously considered this, something happened (ff.net's admins being jerks about something, usually) that convinced me not to do it. The earthshaking synchronicity of yet another good reason not to get an account there appearing within days of the question resurfacing in my mind is not without its amusement value.
-- Bob
I have been Roland, Beowulf, Achilles, Gilgamesh, Clark Kent, Mary Sue, DJ Croft, Skysaber. I have been
called a hundred names and will be called a thousand more before the sun grows dim and cold....
RE: FanFiction.Net -- Javascript trojan
10-28-2018, 09:45 PM
So, has there been any sign that someone's going to get on the stick about this? Because so far I can't find anything.
-Morgan.
Some people have Worm SIs with phenomenal cosmic power.
My Worm SI is Emma and Madison's therapist.
RE: FanFiction.Net -- Javascript trojan
10-28-2018, 11:43 PM
(This post was last modified: 10-28-2018, 11:45 PM by LilFluff.)
(10-24-2018, 11:51 AM)Bob Schroeck Wrote: I should note for irony's sake that just a week ago I was having one of my irregular bouts of considering whether it was a good idea to finally get a ff.net account. Every other time I seriously considered this, something happened (ff.net's admins being jerks about something, usually) that convinced me not to do it. The earthshaking synchronicity of yet another good reason not to get an account there appearing within days of the question resurfacing in my mind is not without its amusement value.
I don't recall what it was that happened the last time I thought about signing up for FFN, but I recall about two years ago I almost signed up and then something made me stop. That's also been why to the confusion of some of my family who respond with, "But you're a techie, what do you mean you don't have a Facebook account?!", I to this day don't have a Facebook account. Every time I even start to consider it they either have one of their regularly scheduled massive privacy/security breaks or pull a stupid management move.
Does FFN even really have anything going for it beyond sheer size and having snagged an obvious web address? Looking from the outside it seems to me it's basically surviving in much the way FurAffinity does for furry art, "Well yes, our management regularly punches itself in the face, but no one else is even a fifth of our size so where else will you go if you want an audience?" (Which since some use FA as a source of income by using it as a portfolio to attract clients for commissions means giving up the largest online site would hurt...)
Will the transhumanist future have catgirls? Does Japan still exist? Well, there is your answer.
RE: FanFiction.Net -- Javascript trojan
10-29-2018, 07:27 AM
(10-28-2018, 11:43 PM)LilFluff Wrote: Looking from the outside it seems to me it's basically surviving in much the way FurAffinity does for furry art, "Well yes, our management regularly punches itself in the face, but no one else is even a fifth of our size so where else will you go if you want an audience?"
Which is how AOL has survived for so long.
Less snarkily, nobody remains the biggest forever.
--
Rob Kelk
Sticks and stones can break your bones,
But words can break your heart.
- unknown
RE: FanFiction.Net -- Javascript trojan
10-30-2018, 07:12 AM
(10-29-2018, 07:27 AM)robkelk Wrote: (10-28-2018, 11:43 PM)LilFluff Wrote: Looking from the outside it seems to me it's basically surviving in much the way FurAffinity does for furry art, "Well yes, our management regularly punches itself in the face, but no one else is even a fifth of our size so where else will you go if you want an audience?"
Which is how AOL has survived for so long.
Less snarkily, nobody remains the biggest forever.
Yeah, about a third of the new fanfic I read is on AOOO or Twisting the Hellmouth now. A third is Spacebattles/Sufficient Velocity. A third is fanfiction.net.
The latter is shrinking over time.
RE: FanFiction.Net -- Javascript trojan
10-30-2018, 08:08 AM
FFNet has the advantage of being the only archive for a lot of older fic, and is - or was - good for trawling around and looking for fics (mostly from the favorites pages of trusted writers, I'll admit)...
Sucrose Octanitrate.
Proof positive that with sufficient motivation, you can make anything explode.
RE: FanFiction.Net -- Javascript trojan
10-30-2018, 01:27 PM
If this is still going on, it's time to write a trojan to expose personal information of people on FF.net. If they can't filter out JS in a week, they deserve some GFDR fines.
"Kitto daijoubu da yo." - Sakura Kinomoto
RE: FanFiction.Net -- Javascript trojan
10-30-2018, 05:53 PM
(This post was last modified: 10-30-2018, 05:54 PM by Shepherd.)
According to their Twitter feed (https://twitter.com/FICTIONPRESS):
Oct. 24 - We are currently working to prevent the mix of automated bots and social engineering to exploits a security hole which may allow user to self trigger an account modification without visual consent. We will update frequently as the fix is continuing to be applied.
Oct. 24 - We have plugged the current known attack vector which combined csrf attacks with a html injection bug within the user profile page when access via a web browser. App users are not effected. A security review of the entire system is underway.
Does this mean they've patched the problem?
“I really hope I’m behind this convoluted mess; at least that way I’ll be able to get revenge by doing this to myself. I won’t even have to feel bad because it’ll be all my fault.” - Harry Potter, The Master of Death by Ryuugi.
RE: FanFiction.Net -- Javascript trojan
10-31-2018, 02:41 AM
Maybe? I didn't look at it, was it something like an iframe embedded in the page, that used some JS? If it really was a CSRF bug, I'm not too surprised they missed it, though I have the same level of dismay. I just had a discussion at work about how this is one of the hardest security issues to understand. To wit, a couple months back I had to convince Apple that no, there was not a CSRF vector in our application, despite what their security team was saying.
"Kitto daijoubu da yo." - Sakura Kinomoto
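The two defensive layers behind the quoted Oct. 24 statement (an HTML injection bug in the profile page combined with CSRF) and the CSRF question raised in the last post, as an added example that is not part of any post in this thread and is not FanFiction.Net's code. Every name here (`render_bio`, `handle_profile_update`, the session store, the `site.example` origin) is hypothetical, and the request data is constructed.

```python
import hashlib
import hmac
import html
import secrets

SERVER_KEY = secrets.token_bytes(32)      # assumption: per-deployment secret
ALLOWED_ORIGIN = "https://site.example"   # placeholder origin, not a real site

def issue_csrf_token(session_id: str) -> str:
    """Token tied to one session; only pages the site itself serves contain it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def render_bio(raw_bio: str) -> str:
    """Layer 1 (HTML injection): escape on output so the bio displays as
    text and any tags a user typed are never parsed as markup."""
    return '<div class="bio">' + html.escape(raw_bio, quote=True) + "</div>"

def handle_profile_update(sessions, profiles, session_id, method, headers, form):
    """Layer 2 (CSRF): a valid session cookie alone is not consent, because
    the browser attaches it to every request. Returns an HTTP status code."""
    user = sessions.get(session_id)
    if user is None:
        return 401
    if method != "POST":                  # state changes never happen on GET
        return 405
    origin = headers.get("Origin")
    if origin is not None and origin != ALLOWED_ORIGIN:
        return 403                        # request came from another origin
    supplied = form.get("csrf_token", "").encode()
    expected = issue_csrf_token(session_id).encode()
    if not hmac.compare_digest(supplied, expected):
        return 403                        # missing or wrong token
    profiles[user] = {"pen_name": form.get("pen_name", ""),
                      "bio": form.get("bio", "")}
    return 200

def demo():
    """Constructed sample data: one logged-in user, three requests."""
    sessions = {"sess-1": "alice"}
    profiles = {"alice": {"pen_name": "Alice", "bio": "hi"}}
    change = {"pen_name": "changed", "bio": "<script>/* constructed */</script>"}
    forged = handle_profile_update(sessions, profiles, "sess-1", "POST", {}, dict(change))
    untouched = profiles["alice"]["pen_name"] == "Alice"
    change["csrf_token"] = issue_csrf_token("sess-1")
    cross = handle_profile_update(sessions, profiles, "sess-1", "POST",
                                  {"Origin": "https://other.example"}, dict(change))
    own = handle_profile_update(sessions, profiles, "sess-1", "POST",
                                {"Origin": ALLOWED_ORIGIN}, dict(change))
    return forged, untouched, cross, own, render_bio(profiles["alice"]["bio"])
```

Either layer alone would have broken the chain described in the statement: with escaping, a profile page cannot carry active markup, and with the token check, a request the logged-in visitor never made from the site's own form is refused.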