Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
FanFiction.Net -- Javascript trojan
FanFiction.Net -- Javascript trojan
#1
https://www.reddit.com/r/FanFiction/comm...es_on_ffn/


TL;DR: Javascript trojan is infecting Fanfiction.net user profiles. Do not open any author's page until you've checked them with a javascript-disabled browser. It tries to use your login to hijack your own author profile bio and pen name.

So far it does not appear to be doing anything to PCs accessing the infected pages beyond this. So far.
Sucrose Octanitrate.

Proof positive that with sufficient motivation, you can make anything explode.
Reply
RE: FanFiction.Net -- Javascript trojan
#2
Is it safe to use the Pit of Voles if you don't have a user profile there?
Reply
RE: FanFiction.Net -- Javascript trojan
#3
(10-22-2018, 03:44 PM)Mamorien Wrote: Is it safe to use the Pit of Voles if you don't have a user profile there?

So far as is currently known, all it tries to do is whock your user profile. That does not say that the same trick can't be exploited to try other things.

If you're going straight to a story page, you're fine.

If you're not logged in, you're fine. So far as is known.

Probably the best thing to do is disable javascript for the site.
Sucrose Octanitrate.

Proof positive that with sufficient motivation, you can make anything explode.
Reply
RE: FanFiction.Net -- Javascript trojan
#4
Quote:Probably the best thing to do is disable javascript for the site.
Which while it turns off much of the annoying stuff that ff.net does with scripting in its story pages (like disabling copy-to-clipboard), forces the text style to centered, which I find to be juvenile sour grapes on their part -- "if you won't let us control your reading experience, we're going to make it as hard as possible for you to enjoy the site".
-- Bob

I have been Roland, Beowulf, Achilles, Gilgamesh, Clark Kent, Mary Sue, DJ Croft, Skysaber.  I have been 
called a hundred names and will be called a thousand more before the sun grows dim and cold....
Reply
RE: FanFiction.Net -- Javascript trojan
#5
Well, if your script-blocker allows you to toggle it on and off easily, then you can just turn it back on when you load a story page.
Sucrose Octanitrate.

Proof positive that with sufficient motivation, you can make anything explode.
Reply
RE: FanFiction.Net -- Javascript trojan
#6
(10-23-2018, 11:04 AM)Bob Schroeck Wrote:
Quote:Probably the best thing to do is disable javascript for the site.
Which while it turns off much of the annoying stuff that ff.net does with scripting in its story pages (like disabling copy-to-clipboard), forces the text style to centered, which I find to be juvenile sour grapes on their part -- "if you won't let us control your reading experience, we're going to make it as hard as possible for you to enjoy the site".

m.fanfiction.net

Your solution to annoying formatting problems. Just swap www to m and back.
Reply
RE: FanFiction.Net -- Javascript trojan
#7
That noise you're hearing is Sofaspud laughing himself sick over this.
Reply
RE: FanFiction.Net -- Javascript trojan
#8
I should note for irony's sake that just a week ago I was having one of my irregular bouts of considering whether it was a good idea to finally get a ff.net account. Every other time I seriously considered this, something happened (ff.net's admins being jerks about something, usually) that convinced me not to do it. The earthshaking synchronicity of yet another good reason not to get an account there appearing within days of the question resurfacing in my mind is not without its amusement value.
-- Bob

I have been Roland, Beowulf, Achilles, Gilgamesh, Clark Kent, Mary Sue, DJ Croft, Skysaber.  I have been 
called a hundred names and will be called a thousand more before the sun grows dim and cold....
Reply
RE: FanFiction.Net -- Javascript trojan
#9
So, has there been any sign that someone's going to get on the stick about this? Because so far I can't find anything.

-Morgan.
Some people have Worm SIs with phenomenal cosmic power.
My Worm SI is Emma and Madison's therapist.
Reply
RE: FanFiction.Net -- Javascript trojan
#10
(10-24-2018, 11:51 AM)Bob Schroeck Wrote: I should note for irony's sake that just a week ago I was having one of my irregular bouts of considering whether it was a good idea to finally get a ff.net account.  Every other time I seriously considered this, something happened (ff.net's admins being jerks about something, usually) that convinced me not to do it.  The earthshaking synchronicity of yet another good reason not to get an account there appearing within days of the question resurfacing in my mind is not without its amusement value.

I don't recall what it was that happened the last time I thought about signing up for FFN, but I recall about two years ago I almost signed up and then something made me stop. That's also been why to the confusion of some of my family who respond with, "But you're a techie, what do you mean you don't have a Facebook account?!", I to this day don't have a Facebook account. Every time I even start to consider it they either have one of their regularly sheduled massive privacy/security breaks or pull a stupid management move.

Does FFN even really have anything going for it beyond sheer size and having snagged an obvious web address? Looking from the outside it seems to me it's basically surviving in much the way FurAffinity does for furry art, "Well yes, our management regularly punches itself in the face, but no one else is even a fifth of our size so where else will you go if you want an audience?" (Which since some use FA as a source of income by using it as a portfolio to attract clients for commissions means giving up the largest online site would hurt...)
Will the transhumanist future have catgirls? Does Japan still exist? Well, there is your answer.
Reply
RE: FanFiction.Net -- Javascript trojan
#11
(10-28-2018, 11:43 PM)LilFluff Wrote: Looking from the outside it seems to me it's basically surviving in much the way FurAffinity does for furry art, "Well yes, our management regularly punches itself in the face, but no one else is even a fifth of our size so where else will you go if you want an audience?"

Which is how AOL has survived for so long.

Less snarkily, nobody remains the biggest forever.
--
Rob Kelk

Sticks and stones can break your bones,
But words can break your heart.
- unknown
Reply
RE: FanFiction.Net -- Javascript trojan
#12
(10-29-2018, 07:27 AM)robkelk Wrote:
(10-28-2018, 11:43 PM)LilFluff Wrote: Looking from the outside it seems to me it's basically surviving in much the way FurAffinity does for furry art, "Well yes, our management regularly punches itself in the face, but no one else is even a fifth of our size so where else will you go if you want an audience?"

Which is how AOL has survived for so long.

Less snarkily, nobody remains the biggest forever.

Yeah, about a third of the new fanfic I read is on AOOO or Twisting the Hellmouth now. A third is Spacebattles/Sufficient Velocity. A third is fanfiction.net.

The latter is shrinking over time.
Reply
RE: FanFiction.Net -- Javascript trojan
#13
FFNet has the advantage of being the only archive for a lot of older fic, and is - or was - good for trawling around and looking for fics (mostly from the favorites pages of trusted writers, I'll admit)...
Sucrose Octanitrate.

Proof positive that with sufficient motivation, you can make anything explode.
Reply
RE: FanFiction.Net -- Javascript trojan
#14
If this is still going on, it's time to write a trojan to expose personal information of people on FF.net. If they can't filter out JS in a week, they deserve some GFDR fines.
"Kitto daijoubu da yo." - Sakura Kinomoto
Reply
RE: FanFiction.Net -- Javascript trojan
#15
According to their Twitter feed (https://twitter.com/FICTIONPRESS):

Oct. 24 - We are currently working to prevent the mix of automated bots and social engineering to exploits a security hole which may allow user to self trigger an account modification without visual consent. We will update frequently as the fix is continuing to be applied.

Oct. 24 - We have plugged the current known attack vector which combined csrf attacks with a html injection bug within the user profile page when access via a web browser. App users are not effected. A security review of the entire system is underway.

Does this mean they've patched the problem?
“I really hope I’m behind this convoluted mess; at least that way I’ll be able to get revenge by doing this to myself. I won’t even have to feel bad because it’ll be all my fault.” - Harry Potter, The Master of Death by Ryuugi.
Reply
RE: FanFiction.Net -- Javascript trojan
#16
Maybe?  I didn't look at it, was it something like an iframe embedded in the page, that used some JS?  If it really was a CSRF bug, I'm not too surprised they missed it, though I have the same level of dismay.  I just had a discussion at work about how this is one of the hardest security issues to understand.  To wit, a couple months back I had to convince Apple that no, there was not a CSRF vector in our application, despite what their security team was saying.
"Kitto daijoubu da yo." - Sakura Kinomoto
Reply


Forum Jump:


Users browsing this thread: 3 Guest(s)