Forum Incident of Sep 18 in General Discussion
Camcorder

    Hi everyone,

    Earlier today someone created a forum topic containing malicious code. They used an exploit in the BBCode library we were using to provide things like image-embedding on the forums, embedding JavaScript that took action on the part of the user by creating a swarm of forum threads. We take things like this very seriously and I wanted to take a moment to explain some of the details behind the attack and how we've responded so far:

    - The original posts containing the exploit were made about 6 hours ago. It took us a bit too long to notice the issue. We're primarily based in the US and the post was created in off-hours. We're working to address this through adding moderators to the forums to make sure things run smoothly at all times of day.

    - BBCode has been temporarily disabled to prevent the issue from happening again. We plan to work up a bug fix, including very specific tests to make sure that this kind of thing can't sneak through again, and enable it once we're confident in the fix.

    To put your mind at ease, we've also taken extra precautions to make sure your account is secure:

    - There's a chance that the user may have tried to extract cookies from users who "triggered" the exploit. Out of an abundance of caution, we've invalidated user sessions for anyone who might have visited Dotabuff during the period where the exploit was active. If there's even the slightest chance that your session information may have leaked, you'll have automatically been signed out and will need to sign in again.

    - We've audited user logs and have not found any instance where the attacker gained escalated privileges.

    - We have no reason to believe that any of your personal information (such as Steam account details, name, credit card, etc.) was available. In fact, we don't store this information for exactly this reason: we don't need or want it, and we don't want to expose anyone to unnecessary risk.

    I'm happy to answer any questions you may have.
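    The kind of BBCode image-embedding weakness the post describes, shown here as an added illustration rather than Dotabuff's code (the library and its exact bug are not on the page): a naive renderer that splices the `[img]` body straight into an attribute, beside a hardened renderer that escapes everything and only rebuilds `<img>` from a validated URL. Both sample posts are constructed.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample posts (not from the incident). The second one shows how
# a naive renderer lets a tag body break out of the src attribute.
SAFE_POST = '[img]https://example.com/pic.png[/img]'
HOSTILE_POST = '[img]x" onerror="evil()[/img]'
RELATIVE_POST = '[img]/local.png[/img]'

IMG_TAG = re.compile(r'\[img\](.*?)\[/img\]', re.IGNORECASE | re.DOTALL)


def render_naive(text: str) -> str:
    """Vulnerable: the tag body is pasted into the attribute unescaped."""
    return IMG_TAG.sub(lambda m: f'<img src="{m.group(1)}">', text)


def safe_image_url(url: str) -> bool:
    """Accept only absolute http(s) URLs with a host; drop everything else."""
    parts = urlsplit(url.strip())
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def render_hardened(text: str) -> str:
    """Escape all user text, then emit <img> only for a validated URL."""
    pieces = []
    pos = 0
    for m in IMG_TAG.finditer(text):
        pieces.append(html.escape(text[pos:m.start()]))
        url = m.group(1)
        if safe_image_url(url):
            # quote=True turns " into &quot; so the attribute cannot be closed early
            pieces.append(f'<img src="{html.escape(url, quote=True)}">')
        else:
            # Rejected tag is rendered as inert text, never as markup
            pieces.append(html.escape(m.group(0)))
        pos = m.end()
    pieces.append(html.escape(text[pos:]))
    return "".join(pieces)


if __name__ == "__main__":
    for post in (SAFE_POST, HOSTILE_POST, RELATIVE_POST):
        print("naive    :", render_naive(post))
        print("hardened :", render_hardened(post))
```

The hardened version is the shape of the "very specific tests" the post mentions: feed it each sample post and assert that the only markup in the output is an `<img>` whose `src` is the validated URL.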

    Trodlabundin

      Thanks for responding. Hope my information is secure as you state. Can you please.. Just please do me a little favor.. Post a pic of yourself!

      This comment was edited
      Camcorder

        I would but the BBCode is broken so no images. Best I can do is an emoji:

        :techies:

        This comment was edited
        Riguma Borusu
          This comment was deleted
          Trodlabundin

            thanks guys I finally got offfff..... Ma boys <3

            Socram

              People who took my advice and deactivated JavaScript in their browser for Dotabuff or even all sites can now reactivate it.
              DB actually uses harmless JavaScript for calculating times like "5 minutes ago" and potentially more functions of the site.

              King of Low Prio

                Free dotabuff plus would help me sleep better at night knowing that all my valuables were compromised :)

                waku waku

                  Free dotabuff plus would help me sleep better at night knowing that all my valuables were compromised :)

                  This comment was edited
                  Rocket

                    nice of you to post. cheers

                    Yoshi

                      Thanks for the info Jason, appreciate the post.
                      Keep up the good work

                      EDIT:
                      Had no idea you play wow :)

                      This comment was edited
                      Trodlabundin

                        Trodlabundin

                          G_g

                          King of Low Prio

                            WoW became pure autism after BC after they started locking my accounts for using bot leveling.

                            This comment was edited
                            lm ao

                              Jason O.O

                              Miku Plays

                                techies

                                Giff me Wingman

                                  Well, do you have an estimate when the BB code will return? ;_;

                                  Mokujin
                                    This comment was edited
                                    the realm's delight

                                      ༼ つ ◕_◕ ༽つ Give bbcode ༼ つ ◕_◕ ༽つ

                                      lm ao

                                        ༼ つ ◕_◕ ༽つ Give Dotabuff Plus ༼ つ ◕_◕ ༽つ

                                        BenaoLifedancer

                                          ༼ つ ◕_◕ ༽つ Give Dotabuff Plus ༼ つ ◕_◕ ༽つ

                                          ps. no wonder i found it strange i was logged out...any known (somewhat) user that posted the malicious content?

                                          Mandalorian

                                            ༼ つ ◕_◕ ༽つ Give Dotabuff Plus ༼ つ ◕_◕ ༽つ

                                            King of Low Prio

                                              I don't wanna cause any panic but I am pretty sure we all got hacked due to Dotabuff's lack of due diligence

                                              only rational compensation is

                                              ༼ つ ◕_◕ ༽つ Give Dotabuff Plus ༼ つ ◕_◕ ༽つ

                                              BenaoLifedancer

                                                ^

                                                and a video of @jason pwning @lawliepop for fucking around with the forums last time and banning multiple people (3x times me)

                                                This comment was edited
                                                BenaoLifedancer

                                                  1v1 mid unvouch for a month^