We do often include affiliate links to earn us some pennies. See more here.

A note about security after a possible security issue was discovered

By - | Views: 17,492
Note: Any new updates will be added to the bottom of the article.

Tonight my family time was interrupted by notifications that a possible security issue had been discovered in our code. This is a full disclosure to let you know what happened.

A user in our IRC made an issue with our article tag searching system public without informing us in private first leading me to jump to the computer to fix it.

I fixed it within ~20 minutes of being personally told about it and it's extremely doubtful it will cause any actual issues.

In future I would appreciate being told in private about any possible security issues. It's standard procedure to notify people in private to give them time to fix it. Putting it out in public right away, to be blunt, is a completely irresponsible thing to do. Luckily, we aren't a bank or anything that stores any sensitive information.

For the record: We do use strong encryption on passwords and salts, so there shouldn't be any need to worry about that! With that said, please remember never to share passwords across any website, ever. I'm sure I don't need to tell you that anyway, but it's always good to have a reminder on it.

Essentially, they were able to see some random session information. We do not store anything sensitive in sessions. We do not store your password, email or anything like that in sessions.

We have a good track record when it comes to security issues. In our entire history a total of 4 have ever been found. All of which were fixed within an hour of being notified, this was a special case as we were not told about it privately.

If people do discover security issues and notify me in private allowing me a decent amount of time to fix it, then there may possibly be rewards for those who discover them.

Moving forward, I will be double checking all possible user input for similar issues. So far, I haven't found any other issues. Rest assured, it will be learnt from and hopefully this will not happen again. If it does, you can be sure I will always notify you and always look to fix it ASAP.

All fun and games eh?

Thank you for your support!

Update: Please see this comment about additional security measures I have now implemented. Article taken from GamingOnLinux.com.
Tags: Site Info
15 Likes
About the author -
author picture
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly came back to check on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly. Find me on Mastodon.
See more from me
The comments on this article are closed.
25 comments
Page: «2/3»
  Go to:

MayeulC Jan 25, 2017
liam, I just had an issue with the notification system. When I click on the notifications shortcut, I got:

QuoteSystem Message
Not a valid module name!

This seems to be solved now. Maybe it was down due to some update?
Liam Dawe Jan 25, 2017
Yeah sorry, minor update you must have loaded in-between.
lagh Jan 25, 2017
Thank you for your quick response and, of course, your openness about this issue
towards your users. That alone makes me feel comfortably safe.
Keep up the good work!

Regards

lagh
Guest Jan 25, 2017
Posting a vulnerability publicly, aah What a douchey thing to do. Thanks for being open and
(sometimes brutally) honest.


Last edited by on 25 January 2017 at 11:18 pm UTC
logge Jan 26, 2017
Thank you for the full disclosure.
PlutonMaster Jan 26, 2017
Good to know. Also I've changed my password.
buenaventura Jan 26, 2017
Great work Liam! It must be quite stressful to run a site like this - after all, you have a lot of people counting on you to keep the security tight.
Eike Jan 26, 2017
View PC info
  • Supporter Plus
While disclosing security concerns publicly without having communicated privatly before is obviously not the optimal thing to do, it's still probable that the guy on IRC made the website more safe, not more unsafe.
Eike Jan 26, 2017
View PC info
  • Supporter Plus
Quoting: Guest
Quoting: EikeWhile disclosing security concerns publicly without having communicated privatly before is obviously not the optimal thing to do, it's still probable that the guy on IRC made the website more safe, not more unsafe.
I’ll go light a fire in your wood house so then you’ll thank me for having shown you that is was not safe, eh?

This analogy totally makes sense...
... if you show me without destroying anything (probably) and I can fix it withing half an hour.
Liam Dawe Jan 26, 2017
Quoting: Guest
Quoting: EikeWhile disclosing security concerns publicly without having communicated privatly before is obviously not the optimal thing to do, it's still probable that the guy on IRC made the website more safe, not more unsafe.
I’ll go light a fire in your wood house so then you’ll thank me for having shown you that is was not safe, eh?
It's more like giving a lit match to someone next to petrol :P
While you're here, please consider supporting GamingOnLinux on:

Reward Tiers: Patreon. Plain Donations: PayPal.

This ensures all of our main content remains totally free for everyone! Patreon supporters can also remove all adverts and sponsors! Supporting us helps bring good, fresh content. Without your continued support, we simply could not continue!

You can find even more ways to support us on this dedicated page any time. If you already are, thank you!
The comments on this article are closed.