Diaries
Everything
Who's Online?
FAQ / Help

Print Story Hi peeps
Scoop
By hulver (Thu Jun 15, 2006 at 05:54:33 AM EST) scoop, javascript, security, exploit, hole big enough to fit an ocean liner through (all tags)
I've had to turn off the ability to edit your own story for a while.

Update [2006-6-15 8:47:32 by hulver]: Important information about passwords inside.


I should have posted this to the scoop-dev mailing list first really, but I've been sat on this for a while.

After k5 got hacked I don't want to take any chance. Hopefully I'll get this fixed tonight and turn the settings back on.

Passwords

The scoop method of storing passwords is horribly weak. It's entirely possible to brute force every password < 6 characters within a couple of days. You could search the entire 8 character (yes, it only stores 8 characters of your password) password space in a couple of months. Less on a faster computer. A dictionary search could be done in a couple of hours.
So, if you use the same password for k5 anywhere else, I suggest you change it. I don't know if whoever hacked k5 took a dump of the user database, but seeing as they had access to it to at least run "UPDATE USERS SET perm_group = 'Superuser'" it's a possibility.

Full discussion: http://www.hulver.com/scoop/story/2006/6/15/55433/0518

Powered by Scoop   
 
All trademarks and copyrights on this page are owned by their respective companies. Comments and Stories are owned by the Poster and Licensed to "Hulver's site". See our Copyright page for more information.
faq | help | accounts