
DATA BREACH

Migrated topic.

The Traveler

Dear members,

On July 18th I was informed by member 0gTryptamine about a vulnerability on the forum.

Via the [Members] section it was possible to enter SQL-injection text. Simply stated, SQL injection can be used to enter a malicious query into the database that can alter or retrieve data.


WHAT PERSONAL DATA WAS AVAILABLE?

Personal data that could be retrieved is the following:
* Email-address
* Password


This data was stored in the database with the following methods:

* Email-address:
AES256 encryption where the encryption takes place outside the DMT-nexus, so no encryption key is stored in our database.
* Password:
Hashing through scrypt followed by AES256 encryption where the encryption takes place outside the DMT-nexus, so no encryption key is stored in our database.


RESOLVED

After being informed about this vulnerability, it was resolved on the same day.


WAS THIS VULNERABILITY ACTIVELY USED?

At this moment it is not clear if anyone actively used this vulnerability.


WHAT TO DO NOW?

For now it is best to change your password. Please use a strong password that you do not use anywhere else.


MORE INFORMATION

If you need more information you can reach me via this topic, send me a PM on the forum or send an email to info@dmt-nexus.me


Kind regards,

The Traveler
 
Homo Trypens said:
Do i understand correctly that unless they also had access to the AES256 encryption key, an attacker could not get the email address in readable form?
The amount of possible keys to test is 2^256.

With current and near future technology (including quantum computers) this is near impossible to perform in any reasonable time.


Kind regards,

The Traveler
 
I'd think most of these sorts of queries are scrubbed from the various inputs/fields [sql, xss, etc]. Though most of that means little, trav having the backend covered as he does:

The Traveler said:
The amount of possible keys to test is 2^256.
 
tatt said:
I'd think most of these sorts of queries are scrubbed from the various inputs/fields [sql, xss, etc]. Though none of this really means too much of anything at the end of the day:

The Traveler said:
The amount of possible keys to test is 2^256.
Security is all about layers of protection. The idea is that if one layer is breached, other layers will still stop the spreading of personal information.

As such, having your sensitive data encrypted is an important layer. Having good input sanitation is another one, as are strongly typed parameters in queries.

In this case, two protection layers were not correctly implemented with that input field (input sanitation and strongly typed parameters were not implemented); thankfully we have that encryption layer in place.

Another interesting thing is that the encryption/decryption of the data is not done on the DMT-Nexus site itself, and as such the DMT-Nexus does not know the encryption key at all; it is available neither in the site code nor in the database. That is another example of layered protection.


Kind regards,

The Traveler
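
The two layers named in the post above (input validation and typed, bound query parameters), shown beside a string-built query. This is an added example, not the forum's code: the `members` table, its columns, the function names, the sample rows and the test input are all constructed for illustration, using Python's `sqlite3`.

```python
import re
import sqlite3

INJECTED = "x' OR 1=1 --"  # constructed test input for the demo

def make_db():
    """In-memory stand-in for a member directory (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, hidden INTEGER)")
    db.executemany("INSERT INTO members (name, hidden) VALUES (?, ?)",
                   [("alice", 0), ("bob", 0), ("carol", 1)])
    return db

def search_vulnerable(db, term):
    # Before: user text is spliced into the SQL string, so a quote in
    # `term` ends the literal and the rest is parsed as SQL.
    sql = "SELECT name FROM members WHERE hidden = 0 AND name LIKE '" + term + "%'"
    return sorted(row[0] for row in db.execute(sql))

# Layer 1: allow-list of what a member-name search may contain.
NAME_RE = re.compile(r"[A-Za-z0-9 -]{1,32}")

def search_hardened(db, term, validate=True):
    if validate and (not isinstance(term, str) or not NAME_RE.fullmatch(term)):
        raise ValueError("invalid search term")
    # Layer 2: the value is bound as a parameter; the driver passes it as
    # data, so it can never change the shape of the statement.
    sql = "SELECT name FROM members WHERE hidden = 0 AND name LIKE ? || '%' ORDER BY name"
    return [row[0] for row in db.execute(sql, (term,))]

if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, "al"))      # normal search
    print(search_vulnerable(db, INJECTED))  # filter bypassed, hidden row returned
    print(search_hardened(db, "al"))
    print(search_hardened(db, INJECTED, validate=False))  # binding alone: no match
    try:
        search_hardened(db, INJECTED)
    except ValueError as exc:
        print("rejected:", exc)
```

With `validate=False` the bound parameter alone already neutralises the input, which is why the two layers are independent: either one failing still leaves the other in place.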
 
Well said Trav :thumb_up:
 
thank you traveler and 0gTryptamine for informing us :love:

this should not be a problem if people are smart about their sign up method. use burner emails and no reusing passwords. if you stick to those rules you can hand out your email and password openly and it does not really matter, worst case is you have to set up another nexus account.

sounds to me like it is an extremely low risk vulnerability anyway, but a risk nonetheless, so thank you for pointing it out 0gTryptamine.
 
Thanks for the info, I've updated mine as well.
 