Drunkard's Walk Forums

Full Version: FanFiction.Net -- Javascript trojan
https://www.reddit.com/r/FanFiction/comm...es_on_ffn/


TL;DR: Javascript trojan is infecting Fanfiction.net user profiles. Do not open any author's page until you've checked them with a javascript-disabled browser. It tries to use your login to hijack your own author profile bio and pen name.

So far it does not appear to be doing anything to PCs accessing the infected pages beyond this. So far.
Is it safe to use the Pit of Voles if you don't have a user profile there?
(10-22-2018, 03:44 PM)Mamorien Wrote: Is it safe to use the Pit of Voles if you don't have a user profile there?

So far as is currently known, all it tries to do is whock your user profile. That does not say that the same trick can't be exploited to try other things.

If you're going straight to a story page, you're fine.

If you're not logged in, you're fine. So far as is known.

Probably the best thing to do is disable javascript for the site.
Quote:Probably the best thing to do is disable javascript for the site.
Which while it turns off much of the annoying stuff that ff.net does with scripting in its story pages (like disabling copy-to-clipboard), forces the text style to centered, which I find to be juvenile sour grapes on their part -- "if you won't let us control your reading experience, we're going to make it as hard as possible for you to enjoy the site".
Well, if your script-blocker allows you to toggle it on and off easily, then you can just turn it back on when you load a story page.
(10-23-2018, 11:04 AM)Bob Schroeck Wrote:
Quote:Probably the best thing to do is disable javascript for the site.
Which while it turns off much of the annoying stuff that ff.net does with scripting in its story pages (like disabling copy-to-clipboard), forces the text style to centered, which I find to be juvenile sour grapes on their part -- "if you won't let us control your reading experience, we're going to make it as hard as possible for you to enjoy the site".

m.fanfiction.net

Your solution to annoying formatting problems. Just swap www to m and back.
That noise you're hearing is Sofaspud laughing himself sick over this.
I should note for irony's sake that just a week ago I was having one of my irregular bouts of considering whether it was a good idea to finally get a ff.net account. Every other time I seriously considered this, something happened (ff.net's admins being jerks about something, usually) that convinced me not to do it. The earthshaking synchronicity of yet another good reason not to get an account there appearing within days of the question resurfacing in my mind is not without its amusement value.
So, has there been any sign that someone's going to get on the stick about this? Because so far I can't find anything.

-Morgan.
(10-24-2018, 11:51 AM)Bob Schroeck Wrote: I should note for irony's sake that just a week ago I was having one of my irregular bouts of considering whether it was a good idea to finally get a ff.net account. Every other time I seriously considered this, something happened (ff.net's admins being jerks about something, usually) that convinced me not to do it. The earthshaking synchronicity of yet another good reason not to get an account there appearing within days of the question resurfacing in my mind is not without its amusement value.

I don't recall what it was that happened the last time I thought about signing up for FFN, but I recall about two years ago I almost signed up and then something made me stop. That's also been why, to the confusion of some of my family who respond with, "But you're a techie, what do you mean you don't have a Facebook account?!", I to this day don't have a Facebook account. Every time I even start to consider it they either have one of their regularly scheduled massive privacy/security breaks or pull a stupid management move.

Does FFN even really have anything going for it beyond sheer size and having snagged an obvious web address? Looking from the outside it seems to me it's basically surviving in much the way FurAffinity does for furry art, "Well yes, our management regularly punches itself in the face, but no one else is even a fifth of our size so where else will you go if you want an audience?" (Which since some use FA as a source of income by using it as a portfolio to attract clients for commissions means giving up the largest online site would hurt...)
(10-28-2018, 11:43 PM)LilFluff Wrote: Looking from the outside it seems to me it's basically surviving in much the way FurAffinity does for furry art, "Well yes, our management regularly punches itself in the face, but no one else is even a fifth of our size so where else will you go if you want an audience?"

Which is how AOL has survived for so long.

Less snarkily, nobody remains the biggest forever.
(10-29-2018, 07:27 AM)robkelk Wrote:
(10-28-2018, 11:43 PM)LilFluff Wrote: Looking from the outside it seems to me it's basically surviving in much the way FurAffinity does for furry art, "Well yes, our management regularly punches itself in the face, but no one else is even a fifth of our size so where else will you go if you want an audience?"

Which is how AOL has survived for so long.

Less snarkily, nobody remains the biggest forever.

Yeah, about a third of the new fanfic I read is on AOOO or Twisting the Hellmouth now. A third is Spacebattles/Sufficient Velocity. A third is fanfiction.net.

The latter is shrinking over time.
FFNet has the advantage of being the only archive for a lot of older fic, and is - or was - good for trawling around and looking for fics (mostly from the favorites pages of trusted writers, I'll admit)...
If this is still going on, it's time to write a trojan to expose personal information of people on FF.net. If they can't filter out JS in a week, they deserve some GDPR fines.
According to their Twitter feed (https://twitter.com/FICTIONPRESS):

Oct. 24 - We are currently working to prevent the mix of automated bots and social engineering to exploit a security hole which may allow a user to self-trigger an account modification without visual consent. We will update frequently as the fix is continuing to be applied.

Oct. 24 - We have plugged the current known attack vector which combined CSRF attacks with an HTML injection bug within the user profile page when accessed via a web browser. App users are not affected. A security review of the entire system is underway.

Does this mean they've patched the problem?
Maybe? I didn't look at it, was it something like an iframe embedded in the page, that used some JS? If it really was a CSRF bug, I'm not too surprised they missed it, though I have the same level of dismay. I just had a discussion at work about how this is one of the hardest security issues to understand. To wit, a couple months back I had to convince Apple that no, there was not a CSRF vector in our application, despite what their security team was saying.