FanFiction.Net -- Javascript trojan - Printable Version

Drunkard's Walk Forums (http://www.accessdenied-rms.net/forums), General Chatter. Thread: FanFiction.Net -- Javascript trojan (/showthread.php?tid=13125)
FanFiction.Net -- Javascript trojan - ECSNorway - 10-22-2018

https://www.reddit.com/r/FanFiction/comments/9q5gob/alert_do_not_check_any_user_profiles_on_ffn/

TL;DR: Javascript trojan is infecting Fanfiction.net user profiles. Do not open any author's page until you've checked them with a javascript-disabled browser.

It tries to use your login to hijack your own author profile bio and pen name. So far it does not appear to be doing anything to PCs accessing the infected pages beyond this. So far.

RE: FanFiction.Net -- Javascript trojan - Mamorien - 10-22-2018

Is it safe to use the Pit of Voles if you don't have a user profile there?

RE: FanFiction.Net -- Javascript trojan - ECSNorway - 10-23-2018

(10-22-2018, 03:44 PM)Mamorien Wrote:
> Is it safe to use the Pit of Voles if you don't have a user profile there?

So far as is currently known, all it tries to do is whock your user profile. That does not say that the same trick can't be exploited to try other things.

If you're going straight to a story page, you're fine. If you're not logged in, you're fine. So far as is known.

Probably the best thing to do is disable javascript for the site.

RE: FanFiction.Net -- Javascript trojan - Bob Schroeck - 10-23-2018

Quote:
> Probably the best thing to do is disable javascript for the site.

Which while it turns off much of the annoying stuff that ff.net does with scripting in its story pages (like disabling copy-to-clipboard), forces the text style to centered, which I find to be juvenile sour grapes on their part -- "if you won't let us control your reading experience, we're going to make it as hard as possible for you to enjoy the site".

RE: FanFiction.Net -- Javascript trojan - ECSNorway - 10-23-2018

Well, if your script-blocker allows you to toggle it on and off easily, then you can just turn it back on when you load a story page.
RE: FanFiction.Net -- Javascript trojan - Epsilon - 10-23-2018

(10-23-2018, 11:04 AM)Bob Schroeck Wrote:
> Quote:
> > Probably the best thing to do is disable javascript for the site.
>
> Which while it turns off much of the annoying stuff that ff.net does with scripting in its story pages (like disabling copy-to-clipboard), forces the text style to centered, which I find to be juvenile sour grapes on their part -- "if you won't let us control your reading experience, we're going to make it as hard as possible for you to enjoy the site".

m.fanfiction.net

Your solution to annoying formatting problems. Just swap www to m and back.

RE: FanFiction.Net -- Javascript trojan - Matrix Dragon - 10-24-2018

That noise you're hearing is Sofaspud laughing himself sick over this.

RE: FanFiction.Net -- Javascript trojan - Bob Schroeck - 10-24-2018

I should note for irony's sake that just a week ago I was having one of my irregular bouts of considering whether it was a good idea to finally get a ff.net account. Every other time I seriously considered this, something happened (ff.net's admins being jerks about something, usually) that convinced me not to do it.

The earthshaking synchronicity of yet another good reason not to get an account there appearing within days of the question resurfacing in my mind is not without its amusement value.

RE: FanFiction.Net -- Javascript trojan - Morganite - 10-28-2018

So, has there been any sign that someone's going to get on the stick about this? Because so far I can't find anything.

-Morgan.

RE: FanFiction.Net -- Javascript trojan - LilFluff - 10-28-2018

(10-24-2018, 11:51 AM)Bob Schroeck Wrote:
> I should note for irony's sake that just a week ago I was having one of my irregular bouts of considering whether it was a good idea to finally get a ff.net account. Every other time I seriously considered this, something happened (ff.net's admins being jerks about something, usually) that convinced me not to do it.
>
> The earthshaking synchronicity of yet another good reason not to get an account there appearing within days of the question resurfacing in my mind is not without its amusement value.

I don't recall what it was that happened the last time I thought about signing up for FFN, but I recall about two years ago I almost signed up and then something made me stop.

That's also been why to the confusion of some of my family who respond with, "But you're a techie, what do you mean you don't have a Facebook account?!", I to this day don't have a Facebook account. Every time I even start to consider it they either have one of their regularly scheduled massive privacy/security breaks or pull a stupid management move.

Does FFN even really have anything going for it beyond sheer size and having snagged an obvious web address? Looking from the outside it seems to me it's basically surviving in much the way FurAffinity does for furry art, "Well yes, our management regularly punches itself in the face, but no one else is even a fifth of our size so where else will you go if you want an audience?" (Which since some use FA as a source of income by using it as a portfolio to attract clients for commissions means giving up the largest online site would hurt...)

RE: FanFiction.Net -- Javascript trojan - robkelk - 10-29-2018

(10-28-2018, 11:43 PM)LilFluff Wrote:
> Looking from the outside it seems to me it's basically surviving in much the way FurAffinity does for furry art, "Well yes, our management regularly punches itself in the face, but no one else is even a fifth of our size so where else will you go if you want an audience?"

Which is how AOL has survived for so long.

Less snarkily, nobody remains the biggest forever.
RE: FanFiction.Net -- Javascript trojan - Epsilon - 10-30-2018

(10-29-2018, 07:27 AM)robkelk Wrote:
> (10-28-2018, 11:43 PM)LilFluff Wrote:
> > Looking from the outside it seems to me it's basically surviving in much the way FurAffinity does for furry art, "Well yes, our management regularly punches itself in the face, but no one else is even a fifth of our size so where else will you go if you want an audience?"

Yeah, about a third of the new fanfic I read is on AOOO or Twisting the Hellmouth now. A third is Spacebattles/Sufficient Velocity. A third is fanfiction.net. The latter is shrinking over time.

RE: FanFiction.Net -- Javascript trojan - ECSNorway - 10-30-2018

FFNet has the advantage of being the only archive for a lot of older fic, and is - or was - good for trawling around and looking for fics (mostly from the favorites pages of trusted writers, I'll admit)...

RE: FanFiction.Net -- Javascript trojan - Labster - 10-30-2018

If this is still going on, it's time to write a trojan to expose personal information of people on FF.net. If they can't filter out JS in a week, they deserve some GFDR fines.

RE: FanFiction.Net -- Javascript trojan - Shepherd - 10-30-2018

According to their Twitter feed (https://twitter.com/FICTIONPRESS):

Oct. 24 - We are currently working to prevent the mix of automated bots and social engineering to exploits a security hole which may allow user to self trigger an account modification without visual consent. We will update frequently as the fix is continuing to be applied.

Oct. 24 - We have plugged the current known attack vector which combined csrf attacks with a html injection bug within the user profile page when access via a web browser. App users are not effected. A security review of the entire system is underway.

Does this mean they've patched the problem?

RE: FanFiction.Net -- Javascript trojan - Labster - 10-31-2018

Maybe? I didn't look at it, was it something like an iframe embedded in the page, that used some JS?

If it really was a CSRF bug, I'm not too surprised they missed it, though I have the same level of dismay. I just had a discussion at work about how this is one of the hardest security issues to understand. To wit, a couple months back I had to convince Apple that no, there was not a CSRF vector in our application, despite what their security team was saying.
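
Added example, not part of the thread and not FanFiction.Net's code: the two server-side controls that correspond to the quoted statement about CSRF combined with an HTML injection bug in the profile page, shown on a profile with a pen name and bio. The handler, field names (`csrf_token`, `pen_name`, `bio`), session shape and sample data are all hypothetical.

```javascript
// Added example; route, field and session names are hypothetical.
const nodeCrypto = require('node:crypto');

// Control 1: output encoding. Profile fields are emitted as text, so any
// markup a user stored in a bio or pen name is displayed, not interpreted.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}
function renderProfile(p) {
  return `<h1>${escapeHtml(p.penName)}</h1><div class="bio">${escapeHtml(p.bio)}</div>`;
}

// Control 2: synchronizer token. A random per-session value that must come
// back in the request body; a form on another origin cannot read it.
function newSession(user) {
  return { user, csrfToken: nodeCrypto.randomBytes(32).toString('hex') };
}
function tokenMatches(session, submitted) {
  const expected = Buffer.from(session.csrfToken);
  const got = Buffer.from(String(submitted ?? ''));
  return expected.length === got.length && nodeCrypto.timingSafeEqual(expected, got);
}

// Profile changes are accepted only as POST, from a session, with the token.
function handleProfileUpdate(req, session, store) {
  if (req.method !== 'POST') return { status: 405 };
  if (!session) return { status: 401 };
  if (!tokenMatches(session, req.body.csrf_token)) return { status: 403 };
  store[session.user] = { penName: req.body.pen_name, bio: req.body.bio };
  return { status: 200 };
}

// Constructed sample data: one account, one cross-site request that carries
// the session but no token, and one request from the site's own edit form.
function demo() {
  const store = { alice: { penName: 'Alice', bio: 'I write fic.' } };
  const session = newSession('alice');
  const crossSite = { method: 'POST', body: { pen_name: 'changed', bio: 'changed' } };
  const ownForm = { method: 'POST',
    body: { csrf_token: session.csrfToken, pen_name: 'Alice', bio: '<b>hi</b> & bye' } };
  const crossSiteStatus = handleProfileUpdate(crossSite, session, store).status;
  const penNameAfter = store.alice.penName;
  const ownFormStatus = handleProfileUpdate(ownForm, session, store).status;
  return { crossSiteStatus, penNameAfter, ownFormStatus, html: renderProfile(store.alice) };
}

console.log(demo());
```

The token check only stops requests that originate on another site; script that is injected into a profile page runs in the site's own origin and can read the token, which is why the output encoding has to be in place as well.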