Important security issue on Newgrounds.com

2012-08-06 17:56:00 by xxSHIFTxx

Hey all,

I just wanted to let you know that the passwords on newgrounds.com are not encrypted / hashed and are simply stored in plain text in the database. This is a major security issue, any web developer that attended security 101 will tell you that.

This means that if you used your newgrounds password on other sites, anyone with admin access to newgrounds could log into those accounts. Let's say some guy you don't like does an internship over there and he wants to get your password? He'll most likely be able to get it. Same thing for any hacker that manages to get into Newgrounds' servers - no server is safe from a clever exploit. Once the person has your email+password combo, he could log into your bank account, email, amazon, paypal... anything using the same credentials really.

You can easily check this issue for yourself, simply use the "forgot password" feature and be amazed when you receive your email sent in plain text.

To the NG staff: please fix this issue as soon as possible
To the users: change your password to one you will only use on newgrounds

Thanks


Comments



ffeineandsugar

2012-08-06 18:51:47

Sage advice - I'm often guilty myself, but NOT on newgrounds, and I'm getting a lot better at shifting the really-needs-to-be-locked-down ones down. Eyes open, y'all!


PIED3

2012-08-06 19:12:49

Different passwords on every account is the way to go.

xxSHIFTxx responds:

yep


Blounty

2012-08-06 20:00:29

For some reason, I believe it is more complicated than you are thinking it to be.

xxSHIFTxx responds:

No. No it's not.
Anyone at newgrounds has your password and that's it


FatBadger

2012-08-06 22:52:02

sounds like someone wants to get raped again


JoSilver

2012-08-06 23:10:14

Oh, sure, because the best thing to do would be to outright make such an issue public so anyone who is willing and able to exploit it would be fully aware of it, rather than sending a private e-mail to the staff regarding your concerns. GREAT JOB! You sir deserve a cookie.

xxSHIFTxx responds (updated):

It's security 101. Anyone that ever did some web development knows the issue.
From experience I know that people hosting the site don't do anything because they underestimate the issue. I'd rather warn the users. Anyone with the ability to hack the ng site will already know what I said here.

Also, I don't see any way to contact NG eng dep


Yusuf

2012-08-06 23:25:50

JoSilver is right. You should probably delete this post or at the very least edit the information out of there.

xxSHIFTxx responds:

A quick google search tells you all you need to know about this issue. I'm not revealing any exploit, just pointing out a huge flaw


324108430

2012-08-07 01:04:02

I know what you say is true about the hacks and stuff, but who would really want to hack Newgrounds and be an admin. Also how would the hacker know that you use this password on other sites? They don't, and I am pretty sure hackers have better things to do than to hack a game website.

xxSHIFTxx responds:

It's easy, the hacker would just try the credentials against a huge list of websites and see which ones work.

Hackers will find the easiest hackable sites to get credentials and then use these credentials on very hard to crack websites.


ChronoNomad

2012-08-07 02:55:40

So you took the time to write up a "How To" manual for would-be hackers? You might want to seriously reconsider your options here.

xxSHIFTxx responds:

Like I said, it's security 101. Any web developer knows that.


Gameboy12

2012-08-07 09:38:19

What can we do?


I-smel

2012-08-07 10:51:32

Oh my god, the comments to this are bloody stupid. Guys: He's literally just telling you all to change your password because the encryption here isn't secure (in that there isn't any).

Even if you think he's wrong for some reason: Using a different password on Newgrounds than you do for your Paypal account is a smart and helpful thing to do anyway. I asked a guy to help me with just having a username and password server for a game last year, and password encryption was A HUGE FUCKING DEAL. He literally showed me how to go to a web page and view a giant list of every user's name and password.
Encryption scrambles all that data so that once you find it you can't read it, and big responsible sites like Amazon and Ebay have really thorough gates that obliterate your password soon as you press Enter.

If Newgrounds isn't doing that, then that means the keys to every other site you use are sitting on a web page somewhere that some 4channer idiot can pick up. Is your phone number on Facebook? Is your address on Ebay? Is your debit card on Paypal? No shit, it's 2012.
So just change yr fuckin password, Firefox'll remember it for you anyway.


Tarienn

2012-08-07 13:36:51

Some people don't begin to understand the gravity of this problem, so they attempt to tell you that you're wrong. That's the internet for you.

Fixing this problem (at least making it less of a gaping security flaw) is to use basic encryption. I believe Newgrounds was built with PHP, and PHP has a built-in function called md5() (among others), which will return a HASHED password for storage in a database. When the user logs in again, the password he types in is hashed and compared against the hash stored in the database. If the password is correct, the hash codes should match.

Everyone: He knows this is happening because the "forgot your password" system should not be able to give you your password. The database should have a HASH of your password; its only use is to verify future password inputs, and it cannot easily be read. To edit your password, the hash is simply replaced.
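The store-a-hash, verify-on-login, replace-on-reset flow Tarienn describes, as an added example that is not code from the post or from Newgrounds. It uses a per-user random salt and PBKDF2-SHA256 (a deliberately slow hash) in place of the bare md5() the comment names, so two users with the same password get different stored values; the in-memory user table and the `register` / `verify_login` / `reset_password` names are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed in-memory "user table": username -> {"salt": bytes, "hash": bytes}.
# The plaintext password is never written here, so a "forgot password" feature
# has nothing to mail back; it can only replace the hash.
USERS = {}

PBKDF2_ROUNDS = 200_000  # slow on purpose: each guess costs the attacker this much work


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte salt per user defeats shared rainbow tables."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def register(username: str, password: str) -> None:
    """Store only the salt and the derived hash for a new account."""
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest}


def verify_login(username: str, password: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    record = USERS.get(username)
    if record is None:
        return False
    _, candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def reset_password(username: str, new_password: str) -> bool:
    """'Forgot password' path: the old hash is replaced, never recovered."""
    if username not in USERS:
        return False
    USERS[username]["salt"], USERS[username]["hash"] = hash_password(new_password)
    return True


if __name__ == "__main__":
    register("alice", "correct horse battery")
    print("login ok:", verify_login("alice", "correct horse battery"))   # True
    print("wrong pw:", verify_login("alice", "hunter2"))                 # False
    reset_password("alice", "new passphrase")
    print("old pw after reset:", verify_login("alice", "correct horse battery"))  # False
```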


Celx-Requin

2012-08-07 14:39:44

I never use the same password for anything, but it's good to know regardless.
Well done sir!


Sheizenhammer

2012-08-07 17:00:20

Yeah, this is not news. Using the same password for every site you register on is, and always has been, a stupid idea.


I-smel

2012-08-07 21:23:56

I've been expecting one of the staff to come in and say "Don't be crazy, Newgrounds is a huge site that's been around for years, of course it's all secure" - BUT this post has been up for a whole day now... so uh-oh