Creative Commons license icon

FA user suspended over alleged 'password harvesting'

No votes yet

Fur Affinity user Xaevo was suspended from the main site and banned from #furaffinity after being accused of password harvesting and insulting Summercat, a support administrator.

Xaevo posted a link in the chatroom to a site that he claimed would allow people to see their FA stats regardless of who they were logged in as. Summercat criticised the site asking for users' FA passwords and requested that the site be taken down as it was phishing.

[14:18:14] <Summercat> Xaevo, please take it down.
[14:18:23] <Xaevo> no, i see no reason to take it down

Xaevo continued to protest the accusations of phishing, saying that phishing only applied when you were masquerading as a trustworthy entity. He maintained that his source code was public and did not save any passwords. When Summercat called it password harvesting, Xaevo called him a 'noob', and was banned from the chat room and suspended from the main site.

Update: 45 minutes later, Xaevo's suspension was lifted.

[14:20:41] <Summercat> Now, I'll ask again: Take that down or keep it as a private tool for your own use.
[14:20:55] <Xaevo> i won't take it down.
[14:21:52] <Xaevo> you guys are all fucking morons, you don't know SHIT about what phising is :/
[14:22:15] <Xaevo>
[14:22:21] <Xaevo> i am NOT IMPERSONATING
[14:22:56] <Summercat> Allright then.
[14:23:06] <Summercat> Let us be pendandtic and correct and proper.
[14:23:06] <Xaevo> nd it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.
[14:23:08] <Summercat> "Password harvesting."
[14:23:17] <Xaevo> Summercat: nope, not harvesting, you noob
[14:23:21] <Summercat> You are engaging in "password harvesting". This is generally a co
[14:23:22] <Xaevo> i am not saving shit
[14:23:25] <Xaevo> i am not saving shit
[14:23:25] <Xaevo> i am not saving shit
[14:23:26] <Xaevo> i am not saving shit
[14:23:29] *** Mode #furaffinity +b *!* by Summercat
[14:23:32] <Xaevo> so, not harvesting
[14:23:44] <-* Summercat has kicked Xaevo from #furaffinity (I did warn you. Several times.)

[Messages from users other than Xaevo and Summercat have been edited out of the log. Times shown are GMT+2.]


Your rating: None Average: 3 (2 votes)

I dare say that calling someone a 'noob' is not an insult. :C

I mean, unless you're 10.

+ Banrai

Your rating: None Average: 5 (1 vote)

Well it's not a compliment. In any case that appears to have been the final straw. Altogether the conversation lasted about 12 minutes and just over 2 pages.

[14:27:27] <Summercat> I was trying to get him to see reason until he called me a noob. *shrug*

"If all mankind minus one, were of one opinion, and only one person were of the contrary opinion, mankind would be no more justified in silencing that one person, than he, if he had the power, would be justified in silencing mankind."
~John Stuart Mill~

Your rating: None Average: 3 (2 votes)

While I absolutely don't agree with what the user was attempting to do with the password scamming, I think they're both pretty immature to be offended at such a stupid 'insult', is all.

I mean, that's the equivalent of being offended at being called a dork.

+ Banrai

Your rating: None Average: 4.5 (2 votes)

That's called phishing, kids.

Only Furaffinity.

Your rating: None

Xaevo appears to maintain that his script would not save passwords. As a completely naive and 'noob' computer user, is he correct that the moderator overreacted or did it present something that could be abused?

Your rating: None Average: 5 (1 vote)

Whenever you submit your credentials to a site other than the one they are for, you run the risk of them being abused.

This may be a harmless script. It is equally possible that it is not. There is no way of knowing without controlling the server.

The source presented (which could be fake) does not store the user's credentials, but does store a copy of the login cookie in a randomly-named file on the server. This file does not appear to be deleted, and so might be reused to access your account.

I don't know Xaevo or know who runs his server, so I wouldn't use it. I can write my own message checker if I feel the need.

Your rating: None

How is this useful at all anyway? You'd have to enter your stuff either way... why not enter it in the site you are using?

Your rating: None

I think it's for people with multiple accounts. Though then you can just use different browsers so it's still not helpful.

"If all mankind minus one, were of one opinion, and only one person were of the contrary opinion, mankind would be no more justified in silencing that one person, than he, if he had the power, would be justified in silencing mankind."
~John Stuart Mill~

Your rating: None Average: 3.5 (2 votes)

Regardless of whether or not he was phishing, couldn't he have been a little nicer about it?
And I believe you should listen to a mod regardless of their reasoning.

Your rating: None Average: 1 (1 vote)

Pendandtic... is that where the Atlantic and Pacific ocean meet?

Your rating: None

In other news, now redundant.

Your rating: None

The source he gives, himself, shows that it saves the cookies, to files in /tmp, so yes, the script DID save, not passwords, but the ability to log in as the users.

Your rating: None

From what i understand Xaevo was also using FA's layout and message system without permission, right? That in itself was a bad idea.

It doesn't matter if 'noob' is an insult or not, he still disrespected and disobeyed staff.

Your rating: None

I think sometimes techs forget that "Net Neutrality" doesn't mean doing whatever you want with the Internet.

Your rating: None

In the end, it is usually best for websites that require logins to just have a blanket policy of never entering your login info on another site. Unless a website directly runs or is willing to take responsibility for everything the other site does or could do, then they might have an approved list of other places to use the same login info. But that might potentially adds to the confusion and increases the chances of phishing sites working for less internet literate people.

And while done with best of intentions, creating unofficial websites asking for such logins can add to the phishing confusion. Even when giving out the source code, that is only helpful to those that understand it and also trust the person. Otherwise, it is encouraging people to give out their passwords to people they've only heard from a friend of a friend that is legit.

Post new comment

  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <img> <b> <i> <s> <blockquote> <ul> <ol> <li> <table> <tr> <td> <th> <sub> <sup> <object> <embed> <h1> <h2> <h3> <h4> <h5> <h6> <dl> <dt> <dd> <param> <center> <strong> <q> <cite> <code> <em>
  • Lines and paragraphs break automatically.

More information about formatting options

This test is to prevent automated spam submissions.

About the author

Rakuen Growlitheread storiescontact (login required)

a student and Growlithe from South Africa/Austria, interested in science, writing, pokemon and gaming

I'm a South African fur, born and raised in Cape Town, but currently living in Vienna, Austria for work and studies. I'm interested in science, writing, gaming, all sorts of furry stuff, Pokemon and some naughtier things too! I've dabbled in art before but mostly like writing although I haven't done very many stories recently but more non-fiction on Flayrah. I also helped found and administer the ZA Fur forum.