Fur Affinity comment hiding feature introduced, exploited
Security flaws in a comment-hiding feature introduced to Fur Affinity this week have led to the indiscriminate hiding of comments throughout the site, after an attacker exploited them with a script.
The attacker said their intention was to raise awareness of the issues, after being initially rebuffed by site coders. However, their actions hurt innocent users, including artists who found their commission references hidden.
The new feature was intended to allow attributed hiding of comments by account owners, comment posters, and administrators.
Three separate flaws were found by the attacker, who was banned from the site after using the last of them to hide comments at random with a script:
- Comments could be hidden by tricking a logged-in user into loading a page containing image links whose URLs perform actions on the user's behalf (a cross-site request forgery, since the browser sends the user's cookies with the image request) – a long-standing flaw which can also be used to force users to +fav, watch and delete submissions
- Any comment could be hidden by the owner of any submission by editing the comment identifier in the URL provided to hide a comment on their own work; evidently the server checked that the user owned the submission named in the URL, but not that the targeted comment was actually on it
The site was placed into read-only mode for several hours in an attempt to stop the attack, but read-only mode did not block the hide action, so comments continued to be hidden.