FurBuy down for 'months' after spat with security researcher
Furry auction site FurBuy remains offline, a month after it was abruptly taken down, leading to severe corruption of the 19-year-old site's database.
Site owners say May 23's emergency shutdown was intended to recover from a freeze triggered by a self-styled security researcher's access, and announced a months-long renovation.
The researcher revealed their involvement, claiming to have been blocked by FurBuy after contacting them on Twitter. They said they did not access the database, but that someone using the vulnerability they found would be able to do so - which is disputed by the site owners.
Modern database systems and server hardware are meant to cope with unanticipated downtime by writing to disk in such a way that the data can always be recovered to a consistent state; however, this requires appropriate configuration, and tends to decrease overall performance. It is also possible for hardware to fail under stress.
The last successful backup of the site was made in October 2017, but this remained unnoticed after the death of long-time system administrator Mordrul last August, from thyroid cancer.
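The two points above, durable write settings and a backup that is actually taken and checked, are easier to see in code than in prose. The following is an added example, not FurBuy's code or anything from the site; it uses SQLite from the Python standard library as a stand-in for whatever database FurBuy ran, turns on write-ahead logging with a full fsync on every commit, takes an online backup without stopping the database, runs the engine's own integrity check on the copy, and reports how old the newest backup is so that a backup that silently stopped in 2017 would be noticed. The table name, paths and the one-day freshness threshold are constructed for the example.

```python
import os
import sqlite3
import tempfile
import time

# Constructed example (not FurBuy's code). Assumptions: a SQLite database stands in
# for the site's database; "auctions" is a made-up table; one day is the chosen
# maximum backup age.


def open_durable(path):
    """Open a SQLite database with settings that favour crash recovery over speed."""
    conn = sqlite3.connect(path, isolation_level=None)  # autocommit; explicit BEGIN/COMMIT below
    # Write-ahead log: a commit is appended to the WAL before the main file is touched,
    # so an interrupted write leaves the last consistent state on disk.
    conn.execute("PRAGMA journal_mode=WAL")
    # FULL (=2): fsync on every commit. Slower than NORMAL, but survives a hard power-off.
    conn.execute("PRAGMA synchronous=FULL")
    return conn


def durability_settings(conn):
    """Return (journal_mode, synchronous) so a monitor can confirm the configuration."""
    journal = conn.execute("PRAGMA journal_mode").fetchone()[0]
    sync = conn.execute("PRAGMA synchronous").fetchone()[0]
    return journal, sync


def online_backup(src_conn, dest_path):
    """Copy a consistent snapshot while the source stays open for other writers."""
    dest = sqlite3.connect(dest_path)
    try:
        src_conn.backup(dest)  # sqlite3 online backup API (Python 3.7+)
    finally:
        dest.close()
    return dest_path


def verify_backup(path):
    """True only if the copy passes SQLite's own integrity check."""
    conn = sqlite3.connect(path)
    try:
        return conn.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
    finally:
        conn.close()


def count_rows(path, table):
    conn = sqlite3.connect(path)
    try:
        return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
    finally:
        conn.close()


def backup_age_days(path, now=None):
    """Age of the backup file in days, from its modification time."""
    now = time.time() if now is None else now
    return (now - os.path.getmtime(path)) / 86400


def backup_is_fresh(path, max_age_days=1.0, now=None):
    """The check that was missing: alert when the newest backup is older than the limit."""
    return backup_age_days(path, now) <= max_age_days


def demo(tmpdir=None):
    """Create a database, write one row, back it up online and verify the copy."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    db = os.path.join(tmpdir, "auctions.db")
    bak = os.path.join(tmpdir, "auctions.bak")
    conn = open_durable(db)
    conn.execute("CREATE TABLE IF NOT EXISTS auctions (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("BEGIN")
    conn.execute("INSERT INTO auctions (title) VALUES (?)", ("constructed sample listing",))
    conn.execute("COMMIT")
    online_backup(conn, bak)
    result = {
        "settings": durability_settings(conn),
        "backup_ok": verify_backup(bak),
        "rows_in_backup": count_rows(bak, "auctions"),
        "fresh": backup_is_fresh(bak),
        "backup_path": bak,
    }
    conn.close()
    return result


if __name__ == "__main__":
    print(demo())
```

The freshness check is the part worth wiring into monitoring: `backup_is_fresh` with a `now` far in the future returns False, which is the alert a lone administrator's successor would have needed.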
[The] attack locked up our database server while we were in the middle of performing an emergency database backup, and we required our on-site host to perform a hard reboot of the server. The combination of an old server, a very strong attack, and having to hard power-off the server during a backup caused the disk volume (hard drive) to become corrupted. We repaired the disk to the best of our ability, but the database was damaged irrevocably and all of our attempts to restore the database have failed. We were able to repair a few tables completely, most partially, and several others were completely lost.
[...] For now, we are retiring the old (very old) software we wrote (mostly in 1999) which means there will be no FurBuy for the time being. It's honestly amazing that the site was able to run for as long as it has on as old a system as it's on. The same physical hardware has been running the site since 2007 when we upgraded it from the original hardware it was built on. The database server was on its last leg.
Also, if it ain't broken, why fix it? That server ran the system for 12 years without issue. It was working fine until it was attacked. That's our fault?
— FurBuy (@furbuy) May 30, 2019
FurBuy claim users' own "personal data, emails, passwords" were not accessed, other than any personal data within images uploaded (not emailed) to the site.
While FurBuy did not dispute that source code containing credentials was accessed, they say those credentials could not be used to reach the 3.5 GB site database without being in a certain location with VPN access. Regardless, passwords were stored using a possibly-unsalted SHA-2 hash, a fast general-purpose function that is not recommended for password storage.
FurBuy is not offering refunds of past subscriptions; instead, it is offering new subscriptions to the replacement site it promises to build, for which it is soliciting testers and says it has purchased 10U of hardware. Those wishing to obtain a refund regardless will have to consult PayPal's own terms for their jurisdiction to see whether they are entitled to one.
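To make the password-storage point concrete, here is an added example (not FurBuy's code) that puts the scheme described above, an unsalted SHA-2 digest, beside a salted, deliberately slow key derivation. It uses only the Python standard library: PBKDF2-HMAC-SHA256 stands in for whatever a site would choose today (a memory-hard function such as scrypt or Argon2 is preferable where available, but the record format and verification logic are the same). The iteration count, record format and sample passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed example (not FurBuy's code). Assumptions: PBKDF2-HMAC-SHA256 as the
# KDF, a "$"-separated self-describing record, and ITERATIONS as the current cost.


def weak_hash(password):
    """The scheme the article describes: unsalted SHA-256.
    Fast, and every user with the same password gets the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def shared_password_groups(records):
    """Given {user: unsalted_digest}, return groups of users whose digests match.
    With unsalted hashes an attacker learns this from the table alone."""
    by_digest = {}
    for user, digest in records.items():
        by_digest.setdefault(digest, []).append(user)
    return [sorted(users) for users in by_digest.values() if len(users) > 1]


ITERATIONS = 600_000  # assumption: tuned so one verification costs a fraction of a second
ALGO = "pbkdf2_sha256"


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Salted, slow hash. A fresh 16-byte salt per user defeats shared-digest lookups."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing so the cost can be raised later without a flag day.
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and cost; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != ALGO:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record, iterations=ITERATIONS):
    """True when a stored record uses a lower cost than current policy, so it can be
    upgraded transparently the next time the user logs in successfully."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample table: two users chose the same password.
    table = {"alice": weak_hash("hunter2"), "bob": weak_hash("hunter2"), "carol": weak_hash("x")}
    print("shared-password groups from unsalted table:", shared_password_groups(table))
    rec = hash_password("hunter2")
    print("salted record:", rec)
    print("verify correct:", verify_password("hunter2", rec))
    print("verify wrong:", verify_password("hunter3", rec))
```

The `needs_rehash` step is what lets a site retire a weak scheme gradually: keep the old column, and on each successful login replace the record with one produced by `hash_password`.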
For now, it seems erstwhile competitor The Dealers Den and non-fan auction and social media sites are receiving the lion's share of FurBuy's traffic.
Furry sites, even quite large ones that fans rely on, are typically run on a technical basis by one or maybe two people on a shoestring budget, often as a spare-time project. In fan commerce, the website is typically not the product itself, and may have been a one-off contract. Both of these situations are conducive to flawed coding and use of outdated technology.
There are exceptions, obviously; Bad Dragon is responsible for so many sites that they have a professional admin team - but even there, the programming of a fan site is done by site staff, who may not be qualified to write secure applications.
I know enough to doubt my own abilities when writing secure code, so I tend to punt to widely-developed application frameworks such as Drupal and MediaWiki, while trying to maintain standards on the administration side. Beware any site festooned with "tested for security" badges.
This got a lot of discussion by the Defcon Furs group and I got a lot of tips but held off from saying much due to no special knowledge about tech. Glad it got some notice. As far as I could tell there were good intentions from people who said they were just concerned about the security issues.
In my experience, it is perfectly possible to take down a site by accident, be it through over-eager indexing or a flawed BBCode parser that just happens to be tickled by a story.
Having previously reported a security issue to FurBuy myself, I can also sympathize with the third party, as it took some time for them to even appreciate that there was a problem.
Of course, "first, do no harm" is a maxim that should be adhered to by white hats as it is by doctors in white. If it seems that your actions are causing a site to struggle, it's incumbent upon you to stop them.
There's a bit of a history of sites ignoring reported problems and then banning/blocking people who eventually make it public knowledge.
https://www.flayrah.com/3977/fur-affinity-bug-permits-huge-avatars-former-mod-ba...
There are a lot of website issues going around lately. I know there were some other problems at some sites which I might write a short little bit about. I need to see what new information comes out first.
