
OneBookShelf, DMsGuild security breach update.

darjr

I crit!
In dealing with this security breach, we learned that the hack was instigated by a “white-hat” hacker who had not followed proper protocols.

Details

The hacker found a PDO buffer overflow vulnerability that caused a SQL query to be truncated in a way that altered the price of all titles instead of just one.

The hacker also uncovered a vulnerability in a particular publisher-facing tool that would let a user enable or disable any title on site.

No customer or publisher data was accessed or compromised.



I can’t seem to find the original thread, for some reason. If some kind forumite who has it would post it here I’d appreciate it.
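The quoted statement says a truncated SQL query changed the price of every title instead of one. The following is an added illustration, not OneBookShelf's code and not a reproduction of the PDO bug it describes: it simulates in Python with sqlite3 (rather than PHP/PDO) how an UPDATE built by string concatenation and cut off at a fixed buffer size can lose its WHERE clause and hit the whole table, and shows the parameterised, length-checked form that cannot. The table name, column names, BUFFER_LIMIT and MAX_NOTE_LEN are all assumed values for the demonstration.

```python
"""Constructed demonstration (not OneBookShelf code): a SQL UPDATE that is
truncated before its WHERE clause updates every row instead of one.

Python/sqlite3 stands in for PHP/PDO here; BUFFER_LIMIT, MAX_NOTE_LEN and the
table layout are assumptions for the example, not values from the real site.
"""
import sqlite3

BUFFER_LIMIT = 64      # assumed fixed-size buffer in the vulnerable code path
MAX_NOTE_LEN = 20      # assumed application limit used by the hardened version
HEAD = "UPDATE titles SET name = '"


def make_db():
    """Constructed sample data: three titles with distinct prices."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE titles (id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER)")
    conn.executemany("INSERT INTO titles VALUES (?, ?, ?)",
                     [(1, "Adventure A", 999), (2, "Adventure B", 1499), (3, "Adventure C", 499)])
    conn.commit()
    return conn


def build_update(title_id, new_price, note):
    # Vulnerable pattern: the statement text grows with the user-controlled note,
    # so a long note pushes the WHERE clause past a fixed buffer boundary.
    return f"{HEAD}{note}', price_cents = {int(new_price)} WHERE id = {int(title_id)}"


def craft_note(new_price):
    # Pad the note so the text up to and including the price is exactly
    # BUFFER_LIMIT characters long; everything after it (the WHERE) is dropped.
    set_clause_len = len(build_update(1, new_price, "").split(" WHERE")[0])
    return "x" * (BUFFER_LIMIT - set_clause_len)


def vulnerable_update(conn, title_id, new_price, note):
    # Truncation is silent: the statement is still valid SQL, just without a
    # WHERE clause, so the database applies it to every row.
    sql = build_update(title_id, new_price, note)
    truncated = sql[:BUFFER_LIMIT]
    cur = conn.execute(truncated)
    conn.commit()
    return cur.rowcount


def hardened_update(conn, title_id, new_price, note):
    # Validate length first, then bind parameters: the statement text is a
    # constant, so user input can never change which rows it touches.
    if len(note) > MAX_NOTE_LEN:
        raise ValueError("note too long")
    cur = conn.execute("UPDATE titles SET name = ?, price_cents = ? WHERE id = ?",
                       (note, int(new_price), int(title_id)))
    conn.commit()
    return cur.rowcount


def prices(conn):
    return [row[0] for row in conn.execute("SELECT price_cents FROM titles ORDER BY id")]


def demo_vulnerable():
    """Attacker sets title 1 to 1 cent; the truncated UPDATE hits all three."""
    conn = make_db()
    rows = vulnerable_update(conn, 1, 1, craft_note(1))
    return rows, prices(conn)


def demo_hardened():
    """Same request through the parameterised path changes exactly one row."""
    conn = make_db()
    rows = hardened_update(conn, 1, 1, "x" * 5)
    return rows, prices(conn)


def hardened_rejects_oversized():
    """The hardened path refuses the padded note instead of truncating it."""
    try:
        hardened_update(make_db(), 1, 1, craft_note(1) + "x" * 30)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("hardened:  ", demo_hardened())
    print("oversized rejected:", hardened_rejects_oversized())
```

The point of the comparison is that the failure is not an injection in the classic sense: the attacker never supplies SQL syntax, only a string long enough to push the restricting clause out of the buffer. Binding parameters removes the dependency between input length and statement text, and the explicit length check turns a silent truncation into a visible error.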


Bravesteel25

Baronet of Gaming
I'd be interested to know if that white hat was brought in by One Book Shelf to do penetration testing. If so, it's strange that they didn't do the penetration test on the test version of the site that I'm sure they have.
 

Daraniya

Explorer
a 'white hat' hacker is not someone who fails to follow disclosure protocols...

Signed,
25 years in infosec

P.S. Change your passwords, especially if you use that password on other sites... typical PR response is to state "no customer data was accessed". you can bet your a** that customer data was probably accessed and we'll see an update once they do a full accounting of the extent of the breach. Also, regenerate your API keys if you're using the local desktop App...
 

darjr

I crit!
a 'white hat' hacker is not someone who fails to follow disclosure protocols...

Signed,
25 years in infosec

P.S. Change your passwords, especially if you use that password on other sites... typical PR response is to state "no customer data was accessed". you can bet your ass that customer data was probably accessed and we'll see an update once they do a full accounting of the extent of the breach. Also, regenerate your API keys if you're using the local desktop App...
I have a lot of trust for Drivethru but this is a good idea regardless, change your passwords and do not reuse 'em. I have zero trust for their breacher.
 


Daraniya

Explorer
I have a lot of trust for Drivethru but this is a good idea regardless, change your passwords and do not reuse em. I have zero trust for their breacher.
Would like to see them implement some additional security, like OAuth logins (google/apple/microsoft logins) and/or 2FA capabilities. Some of us have several thousand dollars of merchandise in there and would be painful or impossible to recover if lost.
 

darjr

I crit!
Would like to see them implement some additional security, like OAuth logins (google/apple/microsoft logins) and/or 2FA capabilities. Some of us have several thousand dollars of merchandise in there and would be painful or impossible to recover if lost.
I can’t agree more.
 
