Data leak?

Data leak?

Post by crumpart »

Just saw this warning on my iPad about a data leak?

Good luck using my password from here anywhere else, lol.
(Thought? Maybe this is for my Art submitting password?)
Devil’s got me Lindt! Devil’s got me Lindt!
Re: Data leak?

Post by Lunkhead »

It must be the art password. There aren't usernames/passwords for anything else on songfight.org as far as I know. I can change your art password if you like?
Re: Data leak?

Post by crumpart »

Lunkhead wrote (Fri Nov 04, 2022 2:45 pm):
> It must be the art password. There aren't usernames/passwords for anything else on songfight.org as far as I know. I can change your art password if you like?

Why not. Go for it!
Re: Data leak?

Post by fluffy »

I wonder how the data leak took place, although given how insecurely the passwords are managed it wouldn't surprise me.
Re: Data leak?

Post by Lunkhead »

I can't speak for Spud's way of picking folks' passwords for the art submission form but my way is pretty lazy and isn't generating super unique passwords. I had also been trying to make passwords that were not too hard for folks to remember but I should probably put more randomness into them and make them longer. In the case of crumpart's password, I could easily see it being a password used by other people on other sites, so it's probably been compromised in one of the many leaks across the Internet over the years. If somebody really wanted to, they could look at the art archive and guess that the names shown are usernames and then brute force their way to submit art using a list of compromised passwords from leaks and find a match and submit nefarious art. Probably not a big deal but I will put slightly more effort into the passwords. I just don't want to make them so that nobody remembers them and folks wind up emailing me frequently about them.
Re: Data leak?

Post by fluffy »

I meant more about how they’re stored.
Re: Data leak?

Post by Lunkhead »

I meant that I don't think songfight.org had a data leak (regardless of how poorly we store the credentials) and that the password was simple and was in a data leak from some other site and Safari on the iPad is just checking stored passwords against passwords known to have been compromised in various data leaks.
Re: Data leak?

Post by fluffy »

I wonder how they’d have known, though? Those data leak checkers work by getting dumps of passwords from places, and I doubt that anyone’s been brute-forcing username/password pairs on the art submission page. It seems much more likely to me that someone somehow obtained a copy of the art submission PHP script and generated a dump from that.

One possible source of such a leak would have been from the git repository, incidentally, and since I’d been thinking of removing that from the site files, I’ve gone ahead and moved it away.

Another possibility is that someone else on the Dreamhost server got hacked and then the hacker was able to access the raw .php files from a very basic filesystem traversal (which is trivial to do on Dreamhost). So we should probably move the passwords to a more secure storage mechanism; even a text file that stores username and bcrypt hash pairs would be better than what we have right now.
Re: Data leak?

Post by Lunkhead »

fluffy wrote:
> I wonder how they’d have known, though?

How would who have known what? Are you asking, how would crumpart's iPad have known that her password for the art submission page was present in dumps of passwords from places? I'm assuming the password has been saved in KeyChain Access, and Apple has added a feature of checking passwords in KeyChain Access against published dumps of compromised passwords. This thread seems to indicate that assumption is potentially roughly accurate:

https://discussions.apple.com/thread/252087887

Crumpart's specific password was probably especially poorly/lazily chosen (by me) as it's just three common words, all lower case, no punctuation, and they're three words taken from a pop culture reference that's relatively commonly known, so in hindsight it seems very likely that many people have used that specific password in many places for a long time.
Re: Data leak?

Post by Lunkhead »

But yes, you are of course completely right that what we're doing now leaves huge amounts of room for improvement. I hope that nobody is taking these crummy passwords we're giving them and then using them for their login to their bank or something. Until we improve things though I can in the meantime pick longer more random passwords, and give folks a reminder that the best practice is that they not use their art submission passwords for any other account anywhere.
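As an added example (not the site's own code) of the two fixes discussed above, fluffy's file of username and bcrypt hash pairs and Lunkhead's longer, more random passwords, assuming a placeholder file path and a caller-supplied word list:

```php
<?php
// Added example (not the Song Fight code): keep "username:bcrypt-hash" lines in a
// text file instead of plaintext passwords inside the submission script, and issue
// longer random passphrases. File path and word list are assumed placeholders.
// Keep the file outside the web root so a raw filesystem read yields only hashes.
const USERS_FILE = __DIR__ . '/../private/art_users.txt';

// Draw words with a CSPRNG from a large list: four random words are far harder to
// guess than three words from a well-known phrase, and still easy to remember.
function generatePassphrase(array $wordlist, int $words = 4): string {
    $picked = [];
    for ($i = 0; $i < $words; $i++) {
        $picked[] = $wordlist[random_int(0, count($wordlist) - 1)];
    }
    return implode('-', $picked);
}

// Parse "user:hash" lines into [username => hash]. Usernames must not contain ':'.
function loadUsers(string $path): array {
    $users = [];
    if (!is_file($path)) {
        return $users;
    }
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $parts = explode(':', $line, 2);
        if (count($parts) === 2) {
            $users[$parts[0]] = $parts[1];
        }
    }
    return $users;
}

// Record only the bcrypt hash; the plaintext is shown to the artist once and never
// written to disk, so a leaked file no longer exposes reusable passwords.
function setPassword(string $path, string $user, string $passphrase): void {
    $users = loadUsers($path);
    $users[$user] = password_hash($passphrase, PASSWORD_BCRYPT);
    $lines = [];
    foreach ($users as $u => $h) {
        $lines[] = "$u:$h";
    }
    file_put_contents($path, implode("\n", $lines) . "\n", LOCK_EX);
}

// Called by the submission form: password_verify compares in constant time.
function checkLogin(string $path, string $user, string $passphrase): bool {
    $users = loadUsers($path);
    return isset($users[$user]) && password_verify($passphrase, $users[$user]);
}
```

Usage: call `setPassword(USERS_FILE, $artist, generatePassphrase($wordlist))` when handing out a new password and `checkLogin(USERS_FILE, $_POST['user'], $_POST['pass'])` in the form handler.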
Re: Data leak?

Post by fluffy »

Lunkhead wrote (Sun Nov 06, 2022 12:28 pm):
> fluffy wrote:
> > I wonder how they’d have known, though?
>
> How would who have known what? Are you asking, how would crumpart's iPad have known that her password for the art submission page was present in dumps of passwords from places? I'm assuming the password has been saved in KeyChain Access, and Apple has added a feature of checking passwords in KeyChain Access against published dumps of compromised passwords. This thread seems to indicate that assumption is potentially roughly accurate:
>
> https://discussions.apple.com/thread/252087887
>
> Crumpart's specific password was probably especially poorly/lazily chosen (by me) as it's just three common words, all lower case, no punctuation, and they're three words taken from a pop culture reference that's relatively commonly known, so in hindsight it seems very likely that many people have used that specific password in many places for a long time.

Ah, okay, I thought the warning was that the username-password combo had been seen, not that the specific password being used was present in existing leaks.

Also I'm less worried about people using their art submission password elsewhere (because why would they do that?) and more the passwords being discovered/used to try to further exploit the site in some way, such as by uploading malicious content as cover art.