Security issue with the site
ChrisW - 21/6/22 at 07:40 PM

Evening everyone

It has come to our attention that there was some malicious activity on the site last night. I assume it is obvious that the code that runs this site is pretty old now and whilst we have done a lot of work over the last 20 years (yes, the site really is 20 years old!) there are still issues lurking in the background that we have not spotted.

It is somewhat difficult to piece together exactly what has gone on but our best guess is that someone was able to inject SQL code to obtain hashed (aka obscured) versions of users' passwords and from there build an authentic cookie allowing them to change users' profiles. It does not appear at this stage that anything particularly sensitive was changed, simply some mischief was caused. My long-suffering friend Luke has done his best to reverse engineer the method they used and believes he has now fixed the issue.

Although the information that leaked was obscured, the method the site uses to do this is 20+ years old and as such isn't particularly secure with today's decryption methods. It is therefore potentially possible that the attacker would be able to reverse engineer your password. Therefore, if you use the same password on other sites with the same email address and/or username we recommend that you change those passwords urgently. I'm sure we have all heard the advice before to use a different password on every site but I am also sure not everyone follows that advice. If you are at all in doubt, for your own sake, please err on the side of caution.

Luke has very kindly offered to re-write the entire authentication system the site uses over the next few days to ensure that this cannot happen again. I will certainly be buying him a beer for his efforts; if you would like to contribute to that fund the button is at the top of the page.

Thanks for your understanding and support.

Chris