Password Resets (April 3, 2019)
4 years ago
United States

A few game moderator accounts were compromised on April 1, in a very similar manner to what happened back in November. About 3 to 5 accounts moderating a few prominent boards were compromised. The cause is still understood to be a few users using or re-using passwords that were compromised from other sites years ago. We implemented password re-use stipulations and reset everyone's password again. We also rolled back the database to shortly after 2019-03-30 23:37 US Eastern. The description of November's issues is here: https://www.speedrun.com/The_Site/thread/l1r3e

If your password was a password that was not previously used on a compromised website, your account was never at risk. We're acutely aware that resetting passwords and rolling back the database is a disappointing approach. In order to get the site up today, that's what we went with. We have every intention to implement further safeguards against this method of account compromise.

The site's leaderboards as a whole are only as secure as the least secure user, and we're very aware this is a problem. We intend to implement further protection against known compromised passwords from other websites. We currently intend to utilize the pwnedpasswords API, which offers built-in anonymity in password match requests: https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/

It is our current understanding that every compromised password was gained from that list. We're looking into the logistics for implementing 2-factor authentication as well. 2FA could potentially be mandatory for game moderators, if that is seen by the community as acceptable. If it's optional it only protects people who want to be protected.

Hours prior to all of this, a couple users also took the opportunity for April Fools to trash a couple boards. Those were also cleaned up by the database rollback. We'll address that facet for April 1 2020. There is some additional work to make damaged board cleanup much easier, such as site staff being able to restore from backups easily. Restoring a single board is currently a very manual process that only a couple people know how to do.

Edited by the author 4 years ago
Bogdan_mk, Razorflame and 24 others like this
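The post above says the site intends to check new passwords against the Pwned Passwords range API, which never receives the full hash: the client sends only the first five hex characters of the SHA-1 and compares the returned suffixes locally. The following is an added example of that k-anonymity lookup, not code from the site or from the thread. The `SAMPLE_RANGES` response body is constructed for the example (the first suffix is the real SHA-1 of "password"; the other two lines are made up), and `offline_fetch` stands in for the HTTP call so the block runs without network access. `live_fetch` is the shape of the real request and is not invoked.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

# Constructed stand-in for GET https://api.pwnedpasswords.com/range/5BAA6.
# Each line is "<35-hex SHA-1 suffix>:<count>". Only the first line is real
# (SHA-1 of "password" is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8); the
# other two are invented for this example. A count of 0 is what the API's
# padding mode emits for filler entries, so the code treats 0 as "not found".
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "1E2A52A7D5A4A6B9F03B1C9E5D1C0F2A3B4:2\r\n"
        "00DD6A5D9D8F0B3B3C5E7F1A2B3C4D5E6F7:0\r\n"
    ),
}


def offline_fetch(prefix: str) -> str:
    """Return the constructed response for a prefix, or an empty body."""
    return SAMPLE_RANGES.get(prefix, "")


def live_fetch(prefix: str, timeout: float = 5.0) -> str:
    """Real range query (not called here). Add-Padding hides the true
    number of matches from anyone watching response sizes."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = offline_fetch) -> int:
    """Number of times the password appears in the breach corpus (0 = not seen).

    Only the 5-character hash prefix leaves the machine; the 35-character
    suffix is matched against the returned list locally.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        line = line.strip()
        if ":" not in line:
            continue  # skip blank or malformed lines
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            try:
                return int(count)
            except ValueError:
                return 0
    return 0


def is_acceptable(password: str, fetch: Callable[[str], str] = offline_fetch) -> bool:
    """Policy hook for the signup / password-change form: reject any password
    with a non-zero breach count."""
    return breach_count(password, fetch) == 0
```

A practitioner would also decide what to do when the API is unreachable: failing closed blocks signups during an outage, failing open admits a reused password; either way the decision should be explicit rather than an unhandled exception in the form handler.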
Maryland, USA

To those of us who happened to donate after 3-30-19 but before the rollback occurred, how does that get fixed?

Granolant and O.D.W. like this
United States

mixmastapj: I pointed Pac to your post.

Granolant likes this
Texas, USA

To be honest, I think that 2FA should never be a topic of discussion and mandatory for everyone, not just game moderators like myself. It should have been a thing since the November vandalizing of this site.

Derpeth likes this
Illinois, USA

The real April Fools is still letting users change the name of the game and the theme of the page

Bogdan_mk, blueYOSHI and 2 others like this

Thanks for dealing with this again. I'd welcome a 2FA requirement for super-mods and mods, given that they have the highest abuse potential.

Valhalla

Vet mods better. I'm a fuckin' nobody, but whatever the 2FA implementation ends up being, if it's too much of a hassle I'll just dip back to Google Sheets, nbd.

edit: also don't go half way if you're going to do it, force 2FA on everyone. Requiring it only for people that have mod roles sounds like a pain in the ass anyways.

Edited by the author 4 years ago
6oliath, MASH, and HowDenKing like this
Antarctica

The option for 2FA needs to exist. Making it mandatory for mods and optional for everyone else is fine, but I also see no harm in requiring it for everyone since even a hacked regular user account can cause major headaches for people and mods (although hacking a non mod does significantly less damage for whatever it's worth). But it's pretty obvious we need something for it.

But please, for the love of god, make April Fool's jokes grounds for removing mod powers. I'm so tired of seeing themes and backgrounds become major eyesores and fake runs are just plain stupid. None of it is a joke, it's just an excuse to vandalize a board for a day. Twitter is already un-usable on that day because of fake strat videos, I don't need this site to become the same way.

Bogdan_mk, bigcrunchbar and 6 others like this
Canada

Considering this is the second time this has happened in less than a year, I don't think there's any room for debate here. The site absolutely needs 2FA, and 2FA should absolutely be mandatory for game moderators as a bare minimum. It's inconvenient, but so is having to roll back the entire site and reset everybody's passwords frequently because some idiot didn't get the memo the first time this happened.

In addition to that, major changes to leaderboards (changing game name, url, logo, mass-adding or deleting runs, etc) should be flagged and need to be manually approved by site staff. I realize that creates a lot of extra work for site staff, but this is clearly a huge avenue for abuse, and having a human manually checking these things would prevent a lot of the problems we're having here.

[quote]make April Fool's jokes grounds for removing mod powers[/quote]

Hard agree on this. The internet really isn't a great platform for April Fool's pranks (or any kind of prank, for that matter), half the reason they work is because you follow them up with "hah, gotcha! April Fools!". Posting a fake run on an otherwise reputable leaderboard has no "gotcha" moment, it's just annoying, low-effort vandalism. Doing weird themes for the day is one thing (though I don't think anyone should even be doing that), but posting blatantly fake runs, for any reason (even on "socially-agreed-upon prank day") should not be tolerated.

Edited by the author 4 years ago
Bogdan_mk, blueYOSHI and 4 others like this
Texas, USA

Compromising accounts is an April Fools prank? That's really a new one on me.

Edited by the author 4 years ago

In November, a few users with unsecured accounts indirectly caused widespread vandalism. There was damage to the integrity of the leaderboards and to the site's reputation. Staff had to scramble; the database was manually reverted. For months we were getting daily complaints of users who had to be directed to bother Pac personally to get their accounts emails reset. Everyone paid the price.

...Everyone except those who had their unsecured accounts broken into. They were allowed to continue as mods. Some of them thoughtlessly changed their passwords right back to what they were, according to site staff.

Users who have their accounts compromised for any reason (third party site hack, easy-to-guess passwords, improper log-out, etc. etc.) must be held accountable for what happens on their account.

Now here we are, the site is being forced to implement anti-stupidity measures for every user, because of the actions and neglect of a few bad apples. Staff is talking about removing moderator responsibilities for those who don't wish to comply. But there's been no mention of permanently removing the moderator responsibilities of those whose passwords caused all of this. What kind of message is this sending?

It is unbelievable that the same people can be allowed to remain a liability on a repeated basis.

Edited by the author 4 years ago
Bogdan_mk, blueYOSHI and 6 others like this
Canada
Banks
He/Him, They/Them
4 years ago

If full 2FA is too much of a pain (requiring users to install a new application or give a phone number), an easier alternative might be requiring email confirmation the first time a moderator logs in (starts a new session) from a new IP. Not quite as secure, but perhaps sufficient.

Bogdan_mk, blueYOSHI and 3 others like this
Nova Scotia, Canada

The board I moderate (SMW Remix) seems like it wasn't rolled back?

Pennsylvania, USA

What bout us poor boys who can't afford to have a cell phone

Alayan, Bogdan_mk and 3 others like this
Minnesota, USA

I agree with several of the above posters that 2FA should be mandatory for anyone with mod-level powers. I don't have a strong opinion on a 2FA requirement for non-mods.

As for "what if I don't have a cell phone": I use a Yubikey U2F key on several other sites and I have found the experience to be quite painless. Implementing WebAuthn as an alternative to SMS-based 2FA would be nice.

Tenka and HoodyTwoShoes like this
Stirling, Scotland

2FA will have an option for emailing a code out for those, in the minority, who for some reason do not own a mobile phone or another device that can send and receive SMS. Alternatively, we may integrate social media authentication in the future.

Edited by the author 4 years ago
Bogdan_mk, blueYOSHI and 2 others like this
United States

Most 2FA methods, such as email, are phony. Phone numbers are easily hijacked as well. They don't solve the problem, but are really great at locking out legitimate users with no recourse.

Better backups, and the ability to roll back specific games without it being a holy hassle, are probably a better approach than that.

Canada
Banks
He/Him, They/Them
4 years ago

@PresJPolk They are not "phony", they provide different levels of security. If you have Google's threat model, where you need to actively defend against technologically sophisticated militaries with billions of dollars to spend attacking you, then you certainly want to mandate a Yubikey or other tamper-resistant signature mechanism. The vandalism on Speedrun.com is about as far from that as you can get: zero-effort non-interactive password reuse. SMS hijacking may be relatively easy for a determined attacker, but even that is several levels above anything we've seen. Calling it a "phony" defense is unhelpfully reductionist.

(Not that I actually disagree about the backups/rollbacks -- that's definitely critical stuff. I just get nitpicky about broad security claims.)

Edited by the author 4 years ago
ShikenNuggets likes this
Switzerland

Most of you guys that are active in the Discord probably know about my concerns regarding the site's security and implementations. It is a great idea to include the long-wished-for 2FA, but PLEASE implement it in the most easy and user-friendly way. Just use Google Authenticator or any other code generator for it; e.g.: https://medium.com/@richb_/easy-two-factor-authentication-2fa-with-google-authenticator-php-108388a1ea23

It is supported on all platforms, doesn't require you to transmit a phone number and also won't cost you a cent on the client or server side (I don't want to receive authentication messages from another country, making me pay fees for it every time I need to log into the site). Let's not even start about being forced to provide sensitive data in the form of a mobile number. Quoting another reply from above:

"If full 2FA is too much of a pain (requiring users to install a new application or give a phone number), an easier alternative might be requiring email confirmation the first time a moderator logs in (starts a new session) from a new IP. Not quite as secure, but perhaps sufficient."

That's one of the worst methods to implement 2FA and has its roots in the early days of that technology. You'll end up with the same insecure scenario regarding brute-forced/leaked email accounts as it already was without it. You would also annoy a LOT of users who are living in countries with dynamic IP allocation like Germany (you automatically receive a new IP address every 24 hours). However, be advised that you're able to use a similar, user-friendly way of storing a session over multiple days/weeks. You can save the authenticated clients into a database, which will allow people to log in without a 2FA prompt as long as they're on the same machine and didn't clear their browser cache or exceed the maximum number of days before that authentication session gets flagged as expired (you can set that on the server side again; most sites use a value of 14-30 days).

And for the other subject: I do not really care if all of the users are forced to use a 2FA as long as people with ANY sort of rights on the site are.

Best regards

Edited by the author 4 years ago
Bogdan_mk, enamel and 2 others like this
Germany

About the April Fools jab: There are games like Minecraft, where those changes are just part of the culture. That's not the mods acting up, it's the mods celebrating a global holiday

BellumZeldaDS likes this