Tuesday, April 22, 2014

Getting Monday of my chest (open letter to the users and owners of Familjeliv.se)

So, the hacker attack on Familjeliv left me a bit drained. Mostly because of the nonchalance of the people on Familjeliv. Here’s the rundown:
A hacker found a nice little hole in the session cookies at large, parent-targeted Swedish forum Familjeliv.se, and decided to take action. According to the first hacker, he did NOT want to do anything malicious, but as Familjeliv.se didn’t heed his previous warnings about this hole, he decided that drastic action was called for. Adding a little extra code to the session cookies, he could basically hi-jack anyone’s account and surf around pretending he was them. He, and he alone, did this Sunday night, doing nothing but demonstrating what could be done with that hole. As far as I noticed, he stuck to one forum thread that night, only replying to other users that posted in his thread. That thread, however, was shut down late Sunday night. Monday noon, when I first logged in, he was at it again, this time more persistently. He maintained, however, that he meant no harm and only wanted familjeliv.se to take some action. I here suspect that he himself is a member of the forum, and really was only concerned with his own and other forum members safety. Over the course of Monday afternoon, though, things escalated. I cannot say and wish not to speculate in whether or not it was the original hacker that posted the hack on the other largest (way larger and wider) forum targeting a Swedish audience, Flashback.se, but it ended up there somehow. After that, users of famljeliv.se got their accounts hi-jacked left and right, their accounts were used to post things they did not support, some people were “outed” in threads where they wished to be anonymous, and so forth. Fortunately, this seems to have amounted to some more or less harmless inconveniences, and the worst of it seems to have amounted to one user having their password changed. Some people might have to regain some reputation. Personally, I only had a couple of posts written by myself to myself, and a lot of logout forced by… well, someone. Exasperating, to be sure, but harmless.
The worst bit about this hacker attack was not the attack itself, but rather the MASSIVE silence from Familjeliv.se. They deleted some threads the hacker started to show what he had found, but refused to say anything on the subject. I say refused, because today, an internet news site publicized a short article on the subject, where they had also interviewed the boss of familjeliv.se, where she stated that “We were aware of the problem as of 18.00 Monday night and the problem was fixed at 18.19. It took us 20 minutes to come up with a fix. This is no big deal, our users needn’t worry.” Yeah, I call bullshit. As I stated above, the hacker had already been in the night BEFORE and he had had forum threads DELETED the night before. Familjeliv.se were CLEARLY aware of the problem. So, here’s my guess: It was Sunday night, Easter, and they couldn’t be less bothered. It can WAIT. Let it wait till after Easter (which would be today, Tuesday). That’s my guess at their reasoning. However, and I don’t know how much this has anything to do with their more expedient handling of it all, I didn’t want this to get any worse, and decided to take action. Now, I’m just a lowly member of a forum that doesn’t even have a member rep system, but I started a forum thread, calling attention to the problem and stuck to my guns on it. I did not let this “can’t-even-promote-threads-to-sticky-forum” defeat my will to reach as many of the users as possible. Making sure my thread, giving info not only that the hacker attack  had occurred, but also what to do to make sure the hackers didn’t use any certain user’s account, didn't get lost in the shuffle, I forfeited my work, my poker tournament and my dinner for it. Of course, other users soon came in, helping me out, for which I am very, very grateful. You all have huge amounts of my gratitude, and you should have Familjeliv.se’s, as well. And still, Familjeliv.se has barely commented on the attack… They posted ONE lousy, tech-speech-ladled forum thread in which YOU CAN’T EVEN ASK ANYTHING ABOUT THE INCIDENT! It’s locked for comments. Not because it got flooded with questions, it’s empty. The questions land instead, of course, in my forum thread. Hopefully, they get answered (I must here apologize for not being available in the thread, I have had connectivity issues as well as log-on issues….)

So, that became a long rant. I probably had more to say, but if so, it’s gone now. I hereby want to thank all the forum users that made sure my thread about the incident didn't get lost in the shuffle, and give my promise that if this ever happens again, and I notice it, I WILL make sure you know about it and I WILL be badgering the support team about it.

Yours sincerely
Aniiee


Oh, and…. Don’t go too hard on the mods about this. They were just as vulnerable as anyone else, and there are not nearly enough of them to be everywhere all the time. 

No comments:

Post a Comment