Unwanted visitor

As the sharp user might have noticed, a few weird news posts appeared around 15:00 Saturday; these were the result of a user gaining access to certain information. I believe in full disclosure, so I will try to explain to you all exactly what happened, and what we have done to prevent it from happening again.

First of all, I will say what data was stolen: emails and encrypted passwords were taken for around 1500 users, and from the pattern of the traffic it looks like the hacker was trying to get access to admin accounts. The 1500 affected users will be contacted once we have enumerated them. I will explain later why the encrypted passwords should still be changed, and why they are vulnerable.

First let me explain how this could happen. When you have a big website you need a database backing it to store user information, matches, blogs, news posts and so on. Whenever you access this database from PHP you send a query asking for some data, and some of these queries are generated dynamically: e.g. if you want to see the profile page for my user, it will fetch the data for userid = 1. This however means reading information provided by the user, and the user really cannot be trusted not to be evil. So what you do is make sure that the input you receive and send on to the SQL server is properly formatted, and not in a form that can harm the database or disclose data. In common talk this is called SQL escaping. If your escaping is not done, your site is vulnerable to SQL injection.

As I am a 5th year computer science student I of course know all this, and the site has SQL escaping, but in the around 16.000 lines of code touching the database, some escaping was lacking, solely due to human error. This meant that simply by constructing a bad HLTV.org URL you could access any data in the database. There is no excuse for this, and I am very sorry for all the affected users. A security hole like this is not up to the standard that we set for ourselves here at HLTV.org, and I would step back as the webpage coder if there was anyone to take over. From the server log we can see exactly what info was accessed, which is why I can say so surely that “only” 1500 users of the approximately 135.000 users in our database were hit.
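The two patterns described above, side by side, as an added example that is not HLTV.org's code: a profile lookup that pastes the URL parameter straight into the query text, next to one that validates the id and binds it as a parameter. It uses Python's sqlite3 with a constructed users table; the `profile_*` names and the sample rows are assumptions.

```python
import sqlite3

# Constructed stand-in for the site's users table (example data, not real).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid INTEGER, email TEXT, pwhash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "admin@example.invalid", "202cb962ac59075b964b07152d234b70"),
        (2, "user@example.invalid", "ffffffffffffffffffffffffffffffff"),
    ])
    return conn

def profile_unsafe(conn, userid):
    """The missing-escaping pattern: the raw URL parameter is concatenated
    into the SQL text, so the database cannot tell data from query."""
    sql = "SELECT userid, email FROM users WHERE userid = " + userid
    return conn.execute(sql).fetchall()

def profile_safe(conn, userid):
    """Hardened version: reject anything that is not a plain integer id,
    then pass the value as a bound parameter instead of as SQL text."""
    if not userid.isdigit():
        return []
    sql = "SELECT userid, email FROM users WHERE userid = ?"
    return conn.execute(sql, (int(userid),)).fetchall()

def compare(userid):
    """Run the same (possibly hostile) query-string value through both."""
    return {
        "unsafe": profile_unsafe(make_db(), userid),
        "safe": profile_safe(make_db(), userid),
    }

if __name__ == "__main__":
    print(compare("1"))          # both return only user 1
    print(compare("1 OR 1=1"))   # unsafe returns every row, safe returns none
```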

Now, I said the passwords were encrypted, and they were; the problem however is that the encryption was written long ago, by a coder who has long since left HLTV.org. He unfortunately did know to encrypt passwords, but not how to do it properly. The “encryption” used is called hashing, and it is very safe. It basically works this way: in comes a password, say “123”, and out comes a generated string that will always be the same for the input 123. The hashing we use is called md5, and md5 would in this case return 202cb962ac59075b964b07152d234b70 for the string 123. The smart thing is that if you just get “202cb962ac59075b964b07152d234b70”, calculating what the real password is is very hard. Except for one thing, a thing called Rainbow tables.

Rainbow tables are basically collections of md5 hashes and strings, so you have a big table where you can do lookups with md5 strings and get the plaintext password back. E.g. you find one, enter “202cb962ac59075b964b07152d234b70” and it will return 123. This only works for precomputed strings; normally people compute the hash for all words in a dictionary and the like, things that are commonly used as passwords. This means that if you have a weak password, the hash is not safe. There is of course a way to get around this, namely to include something extra after the password. So let's say your pass is 123; then the coder should add something after it, called a salt. In this case maybe we want to put on: unhackable, making the string we take an md5 hash of: 123unhackable. It is very unlikely that a Rainbow table would have that string. Sadly this was not done for the HLTV.org login system, so rainbow tables can be used to attack the encrypted passwords. I have fixed this problem and will roll out the fix tonight, meaning if anything like this ever happens again, your password is impossible to break. Too late, I know, but the best I can do.
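The lookup attack and the salt fix from the paragraph above, as an added example that is not HLTV.org's code: a constructed toy "rainbow table" reverses the unsalted md5 of 123 but not the salted 123unhackable. It also goes one step beyond the post with a random per-user salt and a constant-time check; the function names and the word list are assumptions.

```python
import hashlib
import hmac
import secrets

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

# Constructed toy "rainbow table": md5 of a few common passwords, keyed by
# hash. Real tables hold millions of precomputed entries; the principle is
# the same lookup.
COMMON = ["123", "password", "qwerty", "letmein", "123456"]
LOOKUP = {md5_hex(p): p for p in COMMON}

def crack(hexdigest):
    """Reverse an unsalted hash by table lookup; None if it was never
    precomputed, which is all a rainbow table can do."""
    return LOOKUP.get(hexdigest)

def hash_with_site_salt(password, salt="unhackable"):
    """The fix described in the post: append a fixed salt before hashing,
    so 123 becomes md5("123unhackable"), a string no table contains."""
    return md5_hex(password + salt)

def hash_per_user(password, salt=None):
    """Going one step further than the post: a random per-user salt stored
    next to the hash, so equal passwords give different hashes and an
    attacker would need a separate table per user."""
    salt = salt or secrets.token_hex(8)
    return salt, md5_hex(salt + password)

def verify_per_user(password, salt, stored):
    """Constant-time comparison avoids leaking how many bytes matched.
    md5 is used only because it is what the post describes; a modern
    system would use a slow password hash such as bcrypt or scrypt."""
    return hmac.compare_digest(md5_hex(salt + password), stored)

if __name__ == "__main__":
    print(crack(md5_hex("123")))               # "123": the table has it
    print(crack(hash_with_site_salt("123")))   # None: the salted string is not in the table
```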

So for good measure, you should all change your passwords here on HLTV.org, and in other places where you have used the same password. I will compile a list of users as soon as I get a little time, but until then I recommend that everyone changes it. Again I want to stress that “only” 1500 users were affected.

I cannot tell you how sorry I am for this, and I have spent the past 3 hours running through 16.000 lines of code to check for exploits of this nature. Sadly, when you run a high profile website, a free service, only trying to do good, some still think hacking and attacking such sites is fun for god knows what reason. It really saddens me that the user did not contact us about the issue instead of exploiting it. I guess no good deed goes unpunished. Sadly I think the motivational hit to the crew at HLTV.org will be a much bigger loss than the data lost.

So, HLTV.org was hacked, go have a field day rakaka.

#3
United States unknownuser1
Who the f*ck wants to spend a whole weekend trying to hack community websites? No lifer persons =[
2008-10-11 18:36
0
#4
Germany Herp
DAMN really bad
2008-10-11 18:28
0
#6
Spain artikel
So sad :(
2008-10-11 18:31
0
#7
Italy THEBLACKRIDER
really sad
2008-10-11 18:33
0
#8
Belgium hima
damn so we must change our pass, I'm right?
2008-10-11 18:35
0
1 reply
#10
United States unknownuser1
Regrettably, yes = ]
2008-10-11 18:37
0
#9
Switzerland B!gApple
Sad, and thank you Nomad for the explanation!
2008-10-11 18:36
0
2 replies
#12
United States unknownuser1
Well, yeah it was kinda a good explanation.. if you understand "computer language". Which I don't =D
2008-10-11 18:38
0
1 reply
#26
Denmark Caluen
I think he did a good job of explaining it in non-computer lingo.
2008-10-11 19:58
0
#11
United Arab Emirates mrcooldude007
dnt get a word u said..bt i only gt tht dis site got hacked or so..thts really bad.. so do we chng our pass to sumthin diff, for ex. $wes_iT, $iy4B
2008-10-11 18:38
0
2 replies
#14
United States unknownuser1
Ehm, translator? Translated to understandable English: Didn't get a word of what you just said. I only found out that the site got hacked, or something like that... That's really bad.. So we need to change our passwords right?
2008-10-11 18:41
0
#44
United Kingdom 8Ball^
Yes change your password immediately and if you use that password elsewhere change it on that site / email or whatever too.
2008-10-12 13:06
0
#13
Netherlands ufear
Only 1500 users' encrypted passwords were stolen; if you were amongst them you had better be resetting them. If you are amongst those 1500 users you will be receiving an e-mail from HLTV.org in the near future, I guess.
2008-10-11 18:40
0
#15
Portugal Cyborgy
lololol who do this ? :p
2008-10-11 18:43
0
1 reply
#19
United States unknownuser1
As earlier mentioned; no lifer persons.
2008-10-11 19:03
0
#16
Romania TheBat.B
good explanation, and man don't worry, it happens to bigger websites and with a lot more ppl behind them than the hltv.org crew. I am sure there will be no problem at all and you will make it even more secure after this attack .. GG
2008-10-11 18:43
0
1 reply
#17
Germany Herp
GG xD? goodgame for hacker but not hltv
2008-10-11 18:46
0
A pity we had to learn the hard way but at least we have learned :) Keep up the awesome work Nomad! ;)
2008-10-11 18:55
0
#20
Poland bkx
Password changed. And GJ Nomad, you woke up the page!
2008-10-11 19:04
0
#21
China Buom_dem
thx Nomad! But why can't I download at the demo section now???
2008-10-11 19:07
0
1 reply
#22
Denmark Nomad - HLTV.org
My fault, you can now.
2008-10-11 19:10
0
#23
Spain deBurrows
As always u have my support Nomad. Any website is vulnerable. At least I'm sure this incident will make hltv.org improve in some way. "What does not kill us, makes us stronger".
2008-10-11 19:14
0
1 reply
#24
Denmark Nomad - HLTV.org
Yea well, the passwords are now 100% safe should this happen again, at least that is something.. :/
2008-10-11 19:20
0
#25
Yugoslavia BURT
keep the good work...every site can be hacked so take it easy ;)
2008-10-11 19:41
0
#28
Brazil Feck
Sad :( That's why I use a different password for each site/application I run. Changing pass...
2008-10-11 20:28
0
#29
Faroe Islands s1carius
I wouldn't actually mind if Nomad just wrote an article like this every week. I learned a lot from it, seeing as I am in my first year as an IT-Supporter I need a lot of info like this, only explained by someone that is more human, f.x. Nomad :] Still really annoying that someone does a thing like this. But I'm sure in the world of a hacker doing a thing like this beats watching pr00000n on a Friday night ;] Still gj on getting everything back up n running. :)
2008-10-11 20:34
0
8 replies
#30
Denmark Nomad - HLTV.org
Hehe, I think computer science lectures might be kinda outside the scope of HLTV.org ;)
2008-10-11 20:51
0
7 replies
#31
Faroe Islands s1carius
Hehe you're probably right, but it is really nice to know how you guys run things around here. Like how do you create HTML codes and how on earth did you create so many smart functions. ;p
2008-10-11 21:12
0
5 replies
#32
Denmark Nomad - HLTV.org
If you have a concrete thing you'd like to know about, preferably a HLTV.org feature, I'll consider writing a blog on how we made it.. :)
2008-10-11 21:44
0
4 replies
#34
Poland bkx
I'm in! In the near future I'm going to study something related with computers etc. so this would help me :) Would be really nice, if you created something like a "story" (not about one feature, I mean a "story" about creating a page, how to write features etc.) "How we made the page". Of course if you have enough time. Think about it :)
2008-10-11 22:43
0
2 replies
#35
Switzerland MadeInLondon
I suppose this would take an enormous amount of time!
2008-10-11 23:52
0
1 reply
#36
Poland bkx
I already said, Nomad could do it, if he had enough time :)
2008-10-11 23:57
0
#42
United States the warrior
I think it is a great idea, I'm in :D
2008-10-12 05:52
0
#47
Romania RatzY
I never understood the Rainbow tables and more at school until you gave these explanations. I would like to hear more about that feature or other things related to this domain. :D It was not your fault, you don't need to be sorry, it can happen to anyone, you can make errors, it's a human thing, you're not a computer that could work without errors. Keep the good work! :)
2008-10-12 13:39
0
#33
Portugal <3 kRiX
Really sad :(
2008-10-11 21:52
0
#37
Netherlands AK^ WOEHOE
ehm, you don't have to be sorry at all mate :)) Shit happens to everyone.. even to the best guys. It just shook you up :D Now you're aware of the dangers xD. Respect for what you do, seriously :D
2008-10-11 23:54
0
#38
Switzerland MadeInLondon
yeah, shit happens! but, it could be worse - MUCH WORSE! you're doing an awesome job nomad! thx!
2008-10-12 00:31
0
#39
Kyrgyzstan eKlipSe
www.motosblog.com.br/mb/wp-content/uploads/2007/09/shit-happens.gif It's a shame this happened. Let's just see it as a way of improving the website ;)
2008-10-12 00:35
0
#40
World turnT_Tturn
bad
2008-10-12 00:52
0
#41
Finland shaker-
A pity
2008-10-12 01:05
0
#43
India Fzr
dumb hackers :x get a life man btw really nice job Nomad :D :D :D
2008-10-12 10:13
0
#45
Lithuania kexas
SteelSeries prizes for those 1500!
2008-10-12 13:19
0
5 replies
#46
Denmark Nomad - HLTV.org
Haha, if we had 30.000€ laying around, then sure.. ;)
2008-10-12 13:20
0
#48
Romania RatzY
You will get a glide, not a set. Is that enough? o_O
2008-10-12 13:44
0
3 replies
#50
Lithuania kexas
That was a joke o_O Even if i get that.. thing.. glide.. i would use it to clean my shoes.
2008-10-12 14:42
0
2 replies
#52
Romania RatzY
That was a joke too. o_O You don't even know what the word means, you don't even know with what you're cleaning your shoes, it may be shit, it may be not.
2008-10-12 14:55
0
1 reply
#53
Lithuania kexas
Stop talking shit..
2008-10-12 17:10
0
#49
Netherlands AxelD
Sounds like a good hack but why would you hack a site like this, I mean it's a cool and good site but you know, why hack it?
2008-10-12 14:27
0
2 replies
#51
Lithuania kexas
Some people think it's cool. They hack something and think: "haha I'm so powerful" "what are you gonna do now mazafazers?". They feel they are better than others, I guess.
2008-10-12 14:46
0
1 reply
#55
Denmark Bllets
and then the "glory" of 'hacking' a site means you can brag about it to your 'hacker' friends.. The bigger the site, the bigger the bragging is..
2008-10-13 00:30
0
#54
France AmiR007
No problem NOMAD, ur the best :D and we don't have credit card access on the website so don't be too sorry :p :D have a good week
2008-10-12 21:45
0
#56
Sweden slop3
I had a great field day NOMAD! Paintball and everything! Thank you!
2008-10-13 09:50
0
#57
Romania diesell
A real hacker would contact the staff and tell where he found the breach, and probably a solution to that breach. Thing is that SQL injection is so easy to use... Don't put the name hacker near this stupid script user. There are so-called "hackers" who only copy what others discovered and use it for stupid reasons.
2008-10-13 11:30
0