[MUST READ] XDA major security flaws on protecting user information - About xda-developers.com

I recently did some network checks for XDA and found out that they are not providing enough security for the personal information of members in the community.
Basically nothing is encrypted
Here is the login page:
[screenshot of the login page]
As you can see, it's in MD5; preferably passwords must be encrypted in order to safeguard your personal information, as MD5 hashes can be reversed.
Here is the worst part, I found out that my personal messages are not encrypted and have no security measures in place. A person can easily intercept your message without any reasonable effort.
Nah, that's not the worst part, this is...
When you change your password a potential hacker can intercept both your old and new password IN PLAIN TEXT.
I as a user want my personal data on my account to be safe. XDA should implement full HTTPS for all Private Messages and User credentials as well as password editing.
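The first post reports MD5 on the login page and asks for passwords to be protected. As an added illustration (my own code, not anything from the thread, from vBulletin or from XDA), the block below contrasts unsalted MD5 with a salted, iterated hash for password storage: two users with the same password get the same MD5 digest, while PBKDF2-HMAC-SHA256 with a fresh random salt per user produces distinct records and is verified with a constant-time comparison. Function names, the record format and the iteration count are my assumptions. This covers storage only; it does not replace HTTPS for the transport, which is what the post is asking XDA for.

```python
import hashlib
import hmac
import os

# Demo setting (assumption): real deployments tune this to their hardware.
PBKDF2_ITERATIONS = 100_000


def md5_digest(password: str) -> str:
    """Unsalted MD5, the scheme the thread observed on the login page.

    Fast and salt-free, so identical passwords give identical digests and
    one precomputed table applies to every user at once.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'algorithm$iterations$salt$digest'.

    Hypothetical record format: it keeps the parameters next to the digest
    so the iteration count can be raised later without a schema change.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never accept
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    for user in ("alice", "bob"):  # constructed users sharing one password
        print(user, "md5:   ", md5_digest("hunter2"))
        print(user, "pbkdf2:", hash_password("hunter2"))
    record = hash_password("hunter2")
    print("correct password accepted:", verify_password("hunter2", record))
    print("wrong password rejected:  ", not verify_password("hunter3", record))
```

Running it shows the two MD5 lines identical and the two PBKDF2 lines different; the salt, not the password, is what makes them differ, and the verifier only needs the stored record to check a login attempt.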

Wow, just wow. I'm actually gobsmacked
“Power brings a man many luxuries, but a clean pair of hands is seldom among them.”
― Robert Harris
---------- Post added at 11:20 AM ---------- Previous post was at 11:17 AM ----------
Erm, question Deathnotice01. What about the Google sign in?
“Power brings a man many luxuries, but a clean pair of hands is seldom among them.”
― Robert Harris

That's just sad ?
Sent from my KitKatified HTC One X

I guess it doesn't really matter if I switch to Google sign in if nothing else is secure anyway
“Power brings a man many luxuries, but a clean pair of hands is seldom among them.”
― Robert Harris

@MikeChannon @svetius
Sent from my KitKatified HTC One X

Luckily I am using my Google account to access XDA, but damn - this is a major security flaw, and not on some weirdo site but on XDA *DEVELOPERS*

RohinZaraki said:
@MikeChannon @svetius
Sent from my KitKatified HTC One X
I'm not an expert on this so I've passed it to one of our systems people and Sv has a mention too I see.
Mike

deathnotice01 said:
I recently did some network checks for XDA and found out that they are not providing enough security for the personal information of members in the community.
Please see this thread regarding bringing HTTPS to XDA: http://forum.xda-developers.com/showthread.php?t=2383868. It has a lot of discussion about this topic.
deathnotice01 said:
Here is the worst part, I found out that my personal messages are not encrypted and have no security measures in place. A person can easily intercept your message without any reasonable effort.
When you change your password a potential hacker can intercept both your old and new password IN PLAIN TEXT.
In both of these situations, an attacker would have to be intercepting your traffic. I don't think that this is considered 'easily intercepted'. But, I agree we should be hashing this information on password change. This is built-in vbulletin functionality that we haven't modified but will take a look at the feasibility of changing it. Shouldn't be too difficult. (Famous last words)
deathnotice01 said:
I as a user want my personal data on my account to be safe. XDA should implement full HTTPS for all Private Messages and User credentials as well as password editing.
We fully agree with this. However XDA is built on vBulletin which doesn't have great capabilities for https. Here are the two major reasons why we don't have it on XDA yet:
1. vBulletin doesn't seem to handle cross-protocol (or even https) sessions very well. You can log in fine, but the session will expire after 5 minutes on different pages. There were a lot of other vBulletin issues regarding https, and I've actually done a lot of coding to fix most of the issues, but the session issue is still outstanding.
2. XDA is filled with 3rd party content, most of which is unencrypted. This will trigger browser warnings all over the place. The only solution to this that I see is to proxy the content on our own servers with https, however this is a pretty huge endeavor.
I am all on board for doing XDA in full https mode but there are still some of these major issues we haven't worked out solutions to (yet).

Wow, really glad you found this out! I know that because of heart bleed they had to redo a lot of the https encryption, but to think that there was almost no security in which to protect our own privacy, its just mind boggling. Good (bad?) find!
Sent from my SGH-I927 using Tapatalk

In both of these situations, an attacker would have to be intercepting your traffic. I don't think that this is considered 'easily intercepted'. But, I agree we should be hashing this information on password change. This is built-in vbulletin functionality that we haven't modified but will take a look at the feasibility of changing it. Shouldn't be too difficult. (Famous last words)
It's really easy.
Sniff traffic of a target device and voila. It's HTTP, so no decrypting is required; even a person without any good network auditing experience can perform this attack.
You can download tools from the internet to do such stuff with relatively low or no setup required.
We fully agree with this. However XDA is built on vBulletin which doesn't have great capabilities for https. Here are the two major reasons why we don't have it on XDA yet:
Remember, a data breach is a big possibility.
Regardless of the system, an appropriate amount of security should be implemented that would reasonably protect the transmission of personal information, because you are accountable for the data you collect and/or keep.
I personally thank you for looking into it.
Wrote this S#!t via Samsung Galaxy Note 3 LTE

Just gonna bump this in case there's any updates
Sent via Moto X Developer Edition


The Big Signature Problem

There are no restrictions on the size of signatures. A 1 or 2 line signature is fine, but most users write a big essay here. Even big photos can be found in signatures.
Signatures just make the thread ugly. They just reduce the value of screen real estate. And, they make the webpage heavy, too.
The Awkward Situation: The post is 1 line long, but signature is 100 lines long.
There must be restrictions applied to signature size. I think, user profile is great place to enter big details.
If not, at least allow users to hide all signatures with one click.
SachinShekhar said:
There are no restrictions on the size of signatures. A 1 or 2 line signature is fine, but most users write a big essay here. Even big photos can be found in signatures.
Signatures just make the thread ugly. They just reduce the value of screen real estate. And, they make the webpage heavy, too.
The Awkward Situation: The post is 1 line long, but signature is 100 lines long.
There must be restrictions applied to signature size. I think, user profile is great place to enter big details.
If not, at least allow users to hide all signatures with one click.
This topic has been discussed a number of times and the outcome is always the same: if you think someone has got a signature that is too big then you can report them. I feel that this will never change, as signatures serve a good purpose if used in the correct way; penalising everyone because some members go over the top with their sig, I feel, is the wrong way to go.
What s.d. said is correct. Also, you can hide all signatures under your Edit Options page. Technically you uncheck the box to display them, not "hiding" as such. If you use Chrome you can also use Archer's XDA toolbar to selectively hide signatures and more.
mf2112 said:
What s.d. said is correct. Also, you can hide all signatures under your Edit Options page. Technically you uncheck the box to display them, not "hiding" as such. If you use Chrome you can also use Archer's XDA toolbar to selectively hide signatures and more.
Thanks..
That's the thing I was looking for.
What. The. Actual. F#&*
Seriously, some people are missing a brain or what?
[screenshot of an oversized signature]
sdk16420 said:
What. The. Actual. F#&*
Seriously, some people are missing a brain or what?
And it's that scale of size I believe the OP is referring to, and I think any mod seeing sigs of that size should have a word. The irritation of seeing such signatures is on par with posts that have quoted 10 scroll posts to reply with one line.
Information like what phone, ROM, baseband one is using should be tucked under the username in posts, like how they categorise information in Personality Cafe. Signatures should be limited to a certain overall length. Oversized images should be automatically resized.
Tom9 said:
Oversized images should be automatically resized.
Possibly to the user's screen size. I've got a 1920x1080 display on my laptop, as I suppose quite a lot of members do, so what might be gigantic to some is normal for others, although the screenshot above is still over the top no matter what screen size anyone has.
If a user's signature is too big just PM the user and tell him about it.
If he disagrees you can PM a senior mod who can trim it down.
I usually suggest the use of
tags if there's lots of information.
example
Sent from my Nexus 7 using xda app-developers app
While this is definitely not a solution to the root of the problem, I have a temporary workaround for users with overly bloated sigs...
There's a browser extension called Stylish (Chrome | Firefox) that allows you to load custom CSS rules based on the current browser URI. I've set the following rules, among other minor tweaks of course... This way large sigs get scroll bars.
Code:
.postContent .postsig {
max-height: 250px;
}
I don't want to have to miss out on potentially helpful and interesting info in logical people's sigs just because there are people who think their sig is their own personal copy of Pinterest...
mf2112 said:
What s.d. said is correct. Also, you can hide all signatures under your Edit Options page. Technically you uncheck the box to display them, not "hiding" as such. If you use Chrome you can also use Archer's XDA toolbar to selectively hide signatures and more.
I have done this as I view on a Netbook and the scrolling was awful, I click on a user and view their sig in the profile if necessary.
tonyp said:
If a user's signature is too big just PM the user and tell him about it.
If he disagrees you can PM a senior mod who can trim it down.
I usually suggest the use of
tags if there's lots of information.
example
Sent from my Nexus 7 using xda app-developers app
I would always recommend hide tags to anyone with images in their signatures. They allow you to have all your content, without forcing everyone to see it, every time you post.
Archer's toolbar was also mentioned, and this is an excellent option also, allowing you to hide the sigs of selected users, not just all or nothing
And yes, if you see something ridiculous, either report it, or send a PM to your friendly Forum or Senior Mod. We're only too happy to help

Boycotting Google.....

Ok, first off, no silly replies please. You can laugh but don't talk like a dumbass.
So here goes.... *deep breath*.......
Is there an alternative to Android (Google) that I can run on my HTC One X? I'm boycotting Google for the way they have handled the offensive video as of late on YouTube.
To be frank, Google dominates my life: contacts, Gmail, photos, Chrome, but I now want to boycott them. I know it'll be hard but I can try....
So, alternative OS to Google which my One X can run?? Or do I need to buy an iPhone?
Mods, feel free to move this as appropriate.
What are you talking about......
And no is the answer
lol
somehow I'm not sure they will notice
anyways its your life, your choice..
Windows Phone, iPhone, and BlackBerry, Samsung Bada, I think there's more, but none really are quite the same as Android; IMO you will be taking a big step backwards if you do choose to not use it.
The only problem is that you're not really gonna be successful in finding one of those OSes for the One X. Somebody would have to make it, the same way as a custom ROM, and the processor architecture could be different and not supported by the OS etc etc; it's a big mess and very very unlikely to ever happen. The old Windows Mobile phones got Android purely because WinMo was complete crap and Android would have been considered an upgrade; the other OSes would be considered by most as a downgrade, hence nobody bothering to do it.
I'm guessing the OP is on about this video which Muslims are finding offensive
But to answer your question, no. You can't run anything other than Android on the One X at this time
CyanogenMod uses all the open source code from Android and makes the Google apps installation optional. If you boycott Google and don't want to know about them, you can use it if it's available on your 1X. The browser allows you to choose your search provider, right?
my apologies.. just could not resist
There is no non-Android OS for the HOX. You could however remove most if not all Google services from your phone. Root, and then install an AOKP or CM ROM, don't install the GApps. It might be useful to use Droidwall to block connections to specific Google servers as well. There will still be some things to do like making sure location services stay off, and you'll face some challenges, but you could cut the cord.
You'd need to sideload apps (no Play Store). Use something like Funambol for calendar/contacts/mail. Use Opera or Firefox browser and set default search engines to not be Google.
I can't decide if this would end up really sucky or really just the same!
Just go buy another phone. You can't please everybody in the world, so boycotting Google just because of this video is childish. They have material offensive to me posted on YouTube, like videos glorifying the IRA, but I won't boycott them because of it. So I suggest you either buy a new phone or quit your b##chin'
Sent from my HTC One X using xda premium
Goku80 said:
[image]
That's a bit uncalled for as this is a religious issue, not paranoia
EddyOS said:
That's a bit uncalled for as this is a religious issue, not paranoia
hehe sorry I just could not resist...I edited my post but on a serious note actually you can run another OS....problem is someone that can actually port it to the One X...Firefox OS..or Mozilla, I think it's called Gecko OS, something like that...or as someone above said run JB without the GApps
patp said:
There is no non-Android OS for the HOX. You could however remove most if not all Google services from your phone. Root, and then install an AOKP or CM ROM, don't install the GApps. It might be useful to use Droidwall to block connections to specific Google servers as well. There will still be some things to do like making sure location services stay off, and you'll face some challenges, but you could cut the cord.
You'd need to sideload apps (no Play Store). Use something like Funambol for calendar/contacts/mail. Use Opera or Firefox browser and set default search engines to not be Google.
I can't decide if this would end up really sucky or really just the same!
it's still running Google Android though?
Thanks guys, what a tremendous and positive response! :fingers-crossed:
looks like CM to me.... even though they utilize majority of android.
But wasn't android made possible by Linux??
@ Goku - really disappointed man. You're like one of the flagship xda members. Meh
Boycott Google?
Good luck with that, what you're after is an iPhone - but guess what, all videos will still be on YouTube (aka gootube )
Anyway, what's the big fuss - I liked the video, reminded me of Harry Potter because of the old wizard.
Sent from my HTC One X using Tapatalk 2
Genkville said:
@ Goku - really dissapointed man. You're like one of the flag ship xda members. Meh
my bad my friend i apologize.....
Closed
Please read and respect the rules and post in proper sections

[Signatures] ☎ Create your own mobile devices timeline (phones history) - super easy

Hi,
A new free web service has been just released - Mowned.com.
You can create your own mobile devices showcase (timeline).
As users create timelines (eg: add phones and the year when they got them), some interesting data will appear (such as: appreciations, devices owned by year, etc - for example check this page).
.. but let's go back to the forum signature. You can easily create a signature image that can be used in forums, etc. For an example of a generated signature check mine.
Steps:
Login with Facebook - just click that button, confirm the dialog from Facebook then your account is automatically created
Add your phones - the process is intuitive, you will see once you finish step 1
After you added all your phones click "Activate image signature" from bottom of your dashboard
Copy desired BBcode code generated with the signature image
That's all. You can have your signature in minutes.. in case you remember all the data.
You may observe that some years in the signature are in gray instead of black. Black means that the device is still owned, gray = device gone.
PS: phone years are not mandatory but nice to have (for statistics, as written above)
The service can be accessed via:
mowned.com - users mobile devices timelines
Available signature formats
Standard
[example signature image]
Extended
Smart
Re
thanks i will try it out
Would be great if you didn't need to use Facebook for it to work.
XperienceD, "Login with Twitter" may be implemented soon. Is that ok for you, since Twitter shares less information than Facebook?
Thanks
DSF said:
XperienceD, "Login with Twitter" may be implemented soon. Is that ok for you
Not really, no. I don't use anything that requires a login from either, especially when it's something I'm only ever going to use the once. Good luck with it though.
XperienceD said:
Not really, no. I don't use anything that requires a login from either, especially when it's something I'm only ever going to use the once. Good luck with it though.
^^^ Exactly what he said ^^^ I have no FaceBook account. I have no twitter account. I only have a G+ account because I need a Google account for my Android phone to function fully.
I look forward to the day when FB suddenly goes out of business and all these other companies are screwed - why they can't simply create their own log-in - or even better not require one - I don't understand.
Love the idea but why do you need a login in the first place?
I would remove the need (maybe give the option to) to get more people using it.. what's to stop someone else making a site that does the same but with no login?
Sent from my Nexus 7 using xda premium
Thank you guys for the replies.
XperienceD said:
Not really, no. I don't use anything that requires a login from either, especially when it's something I'm only ever going to use the once. Good luck with it though.
Yeap, but in future you get new devices so you need to update the current phones list (timeline). If the phones aren't linked to a user account you cannot edit..
SimonTS said:
^^^ Exactly what he said ^^^ I have no FaceBook account. I have no twitter account. I only have a G+ account because I need a Google account for my Android phone to function fully.
I look forward to the day when FB suddenly goes out of business and all these other companies are screwed - why they can't simply create their own log-in - or even better not require one - I don't understand.
I guess sites use Login/Connect via Twitter, Google, Yahoo, Facebook because:
1) users that are using those platforms don't have to complete registration forms.. just a few clicks and voila, you have access to the site. I personally prefer to login with Twitter and if I like a site and have this option I would sign in using this alternative
2) site programmers don't have to stress with the user creation process, eg: captcha, e-mail validation, etc.. Plus they get extra information, especially from Facebook, such as interests, etc (mowned.com doesn't store such information)
zacthespack said:
Love the idea but why do you need a login in the first place?
I would remove the need (maybe give the option to) to get more people using it.. what's to stop someone else making a site that does the same but with no login?
Login is needed because:
- phones are linked to an account
- edit phones list in future (eg: add new device, correct device year from - to, etc)
- user-based phone list helps improve the statistics per phone, for example see this link: http://mowned.com/devices/samsung-galaxy-nexus-i9250
- rate phones (for the sake of statistics again)
So.. what's the purpose you may ask? Well, this way we may see most appreciated phones by owners, phones owned by years, most owned phones.. It's true that you need some amount of data to a have a proper view..
I will implement in the next days a solution for login with e-mail and password (so a valid e-mail and password is needed for registration).
Edit:
Has anyone tried this?
Hello,
Now there's the option to sign up with an e-mail.
http://mowned.com/account/index
DSF said:
Hello,
Now there's the option to sign up with an e-mail.
http://mowned.com/account/index
Seems to work, but I didn't get the timeline signature picture at the end.
Maybe it's because of my username with the underscore => "IT_ler" ?!
Or do I have to wait after creating my timeline before the jpg will be made and provided?
This should be the link for my timeline signature picture:
[url=http://mowned.com/it_ler][img]http://mowned.com/sig/it_ler.jpg[/img][/url]
EDIT:
Now it's fixed and working fine !
It_ler, yeap it was the underscore, the route didn't know about it (only about "-") so a 404 error was triggered. Now it's fixed.
Thank you for the report!
Cool! just don't like the red ad
Thanks a lot anyway!
XxStatiX thanks, now the logo part is tweaked a bit. Indeed it was too bulky and took too much space. + now it can show up to 11 phones instead of 10. Do you think it's ok now?
(if you see no changes you have to refresh the page to force a new fresh request - instead it will show from your browser cache)
Okay i'm checking it out! Is it your website?
Thank you.. and yes
DSF said:
Thank you.. and yes
Used your website.. nice.. can you make it stretchable? I mean to different size option for image..
Just a suggestion to improve.. its nice already.. thank you..
Sent from the MUST have app!
nitubhaskar thank you!
Now the image stretches horizontally (its width) automatically. Eg: if you owned only 3 phones no need to make it 500px long..
Thanks for giving me this idea. So your signature image is 324 x 80 instead of 500 x 80.
That's what I could do at the moment. The signatures aren't customizable per user (at least ATM).
Yay, it's fixed! Exactly what I wanted, adding phones now! Wait
Thanksssss!
---------- Post added at 09:49 PM ---------- Previous post was at 09:45 PM ----------
Wait, I'm checking it here. Nice, thanks! Will spread the word. Like it!
Glad you like it and thanks for sharing!
Hi,
Now minimal information about most popular mobile phones (from mowned users input) is shown in main page of the site.
I'm thinking to add in near future an option for those who want only to generate signature images without creating an account. This data will not be merged with user phones database, so it will not help/affect the main statistics.

malware detected in google chrome

I got this strange page when I was visiting this thread
Code:
http://forum.xda-developers.com/showthread.php?t=1801464
I am not sure I am the only one getting this error
[screenshot of the Chrome malware warning]
Hope you guys can fix this, thanks.
Got it too. I think the problem is where the pictures on the thread come from.
mfsr98 said:
Got it too. I think the problems is where the pictures on the thread come from.
Well that's what the error message states so yeah.....
OP, this is quite a common occurrence and happens when people choose to host images on less than reputable hosting sites. I'll look through the thread later and take out the offending image.
Sent From My Fingers To Your Face.....
I'm getting this from just about every link I click on for xda, but the malware listed is different.
hooked_on_droid said:
I'm getting this from just about every link I click on for xda, but the malware listed is different.
This is true. I have browsed several threads and got the same result
Sent from my SAMSUNG-SGH-I317 using xda app-developers app
Please fix this quickly.
I've gotten the same thing multiple times today.
For me, it's on every XDA page that I enter.
But, I keep getting the same malware warning for "security.rltk.us " Doing research on that now.
Update: When I try to go to "security.rltk.us" I get a 403. When I google that malware, all that shows up is results for XDA and another supposedly infected site.
nate234 said:
For me, it's on every XDA page that I enter.
But, I keep getting the same malware warning for "security.rltk.us " Doing research on that now.
Update: When I try to go to "security.rltk.us" I get a 403. When I google that malware, all that shows up is results for XDA and another supposedly infected site.
Just started getting this same thing earlier today. Wasn't getting it this morning though.
Put adblock from the chrome store on. It clears it up. And you can remove later after XDA cleans up
Sent from my SPH-L710 using xda app-developers app
I'm a little surprised there isn't more discussion of this. I'm far from an expert but poking around the many JS files used on XDA I've noticed some suspicious shellcode in one of the Ad providers scripts. I'm fairly sure shellcode is not a common thing to use for an ad platform so maybe the ad provider has had part of their ad framework compromised? It's strange to see unobfuscated shellcode though, which seems rather lazy for typical browser exploits so this may just be strange/legitimate use of shellcode.
Again, by no means is this a definitive thing, just an observation based on what I understand.
EDIT: Looks like since last night Chrome is no longer reporting malware, so possibly the offending ad was removed? And it would appear the ad provider does intentionally use shellcode, as it's still present in their scripts.
I've flagged this for the server guru to take a look at. Not sure if he's around much the next day or two but it will be looked into folks don't worry.
Sent From My Fingers To Your Face.....
conantroutman said:
I've flagged this for the server guru to take a look at. Not sure if he's around much the next day or two but it will be looked into folks don't worry.
Sent From My Fingers To Your Face.....
Was curious myself and just did a little more digging on security.rltk.us. Appears Google Safe browsing has the originating site as blacklisted due to being categorized as "Adult & Pornographic content". No other checkers that knew of it had anything negative and not going to dig much further since 1) It's being addressed by mod and 2) Appears issue is cleared. Likely an ad associated with this domain and the message triggered because of the blacklist?
Per Sucuri SiteCheck the site itself has been blacklisted but clean, and provided a clean security report (warnings found):
Blacklisted: Yes
Malware: No
Malicious javascript: No
Malicious iFrames: No
Drive-By Downloads: No
Anomaly detection: No
IE-only attacks: No
Suspicious redirections: No
Spam: No
Plus it lists other sites that checked the domain and cleared it:
* Domain blacklisted by Google Safe Browsing: security.rltk.us - reference
* Domain clean by Norton Safe Web: security.rltk.us - reference
* Domain clean on Phish tank: security.rltk.us - reference
* Domain clean on the Opera browser: security.rltk.us - reference
* Domain clean by SiteAdvisor: security.rltk.us - reference
* Domain clean on Sucuri IP/URL malware blacklist: security.rltk.us - reference
* Domain clean by the Sucuri Malware Labs blacklist: security.rltk.us - reference
* Domain clean on Yandex (via Sophos): security.rltk.us - reference
Typically the "Red page of death" will come up when someone has linked an image to a hostname that is on the malware blacklist from Google, as conantroutman stated.
If there is an ad causing this (ie, if you see it on more than one thread) then it is possible there is a "Bad ad" being served. These are so customized that likely however much browsing I do I'll never come across it, so if anyone does have this issue and has the ability to determine which script exactly is causing the error, would love to hear it so we can yell at our ad provider.
That includes any shellcode that is being performed by an ad, would be very curious what they are doing.
We are blacklisting security.rltk.us from posting ads, the tough part is sometimes the ad is actually served from somewhere else that forwards to that domain name.
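Two passages in this page ask for the same check: the HTTPS thread's admin notes that XDA is full of unencrypted third-party content that would trigger browser warnings on an https page, and this thread's admin asks anyone who sees the "Red page of death" to work out which image or script is the one pointing at a blocklisted host. As an added example (my own code, not XDA's, vBulletin's or any ad provider's), the block below parses a forum page's HTML, records every resource the browser would fetch together with the nearest enclosing post or container, and reports two kinds of finding: a resource host that is on a blocklist, and an http resource on an https page (mixed content, split into active script/frame content that browsers block outright and passive image content that only warns). The sample page, the container ids and the blocklist are constructed for the demo; the blocklist simply contains the two hostnames this thread names, and in practice would come from a Safe Browsing lookup or the site's own denylist.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed blocklist for this demo: the two hostnames named in the thread.
BLOCKLIST = {"security.rltk.us", "freeimagehosting.net"}

# Tags whose fetched content runs or frames code. On an https page browsers
# block these as "active" mixed content; images are "passive" and only warn.
ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed"}
LOADED_TAGS = ACTIVE_TAGS | {"img"}


class ResourceCollector(HTMLParser):
    """Record (tag, url, nearest enclosing div id) for every loaded resource."""

    def __init__(self):
        super().__init__()
        self.container = None
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "div" and attrs.get("id"):
            self.container = attrs["id"]  # e.g. post_1, post_2, ads (constructed ids)
        if tag not in LOADED_TAGS:
            return
        url = attrs.get("src") or attrs.get("href") or attrs.get("data")
        if url:
            self.resources.append((tag, url, self.container))


def audit_page(html, page_scheme="https", blocklist=BLOCKLIST):
    """One finding per problem: blocklisted host, or http resource on an https page."""
    parser = ResourceCollector()
    parser.feed(html)
    findings = []
    for tag, url, container in parser.resources:
        parts = urlsplit(url)
        host = parts.hostname
        if host is None:
            continue  # relative path on our own origin: neither third-party nor mixed content
        scheme = parts.scheme or page_scheme  # protocol-relative "//host/x" inherits the page scheme
        if host in blocklist:
            findings.append({"container": container, "tag": tag, "host": host,
                             "issue": "blocklisted host"})
        if page_scheme == "https" and scheme == "http":
            kind = "active" if tag in ACTIVE_TAGS else "passive"
            findings.append({"container": container, "tag": tag, "host": host,
                             "issue": f"{kind} mixed content"})
    return findings


def blocklisted_hosts(findings):
    """Hosts that need to be removed from posts or cut off at the ad provider."""
    return {f["host"] for f in findings if f["issue"] == "blocklisted host"}


# Constructed sample page: two posts with images plus an ad container.
SAMPLE_PAGE = """
<html><body>
<div id="post_1" class="post">
  <img src="https://cdn.example.net/rom-screenshot.png">
  <img src="http://freeimagehosting.net/user/shot.jpg">
</div>
<div id="post_2" class="post">
  <img src="//cdn.example.net/logo.png">
  <img src="/images/smilies/smile.gif">
</div>
<div id="ads">
  <script src="http://security.rltk.us/ad.js"></script>
</div>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_PAGE):
        print(f"{finding['container']:>7}  <{finding['tag']}>  {finding['host']}: {finding['issue']}")
    print("hosts to cut off:", sorted(blocklisted_hosts(audit_page(SAMPLE_PAGE))))
```

Run against the sample, the image in post_1 is reported twice (blocklisted host and passive mixed content) and the ad script twice (blocklisted host and active mixed content), while the https and protocol-relative images and the same-origin smiley produce nothing. Feeding a saved copy of a real thread page in place of SAMPLE_PAGE answers the admin's question directly: the container id tells you which post to edit, and the host tells you what to blocklist at the ad provider.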
I think it's Google's job; they hate XDA for mods/hacks, like the 4.2 camera that is now blocked (asked to delete download links).
Merry Christmas and Happy New Year
Paulius
I got this too in the Nexus 7 section a few minutes ago. It was warning about freeimagehosting.net.
---------- Post added at 08:57 PM ---------- Previous post was at 08:55 PM ----------
Paulius7 said:
I think it's Google's job; they hate XDA for mods/hacks, like the 4.2 camera that is now blocked (asked to delete download links).
Merry Christmas and Happy New Year
Paulius
It's not Google. It's members who insist on using shady sites to host their photos and stuff. Those sites are blacklisted by Google and that's why the warning comes up.
I'm getting a warning for valid.canardpc.com when I try to go to this XDA page: http://forum.xda-developers.com/showthread.php?t=2483043&page=33

XDA Portal Security Update

We wanted to respond to the post on the Full Disclosure mailing list (link) regarding a vulnerability on XDA.
We can confirm that an admin account was compromised on the Portal portion of our site (also known as the blog or front page), however, no user accounts in the forums were compromised. XDA exists on two separate systems that live in two separate server environments and no user data is stored on the Portal servers where the issue happened.
At this point it appears that an admin account was compromised and used to gain access to the backend code on the WordPress site. We have patched this exploit and are continuing to review our code and policies to prevent this type of thing from happening again. We take security very seriously.
As a safety precaution, we've asked all Portal editors to change their password. Again we have no concern or evidence that XDA's user accounts were in any way compromised.
Our thanks to Steffen for reporting this. His attempts to contact us via other channels were unsuccessful mainly because we receive many emails on a daily basis about various topics, including people falsely claiming that our site is hacked. If anyone has information regarding a vulnerability, they can use the technical contact form on our site with details, or email me directly at security + at + xda-developers.com. When reporting a security vulnerability, make sure to include specific details so that we know that it is a real issue.
To follow up on what bitpushr said above, we've decided to create a dedicated page on the site where people from the community can report security vulnerabilities and understand our disclosure policy. Look for that in the coming days. In the meantime, feel free to use his email if you want to directly reach him and our team.
Thank you
Thank you for informing everyone about the incident and for taking user security seriously.
Portal is hacked again.
What's happening?
---------- Post added at 10:32 AM ---------- Previous post was at 10:21 AM ----------
The home page is now ok
And again.
Kim Jong Un is now here.
What does the database tar contain? Pretty sure it wasn't there before, so should we change our passwords?
Trafalgar Square said:
And again.
Kim Jong Un is now here.
Who is Kim Jong Un?
Portal and Forum are on different Servers.
You can change your pass, if you want to be sure.
As far as I know.
---------- Post added at 09:58 ---------- Previous post was at 09:57 ----------
Astrubale said:
Who is Kim Jong Un?
Korean dictator
Trafalgar Square said:
Portal and Forum are on different Servers.
You can change your pass, if you want to be sure.
As far as I know.
---------- Post added at 09:58 ---------- Previous post was at 09:57 ----------
Korean dictator
What? Why is he here?
Astrubale said:
What? Why is he here?
There was a GIF of him on the Portal site.
He hacked a server or admin account?
I don't know.
I am not the Admin.
Maybe it's a joke by the Admins. They are very funny sometimes.
Trafalgar Square said:
I don't know.
I am not the Admin.
Maybe it's a joke by the Admins. They are very funny sometimes.
I think not.
Hey all, sorry, it's no joke! But our WordPress and forum accounts are totally different. I am evaluating the portal server now; no need to change your password on the XDA forum, although it is always good practice to change your passwords every few months, everywhere.
bitpushr said:
Hey all, sorry, it's no joke! But our WordPress and forum accounts are totally different. I am evaluating the portal server now; no need to change your password on the XDA forum, although it is always good practice to change your passwords every few months, everywhere.
Is the web site OK now?
Since there's xda ad free now, I think it would be a good idea to launch some kind of a bug bounty program.
bitpushr said:
Hey all, sorry, it's no joke! But our WordPress and forum accounts are totally different. I am evaluating the portal server now; no need to change your password on the XDA forum, although it is always good practice to change your passwords every few months, everywhere.
This means files uploaded to xda forums are safe? Downloaded and installed an app when this went down.
Visi0nofExcellence2 said:
This means files uploaded to xda forums are safe? Downloaded and installed an app when this went down.
Wouldn't the forum and the normal website be on different servers? So I guess it's okay.
Sent from my Moto G using Tapatalk