Open source that site. Vet a few devs to have access to the source to begin with, then open-source it. Or even better, let the community rewrite the source from scratch. How hard can it be? And there are often a lot of people willing to contribute to open-source projects.
Regarding #1, telling the user that their login failed doesn't eliminate their ability to enumerate existing usernames. All they have to do instead is attempt to register a new account with the username they're testing. At some point, the site will have to tell them that the username already exists.
Another area I'd suggest looking into is your "recover your account key" setup. If the keys really, really are random, then this is probably fine. But if there's any flaw resulting in your generated keys being less than ideally random, somebody could have figured out a way to generate an account recovery key, and then used that to steal an administrative account. That is, assuming your administrative user even has that option. If it does, it might be a good idea to disable that, since you presumably have direct db access anyway, and can always backdoor your way in if you forget your own password.
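The recovery-key concern in the comment above comes down to two properties: the key must come from a cryptographic source, and the server must never need the key in clear after issuing it. The following is an added example written for this thread, not code from Project Euler (whose recovery mechanism is not visible here); `RecoveryKeyStore`, `KEY_TTL_SECONDS` and `predictable_key` are hypothetical names. `predictable_key` shows the anti-pattern the comment warns about (a PRNG seeded from something guessable reproduces the same key), while the store issues CSPRNG tokens, keeps only their hash, expires them and allows a single use.

```python
import hashlib
import hmac
import random
import secrets
import time

KEY_BYTES = 32          # 256 bits of entropy per recovery key (assumed policy)
KEY_TTL_SECONDS = 900   # keys expire after 15 minutes (assumed policy)


def predictable_key(seed: int) -> str:
    """Anti-pattern: a non-cryptographic PRNG seeded from a guessable value.

    Two calls with the same seed return the same key, so anyone who can
    guess the seed (a timestamp, a user id) can regenerate the key.
    """
    rng = random.Random(seed)
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    return "".join(rng.choice(alphabet) for _ in range(16))


class RecoveryKeyStore:
    """Issue and redeem account-recovery keys (hypothetical helper)."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be unit-tested
        self._pending = {}          # username -> (sha256(key), expiry time)

    def issue(self, username: str) -> str:
        # secrets.token_urlsafe draws from the OS CSPRNG, not from random.Random.
        key = secrets.token_urlsafe(KEY_BYTES)
        digest = hashlib.sha256(key.encode()).digest()
        # Only the hash is stored: a database leak does not yield usable keys.
        self._pending[username] = (digest, self.clock() + KEY_TTL_SECONDS)
        return key  # delivered to the user out of band (e.g. by e-mail)

    def redeem(self, username: str, presented: str) -> bool:
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expiry = entry
        if self.clock() > expiry:
            self._pending.pop(username, None)   # expired keys are discarded
            return False
        candidate = hashlib.sha256(presented.encode()).digest()
        if not hmac.compare_digest(candidate, digest):   # constant-time compare
            return False
        self._pending.pop(username, None)       # single use
        return True


if __name__ == "__main__":
    store = RecoveryKeyStore()
    key = store.issue("alice")                  # constructed sample user
    print("first redeem:", store.redeem("alice", key))
    print("second redeem:", store.redeem("alice", key))
    print("seeded PRNG repeats:", predictable_key(42) == predictable_key(42))
```

Issuing a new key for the same user replaces the old one, so a stale key from an earlier request cannot be redeemed once a newer one exists.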
It would be nice if source were provided, so that we can do a whitebox analysis. I don't have confidence that there is one single point of failure here, given that the site has already been compromised multiple times.
Especially since PE is such a technically simple site. It's login/logout, listing of problems, and confirmation/logging of problem success. It's simpler than the apps that beginning web framework tutorials show how to make.
Part of me learning to code was by going through the challenges on Project Euler and I always get a sense of nostalgia when reading about it.
I can't imagine the rationale for hacking projecteuler in the first place. Always a favorite place of mine as well and I still bring newbies to the scene there when I attempt to show them the basics of programming. I guess there's just an asshole for everything when you have hundreds of millions of people online these days. Sucks a bit doesn't it?
I am unable to log in to my account, so I'm not able to test this. But if I remember correctly this site used a poor captcha. There has been a lot of advancement in captcha-breaking software in recent years. If they used some kind of custom captcha to prevent password guessing, then it's not extremely secure.
Usernames cannot contain more than 32 characters
and they may only contain upper/lower case
alphanumeric characters (A-Z, a-z, 0-9), dot (.),
hyphen (-), and underscore (_).
Passwords must contain between 8 and 32 characters.
Haven't they been wrecked once before this most recent incident?
Except that as long as you use a unique password, and don't give any details that you don't mind falling into the wrong hands, there is absolutely no risk.
Please don't post backhanded swipes like this, or outright insults like "This guy is a moron." [1] The idea on HN is to comment civilly and substantively [2], or not at all.
I didn't down-vote you (yet), but I don't understand how asking for security help is the same as letting the site fall into obscurity. What modern development practices would you suggest?
It's a shame to not be more sympathetic to people with less experience or less time on their hands, especially when they run a widely appreciated site.
daguava | 10 years ago
Ex) https://projecteuler.net/profile/daguava.png
But you can also use this to quickly test the status of accounts.
For example, I was able to find Euler is an admin account by trying
https://projecteuler.net/profile/euler.png
It tells you it's admin in the image, why?
Edit: Wonder if they're exposing some vulnerability with the HTTP 300 Multiple Files they're returning.
If you try something like this: https://projecteuler.net/profile/.wat
the page confirms a .htaccess file exists at https://projecteuler.net/profile/.htaccess; we also find one at https://projecteuler.net/.htaccess
While currently inaccessible, this is a significant information leak.
All directories allow this, so you can do some digging to find what files exist.
Edit 2: while logged in, you can enumerate all usernames with a skill level attached by using URLs like
https://projecteuler.net/level=1
If you try changing the level to a period, the page conveniently tells you there are over 118k users in total (listing the first 10k), and MAY even show accounts without levels, but I'm not sure.
Combine this with the profile image URLs above and you may be able to find more admin account usernames if they have levels associated with them.
mhink | 10 years ago
Kind of a jerk move.
ProjectEuler | 10 years ago
daguava | 10 years ago
https://projecteuler.net/level=19
Look for the gold stars
aikah | 10 years ago
tsukikage | 10 years ago
mindcrime | 10 years ago
1. Your login page leaks information, as it returns "username not found" if you enter an invalid username. This is a bad idea. Better to simply say "login failed" in any case. Now, thanks to a few minutes of playing around, I have a fairly good idea that "admin" is a valid username on projecteuler.net. For the sake of argument, let's assume that's a real account, and actually has some administrative access... that's a bad idea. "Security through obscurity" is oft derided, but no sense making it easy for the bad guys. Make your admin username "flummoxedrabbit" or something that nobody bothers trying. As it is, I'm hoping this "admin" account is a dummy or a honeypot or something, but if it isn't, I definitely encourage you to change that and quit leaking username validity information.
2. From the limited testing I did, it doesn't appear that you limit the number of failed login attempts. Or if you do, the login limit is awfully high. I tried logging in 10 times and as far as I can tell, I could have kept going. If there really is no limit, it's probably not that hard to brute force your password. There are plenty of scripts and browser plugins to sit there and try to login repeatedly, trying to brute force forms like that.
3. In addition to limiting the number of login attempts, it's possibly a good idea to add a steadily increasing delay before accepting another login try from the same IP address, after each failed login. This will slow down at least some attempts to brute force your password.
4. You could consider some sort of Multi-Factor Authentication setup.
5. You could also consider adding code to do something similar to what fail2ban does, and automatically block connections from an IP where more than X failed logins originate in some period of time.
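Points 1, 2, 3 and 5 above fit in one small piece of server-side logic. The following is an added example written for this thread, not code from Project Euler or from the commenter; `LoginGuard`, `make_user_db`, the thresholds (5 failures in 10 minutes, 1 hour ban, delay capped at 5 minutes) and the sample user are all hypothetical. It returns the same "login failed" text whether the username or the password is wrong, doubles the per-IP delay after each consecutive failure, and bans an IP fail2ban-style once more than `max_failures` failures land inside the sliding window.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

GENERIC_FAILURE = "login failed"  # one message for every failure cause


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps each guess expensive; the per-user salt defeats precomputed tables.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_db(credentials: dict) -> dict:
    """Constructed in-memory user table: {username: (salt, hash)}. Demo only."""
    db = {}
    for username, password in credentials.items():
        salt = os.urandom(16)
        db[username] = (salt, _hash_password(password, salt))
    return db


class LoginGuard:
    """Per-source-IP throttling for a login form (hypothetical helper).

    - Same failure text whether the username or the password is wrong.
    - Delay of 2^(n-1) seconds (capped) after the n-th consecutive failure.
    - fail2ban-style ban when more than `max_failures` failures fall inside
      a `window`-second sliding window.
    """

    def __init__(self, user_db, max_failures=5, window=600, ban_seconds=3600,
                 max_delay=300, clock=time.monotonic):
        self.user_db = user_db
        self.max_failures = max_failures
        self.window = window
        self.ban_seconds = ban_seconds
        self.max_delay = max_delay
        self.clock = clock                   # injectable so the policy is unit-testable
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.next_allowed = {}               # ip -> earliest time another attempt is accepted
        self.banned_until = {}               # ip -> time the ban expires

    def _check_credentials(self, username, password) -> bool:
        record = self.user_db.get(username)
        if record is None:
            # Burn the same CPU for unknown users so timing does not leak validity.
            _hash_password(password, b"\x00" * 16)
            return False
        salt, stored = record
        return hmac.compare_digest(_hash_password(password, salt), stored)

    def attempt(self, ip, username, password):
        """Return (status, message, retry_after_seconds)."""
        now = self.clock()
        if self.banned_until.get(ip, 0) > now:
            return ("blocked", GENERIC_FAILURE, self.banned_until[ip] - now)
        if self.next_allowed.get(ip, 0) > now:
            return ("too_fast", GENERIC_FAILURE, self.next_allowed[ip] - now)

        if self._check_credentials(username, password):
            self.failures.pop(ip, None)
            self.next_allowed.pop(ip, None)
            return ("ok", "login succeeded", 0.0)

        recent = self.failures[ip]
        recent.append(now)
        while recent and recent[0] < now - self.window:   # forget failures outside the window
            recent.popleft()
        if len(recent) > self.max_failures:
            self.banned_until[ip] = now + self.ban_seconds
            return ("blocked", GENERIC_FAILURE, float(self.ban_seconds))
        delay = min(2 ** (len(recent) - 1), self.max_delay)
        self.next_allowed[ip] = now + delay
        return ("failed", GENERIC_FAILURE, float(delay))


def demo():
    """Walk one source IP through delay, ban and recovery on a fake clock."""
    clock = {"t": 1000.0}
    db = make_user_db({"flummoxedrabbit": "correct horse battery"})   # constructed user
    guard = LoginGuard(db, max_failures=3, window=600, ban_seconds=3600,
                       clock=lambda: clock["t"])
    ip = "203.0.113.7"   # constructed documentation-range address
    steps = [
        ("admin", "letmein", 0),                              # unknown username
        ("flummoxedrabbit", "nope", 0),                       # retried at once -> too_fast
        ("flummoxedrabbit", "nope", 1),                       # after the 1 s delay
        ("flummoxedrabbit", "nope", 2),
        ("flummoxedrabbit", "nope", 4),                       # 4th failure in window -> ban
        ("flummoxedrabbit", "correct horse battery", 10),     # right password, still banned
        ("flummoxedrabbit", "correct horse battery", 3590),   # ban expired
    ]
    results = []
    for username, password, advance in steps:
        clock["t"] += advance
        results.append(guard.attempt(ip, username, password))
    return results


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Note that the unknown-user and wrong-password paths return the identical message and both run the PBKDF2 hash, so neither the text nor the response time tells the caller which of the two happened.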
function_seven | 10 years ago
#2-#5 are all good points, though, and would help prevent username enumeration as well.
dongkyun | 10 years ago
mindcrime | 10 years ago
krapp | 10 years ago
tedunangst | 10 years ago
dyoo1979 | 10 years ago
mmanfrin | 10 years ago
trengrj | 10 years ago
It is a pity it keeps getting hacked. I think that the site owners are more interested in algorithms and mathematics than mundane engineering. It would probably be a good idea to open source the site.
codyb | 10 years ago
klekticist | 10 years ago
edem | 10 years ago
austenallred | 10 years ago
elchief | 10 years ago
jimmaswell | 10 years ago
brokentone | 10 years ago
aesthetics1 | 10 years ago
Zikes | 10 years ago
unknown | 10 years ago
[deleted]
kelukelugames | 10 years ago
Houshalter | 10 years ago
sfrank2147 | 10 years ago
krapp | 10 years ago
logicrime | 10 years ago
I find it concerning that folks are so eager to rush back into a warzone when they know it's not safe. Piling onto a recovering website after a cyberattack is akin to running back into a field where landmines were found. Maybe somebody was able to remove a landmine or two, but wouldn't it be wiser to just walk around it?
lukev | 10 years ago
Unlike, for example, actual mines.
kiba | 10 years ago
I haven't found any indication that the website behind Project Euler is open source or follows open source development processes.
mathetic | 10 years ago
hamza001 | 10 years ago
[deleted]
adamzubi700 | 10 years ago
[deleted]
zajd | 10 years ago
Edit: Such as allowing people to audit the source of the site as opposed to requesting pentesting.
dang | 10 years ago
1. https://news.ycombinator.com/item?id=10023513
2. https://news.ycombinator.com/newsguidelines.html
smoyer | 10 years ago
Comments like this (sometimes) go half-way. If there's a point behind it, enumerate the ways you think would improve his practices.
ajkjk | 10 years ago
goldenkey | 10 years ago
dang | 10 years ago
revskill | 10 years ago
elektromekatron | 10 years ago
Also:
Github Presence != Open Source
Open Source != requirement in asking for help/advice