Author Topic: Blockland Glass is compromised [update: contained] [CHANGE YOUR PASSWORDS]  (Read 9065 times)

Working to restore access with Jincux, but until further update, you should uninstall blockland glass and support_updater to avoid getting served bad addon updates

Blockland glass has been taken down and the issue has been contained. You do not need to delete blocklandglass or support_updater anymore, if you haven't already.

If you reused a password for your blockland glass account, change your password on every other site you used the password on. I cannot emphasize this enough.
« Last Edit: April 19, 2023, 08:38:56 PM by Conan »

celau is confirmed to have admin access to glass, including access to the database which contains hashed+salted passwords
have fun

celau is confirmed to have admin access to glass, including access to the database which contains hashed+salted passwords
have fun
so yeah probably change ur passwords if u have an account on blg


so yeah probably change ur passwords if u have an account on blg

People gotta learn to use different passwords for stuff man. Even big companies get their stuff hacked from time to time.

People gotta learn to use different passwords for stuff man. Even big companies get their stuff hacked from time to time.
Half of all American SSNs were leaked by an Equifax breach (iirc because of bad patch management)... everything online is vulnerable


celau is one of those turno-autists whos a master hacker but also has a psycholoveual obsession with kids toys

Dude i loving hate this

celau is one of those turno-autists whos a master hacker but also has a psycholoveual obsession with kids toys

he's not even a master hacker he just gets other people to do the dirty work for him and plasters his own name all over it (see: the rce exploit)

Blockland glass has been taken down and the issue has been contained. You do not need to delete blocklandglass or support_updater anymore, if you haven't already.

Blockland glass has been taken down and the issue has been contained. You do not need to delete blocklandglass or support_updater anymore, if you haven't already.
as an addendum:
passwords were publicly leaked - addon names were changed to blid/password combinations. apparently an improper hash algorithm was used (updated per conan's post below) rendering the hashes vulnerable to bruteforcing. if you share your blockland glass password with other accounts, change those passwords immediately.
additionally the attacker(s) were able to access an api key for jincux's stripe account and gained access to e-mail addresses and his 1099-k tax documents which they then released info from through the same method of addon renaming.
edit: i got a couple details wrong whoops. been hearing conflicting stuff lol
« Last Edit: April 19, 2023, 08:21:50 PM by Mr Queeba »

it wasnt the salting system but rather the hashing algorithm choice. if you ever make a website with user accounts, only ever use hash algorithms specifically designed for passwords. you actually want hashing of a password to take somewhere between 0.01 to 0.1 seconds, depending on the scale of your application - this significantly mitigates brute forcing which was what was used to retrieve the passwords for the accounts in the database.

as an addendum:
addon names were changed to blid/password combinations presumably associated with the author of each addon.
the blid pw combos had nothing to do with the addon authors, those addons specifically were being used because they were on the front page, all of the ids are those of people ive never heard of (i.e. not the authors) except for lord tony

additionally celau and co
i think youre really handicapped and dont have a clue
the blid pw combos had nothing to do with the addon authors, those addons specifically were being used because they were on the front page, all of the ids are those of people ive never heard of (i.e. not the authors) except for lord tony
no he just ran an insert command down the database for the addon tables data
it wasnt the salting system but rather the hashing algorithm choice. if you ever make a website with user accounts, only ever use hash algorithms specifically designed for passwords. you actually want hashing of a password to take somewhere between 0.01 to 0.1 seconds, depending on the scale of your application - this significantly mitigates brute forcing which was what was used to retrieve the passwords for the accounts in the database.
shoulda used bcrypt L.O.L.!