What Just Happened, For Nontechnical Members
a year ago
Disclaimer: I'm not (at the time of writing) part of FA's staff, nor affiliated with them. I'm just a programmer with experience trying to explain technical stuff to nontechnical people. My information on what happened is based entirely on the official announcements; I'm merely a translator here.
Now that we're all back in action, there's probably a lot of people wondering what just happened, even those who were in the FA Discord like me and keeping up with the updates from the staff. To a lot of people, terms like 'domain' and 'registrar' might not make sense, and it might also seem weird that they logged everyone out but aren't forcing a password change this time. So here is my best attempt to explain all of this in the hopes that anyone can understand it. I may simplify some things here and there to make it easier to understand, so if you're technologically inclined please don't "Well ackshually" me in the comments unless I got something objectively wrong.
High Level Metaphor
Pretend that FA is a physical building that exists somewhere in the world. Then, someone hacks Google Maps and changes the recorded location of FA's building. The building still exists, and is under control of FA's owners. They still have the keys to all the doors and the codes to the safe in the basement (the database, in this extended metaphor). But anyone asking for directions to FA gets sent to somewhere else, possibly to a building that looks just like FA's building and has staff inside wearing fursuits and pretending to be the original staff to fool you and steal your money/cards/ID.
This includes the mailman, who in FA's case delivered the mail to the wrong address because his GPS told him the building had moved (and in this metaphor the mailman just blindly follows the directions and doesn't question that the building moved suddenly). The hacker told Twitter "Hey I lost my keys can you send me some new ones" and Twitter went "Sure no problem we'll mail them to The FA Building" and that allowed the hacker to get the keys to both FA and Dragoneer's Twitter accounts.
As of today, the Google Maps entry has been fixed and now points back to the real FA building. Because nobody ever entered the building who wasn't supposed to, and the vault in the basement was never touched, there is no need for additional security measures (changing passwords). However, all the currently active visitor badges have to be canceled and new ones must be issued, because someone could have visited the fake-FA building and had their badge stolen and there's no way to know for sure, so better safe than sorry.
More In-Depth Explanation
Firstly, when you type "www.furaffinity.net" into the browser (or load a bookmark, or go to any page that's part of FA...), what actually happens is that your browser needs to know where that is. There are millions and millions of possible places it could be - it's like if I told you to go to "My Office". Well, where the heck is that? For you, in the real world, you'd need a street address, and directions. For your browser, it needs what's called an IP Address. You've probably seen these, they're typically four sets of numbers from 0 to 255 separated by periods. FA's IP address, for example, is 104.22.46.79. The process of turning a domain name (such as furaffinity.net) into an IP address is handled by DNS (Domain Name System). I won't get too deep into the details but basically there are DNS servers on the internet that take these requests ("Where is furaffinity.net?") and reply with the answer ("It's at 104.22.46.79"). Different servers answer requests for different domains, and they can ask each other. It's Complicated™.
I do not know, nor do I claim to know, how it was compromised, but the hacker managed to gain access to FA's account at the company that controls the DNS server that answers the requests for furaffinity.net. By changing the settings they can make the server give a different IP address than the real one, and send people to the wrong site. And they did - this caused the initial errors that were observed because they didn't set everything up right (something something SSL Certificates, this is meant to be an explanation for nontechnical people and I'm not getting too deep into it). They changed this a few more times but by then the staff had gotten the word out that the domain was compromised.
As for the Twitter accounts, because the hacker controlled which servers the "furaffinity.net" domain points to, they were able to redirect any mail going to an "@furaffinity.net" email address. They set up their own email server, and intercepted that email. The Twitter accounts for FA and Dragoneer are (or at least, were) linked to addresses that end with "@furaffinity.net", and what happens when you click the "I forgot my password" link on most websites? That's right, they send you an email, which the hacker intercepted, and used to reset the passwords on those accounts, compromising them. (Moral of the story: Enable two-factor authentication on everything you possibly can, so that even if someone does this, they still can't log in because they don't have your phone.)
As of today, the DNS entry is fixed and correctly points back to FA's servers. Nobody ever got the credentials to any of the admin accounts, and the database wasn't broken into, so there's no need for people to change their passwords. So, why did they log everyone out?
Once you have logged into a website, there needs to be some way to keep you logged in so that you don't have to enter your username and password on every single page. One way this is usually done is with a 'session token'. When you log in, the server gives you a token, and then every time you load another page, your browser provides that token as part of the request. The server looks at the token, checks that it matches the one it has in its database as the currently active token for you, and (assuming it matches) answers your request. This is the visitor badge in my high-level metaphor: something issued to you, only valid for a set amount of time (but it can be renewed), used to prove your identity more quickly so you don't have to dig your driver's license and proof of address out every time you go through a door.
The issue is that your browser includes this token with EVERY request to furaffinity.net - even if the address of "furaffinity.net" has changed in the background, and even if it goes to a defunct page. So, during the time when furaffinity.net pointed to a different IP address, any request going there would include a user's session token. Since that token is basically the equivalent of a stolen visitor's badge, it could be used to get access to someone's account (this is called 'session hijacking'). To prevent this from happening, FA terminated all active sessions. As a result, everyone has to log back in again and get new session tokens. But because you provide the token instead of a password, you don't need to change your password.
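As an added illustration (not the author's or FA's code), here is a constructed Python sketch of the server side of that visitor-badge scheme: issuing a token at login, checking it on every page load, and the "terminate all sessions" step that makes a token captured during the DNS window useless without touching any password. The store layout, function names and the session lifetime are assumptions.

```python
import secrets

# Constructed in-memory stand-in for the site's session table plus the
# "sessions valid from" cutoff that a mass logout sets. Hypothetical names.
STORE = {"sessions": {}, "valid_from": 0.0}
SESSION_TTL = 7 * 24 * 3600  # assumed lifetime; the real value is not on the page


def issue_session(user, now):
    """Log-in step: mint a random token and record it server-side."""
    token = secrets.token_urlsafe(32)
    STORE["sessions"][token] = {"user": user, "issued": now}
    return token


def validate_session(token, now):
    """Every page load: accept the token only if it is known, unexpired,
    and was issued after the most recent mass logout."""
    record = STORE["sessions"].get(token)
    if record is None:
        return None
    if now > record["issued"] + SESSION_TTL:
        return None
    if record["issued"] < STORE["valid_from"]:
        return None  # minted before the cutoff: treated as possibly stolen
    return record["user"]


def terminate_all_sessions(now):
    """The 'log everyone out' response: every token issued before this
    moment stops working, while passwords stay exactly as they were."""
    STORE["valid_from"] = now


def hijack_window_demo():
    """Walk the timeline from the post with constructed timestamps."""
    t_login, t_window, t_logout, t_relogin = 1000.0, 1500.0, 2000.0, 2100.0
    badge = issue_session("alice", t_login)       # user logs in normally
    # During the window the browser sends this same token to whatever
    # furaffinity.net resolved to; assume it was captured there.
    captured = badge
    seen_during_window = validate_session(captured, t_window)
    terminate_all_sessions(t_logout)              # staff response
    seen_after_logout = validate_session(captured, t_logout + 1)
    new_badge = issue_session("alice", t_relogin)  # user logs back in
    return {
        "captured_token_worked_during_window": seen_during_window == "alice",
        "captured_token_works_after_logout": seen_after_logout is not None,
        "fresh_login_works": validate_session(new_badge, t_relogin + 1) == "alice",
    }
```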
Hope this helps give some better understanding/insight of what happened these last few days!

drag_seduction
~dragseduction
Thanks for the explanation for everyone. I think others will appreciate it ^^’=‘^^

You're very welcome!

Mighty1
~mighty1
Ty!

Wheremi
~wheremi
Appreciated.