MCSchematics
Author Topic: No site security  (Read 2016 times)

0 Members and 2 Guests are viewing this topic.

Offline NotSecure

  • *
  • Posts: 2
  • Reputation: 0
  • Minecraft Username: nowayinhell
No site security
« on: January 15, 2018, 07:05:45 AM »
So my son wanted to do something in Minecraft involving schematics.  Googling led me to this site.  As a cybersecurity professional, I was frankly stunned by what I saw.

For starters, the site doesn't use HTTPS.  In English, that means the content is unencrypted (unscrambled) when your browser talks to the server.  That means that your user name, your *password*, your *minecraft user name* (if you added it at registration) can be read by anyone on the internet.  There are people out there who run programs 24/7 to intercept web traffic.  A website with lots of users and no security like this site will be at the top of their list for harvesting user accounts. You wouldn't let someone broadcast your user name and passwords over radio and simply pray that no one else is listening.  That is what this site is doing.

Second, this website is trying to force its users to mine the cryptocurrency called monero (it's like bitcoin) for them without users' knowledge or consent.  Setting aside the ethical question, the mining programs being downloaded often contain malware that goes after other parts of your computer looking for anything it can steal - like your keystrokes the next time you log into something more sensitive.  There's also the performance hit if you keep the browser open.  Mining cryptocurrency takes a lot of computer horsepower away from whatever else you're doing.

And before any poorly-informed/inexperienced staff start crying 'welp', I invite them to spend 30 minutes googling what I've said.  After that, they can decide if they really don't care that this site is making their own user data available to anyone listening AND using their own computer to mine cryptocurrency while getting malware/spyware as an added bonus. To help start them on their journey, google "Why use https instead of http?".

If the site owner has no idea where to start, start here: https://www.simplemachines.org/community/index.php?topic=555034.msg3934593#msg3934593 .  This is the website of the forum product used at mcschematics.com and even *they* use https, as demonstrated in the link.  It will show how to convert this forum, and perhaps the rest of this site, to HTTPS.  Since your site collects user information (with passwords and minecraft user names) you owe it to your users to run a secure site.

For anyone interested in the status of their own user credentials, google "Troy Hunt" (and no I'm not affiliated with him in any way) and once you're satisfied that he's one of the security good guys, navigate to his site:  https://haveibeenpwned.com and see if your accounts have already been compromised (it's a free service).  And if your accounts come back as compromised, don't panic but do log on to those accounts and change your passwords as soon as possible - except at this site.  Any change you make here will be broadcast out in the open.  And bad guys *are* listening.
« Last Edit: February 04, 2018, 12:03:35 PM by Censink »
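The two problems the opening post raises can be checked mechanically from the outside. The Python below is an added example, not code from this thread or from the forum software it discusses: it scans fetched page HTML for script tags that reference coinhive (the browser-mining service named later in this thread), and checks a URL together with its response headers for plaintext HTTP and a missing Strict-Transport-Security header. The sample HTML, the coinhive.example host, the placeholder site key, the inline miner call and the function names are all constructed for this example.

```python
"""Added example: static checks for a mining script and for plaintext HTTP."""
from html.parser import HTMLParser

# Substrings that mark a browser-mining include. "coinhive" is the service
# named in this thread; the check is a plain substring heuristic.
MINER_MARKERS = ("coinhive", "coin-hive")


class _ScriptCollector(HTMLParser):
    """Collect every <script src=...> URL and every inline <script> body."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def find_mining_scripts(html: str) -> list:
    """Return (kind, evidence) pairs for script tags that look like a miner."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.srcs:
        if any(m in src.lower() for m in MINER_MARKERS):
            findings.append(("external", src))
    for body in parser.inline:
        if any(m in body.lower() for m in MINER_MARKERS):
            # Report only the first non-blank line as evidence.
            findings.append(("inline", body.strip().splitlines()[0]))
    return findings


def check_transport(url: str, headers: dict) -> list:
    """Flag plaintext HTTP (unless redirected to https) and missing HSTS."""
    problems = []
    h = {k.lower(): v for k, v in headers.items()}
    if url.lower().startswith("http://"):
        if not h.get("location", "").lower().startswith("https://"):
            problems.append("plain-http")
    elif url.lower().startswith("https://"):
        # HSTS only matters on a TLS response; absence means browsers will
        # still accept a later plaintext visit to the same host.
        if "strict-transport-security" not in h:
            problems.append("no-hsts")
    return problems


# Constructed page: one legitimate script, one external miner include and
# one inline miner call in the style of the service's browser API.
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://coinhive.example/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('PLACEHOLDER_SITE_KEY');
  miner.start();
</script>
</head><body><p>Forum index</p></body></html>"""

CLEAN_HTML = "<html><head><script src='/js/app.js'></script></head></html>"

if __name__ == "__main__":
    for kind, evidence in find_mining_scripts(SAMPLE_HTML):
        print(f"miner ({kind}): {evidence}")
    print(check_transport("http://forum.example/index.php", {"Content-Type": "text/html"}))
    print(check_transport("https://forum.example/", {"Strict-Transport-Security": "max-age=31536000"}))
```

A substring match only catches un-obfuscated includes; the more reliable check is to diff the served page against a known-good copy of the forum's own templates, which is what makes the injected tag stand out regardless of what it is named.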


Offline Scaget

  • Staff
  • *
  • Posts: 1,034
  • Reputation: 3523
  • Gender: Male
  • I am never late, everyone else is just early.
    • The News
  • Minecraft Username: Scaget


And before any poorly-informed/inexperienced staff start crying 'welp', I invite them to spend 30 minutes googling what I've said.  After that, they can decide if they really don't care that this site is making their own user data available to anyone listening AND using their own computer to mine cryptocurrency while getting malware/spyware as an added bonus. To help start them on their journey, google "Why use https instead of http?".


Going to assume the "any poorly-informed/inexperienced staff" is referring to me since the people who own this website aren't on at all. 


Just to give you an FYI, I started out as a normal user such as yourself; once this place died and went up for sale there was really nothing going on. The place was bought and I was offered a position as the sole remaining mod in order to keep the spam to a minimum. After a while I asked for Admin perms so I could update the frontpage whenever a new schematic was sporadically posted. I am nothing short of a janitor, I don't know code or have any interest in doing research into a topic that I don't understand very well and very likely couldn't even do anything about.


If you want to say "What the creeper is this?" send it to the owners


BzUrQ - thebzerker@gmail.com (Website Owner)
Censink - Censink@live.nl (Website Dev)

These two are the ones who decide what is put on (ie that cryptocurrency mining creeper) and what kind of security the website has, I don't deal with any of that because I don't know or care to learn all the back end.

Why don't I care, you obviously ask? Because I don't get anything from bothering to come on here, I'm only here so that if some kid or parent comes to McSchematics, the recent topics aren't flooded with Russian porn and product bots.

P.S BzUrQ hasn't been on since 2015 and Censink (who I'm 90% sure is the one who added the coin thing on) hasn't been on since November.


Offline NotSecure

  • *
  • Posts: 2
  • Reputation: 0
  • Minecraft Username: nowayinhell
Going to assume the "any poorly-informed/inexperienced staff" is referring to me since the people who own this website aren't on at all. 
Someone relatively recently altered the site to mine "monero" cryptocurrency for them.  It aligns with the Dev's appearance on the site but if that wasn't either of them, then this site has even bigger problems.  Kinda makes me wonder if the currency mining is for the owner...or for the dev himself. 

Just to give you an FYI, I started out as a normal user such as yourself; once this place died and went up for sale there was really nothing going on. The place was bought and I was offered a position as the sole remaining mod in order to keep the spam to a minimum. After a while I asked for Admin perms so I could update the frontpage whenever a new schematic was sporadically posted. I am nothing short of a janitor, I don't know code or have any interest in doing research into a topic that I don't understand very well and very likely couldn't even do anything about.
It's great that you're volunteering to do this for the site, but you're one of the users currently being victimized by the site owner's abject irresponsibility.

Why don't I care, you obviously ask? Because I don't get anything from bothering to come on here, I'm only here so that if some kid or parent comes to McSchematics, the recent topics aren't flooded with Russian porn and product bots.
What you personally need to care about is that every time you visit this site, your user name and password are broadcast in clear text across the internet.  You should assume that your profile information (email addresses, etc.) is out there too, because when you update your profile at all, that information is broadcast too.  It's the same for every user of this site.  The *least* the owners could do is to not be so utterly careless with your personal data (and everyone else's too).  Good luck - because on this site, that's all you've got.  Over and out.

Offline mtov

  • *
  • Posts: 1
  • Reputation: 0
  • Gender: Female
  • Minecraft Username: yo
Yeah sure, worry about the SSL of a Minecraft forum, bro. It's not a banking website, and if you want to use only HTTPS why are you even here?

Offline Censink

  • Staff
  • *
  • Posts: 2
  • Reputation: 0
  • Gender: Male
    • Crewniverse
  • Minecraft Username: censink
Hey, I randomly decided to check on the site after (indeed) months of inactivity, and noticed this post in the recents.
You are right on both problems.

We do not use SSL and haven't in the past, we'll be looking to secure traffic in the near future if the site remains under Bz's ownership (believe it or not but we are getting some offers).

There is a coinhive mining script on the site. This was not done with our knowledge and consent and I'm investigating how it ended up in the code. Hopefully I can find out who is responsible for it too. I know how this comes across but I promise neither Bz nor I have any interest in Monero or mining in general. Mining on visitors' machines without notifying them is simply unacceptable and should not happen on any sort of site. Bz's and my neglect of the site should not result in these kinds of practices where visitors fall victim.
The script will be removed as soon as possible. Script has been removed.

Thanks a lot for bringing this to our attention.

Update:
After some light digging it appears the 'attacker' left very few traces and seems to have deleted the logs afterwards (yeah, this forum software allows you to do that for some stupid reason). Only Bz, me, Scaget and the previous website owner have rights to add something like that, and I have now stripped the latter of any and all admin rights. We'll monitor the site and take action if this happens again.
« Last Edit: January 30, 2018, 04:16:00 AM by Censink »

Offline DeLacy

  • *
  • Posts: 5
  • Reputation: 0
  • Gender: Male
  • Minecraft Username: Addan_Deith
Re: No site security
« Reply #5 on: February 06, 2018, 06:14:03 PM »
I did notice my laptop - which I do not run anti-malware on - was acting strange when browsing MCSchem, like actively getting hotter and using the hardware. On my desktop, MalwareBytes AntiMalware blocked IPs for outgoing connections, and my computer was not actively using hardware on MCSchem. This is when I hypothesized something malicious was trying to use my computer's hardware on MCSchem, the most obvious being crypto.
Disappointed to see my suspicions correct. MCSchem might want to... oh, I dunno, run with HTTPS?

Offline City Builder

  • *
  • Posts: 2,557
  • Reputation: 534
  • R.I.P Weston - Nov 25, 2005 - July 15, 2010
    • MineCraft Schematics
  • Minecraft Username: CityBuilder
Re: No site security - all user information, including passwords, are exposed.
« Reply #6 on: February 12, 2018, 07:30:10 PM »
Feel free to remove me as admin.  The only time that I act as admin is when I get an email telling me something (like tonight) that there are links to porn sites in messages here and that kids using the site should not be subject to such things.  To these messages I try my best to go and delete the posts asap, but I ignore the other messages like account deletions.  So removing me from admin will stop me from getting these admin messages and remove me as a suspect for injecting malicious code into the site.

By the way... We went through this when I owned the site, not the same problem but exploits in the forum software that allowed people to inject malicious code into either the code that runs the site or into data that is presented to the user and on our host they would regularly scan our site files and remove common code that had been injected.  For example people at one time used to be able to inject malicious code into the jpg image files so that when they were displayed, it would popup a malicious website etc.

Make sure that you update the forum software every time they find an exploit or release a patch, it will protect you (help you anyway) to avoid what exploit they found.

Edit: I see I've been put down to moderator, please just put me down to regular member again (or create new group of "ex-owners" with a fancy forum title bar, then when you sell the site you all can be "ex-owners" too with just regular members permissions LOL).

P.S And let me just say that I haven't a clue how the whole electronic currency thingy actually works (nor do I own any, or mine any, or look to get any).  The only thing I know about bitcoin was that they lost a quarter of their value which was reported on the local news stations, other than that I haven't a clue about the whole mining currency thing.

Hey, I randomly decided to check on the site after (indeed) months of inactivity, and noticed this post in the recents.
You are right on both problems.

We do not use SSL and haven't in the past, we'll be looking to secure traffic in the near future if the site remains under Bz's ownership (believe it or not but we are getting some offers).

There is a coinhive mining script on the site. This was not done with our knowledge and consent and I'm investigating how it ended up in the code. Hopefully I can find out who is responsible for it too. I know how this comes across but I promise neither Bz nor I have any interest in Monero or mining in general. Mining on visitors' machines without notifying them is simply unacceptable and should not happen on any sort of site. Bz's and my neglect of the site should not result in these kinds of practices where visitors fall victim.
The script will be removed as soon as possible. Script has been removed.

Thanks a lot for bringing this to our attention.

Update:
After some light digging it appears the 'attacker' left very few traces and seems to have deleted the logs afterwards (yeah, this forum software allows you to do that for some stupid reason). Only Bz, me, Scaget and the previous website owner have rights to add something like that, and I have now stripped the latter of any and all admin rights. We'll monitor the site and take action if this happens again.
« Last Edit: February 12, 2018, 07:48:57 PM by City Builder »
  • My Minecraft Server Address: 69.27.127.226:25565
Minecraft Schematics at: MCschematics.com
-A growing community of Minecraft players and (MCEdit) Schematics.  Now with over 225,000+ Members


I'm not a bird, I do not tweet!
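City Builder's account of injected code in site files and of the host periodically scanning those files amounts to file-integrity monitoring, which also covers the case Censink describes where the attacker deleted the forum's own logs. The Python below is an added example, not tooling from this forum or its host: it builds a SHA-256 manifest of a web root, then reports files added, removed or modified relative to a saved baseline. demo() stages a constructed web root in a temporary directory, records the baseline, simulates an appended script tag and a dropped file, and returns the diff. Every file name and file content in it is constructed, as is the coinhive.example host.

```python
"""Added example: baseline-and-diff integrity check for a web root."""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large uploads don't need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Return sorted lists of paths that were added, removed or changed."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Stage a constructed web root, tamper with it, and diff against the baseline."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed clean install: a front page and an image.
        _write(root, "index.php", b"<?php echo 'forum'; ?>\n")
        _write(root, "images/logo.jpg", b"\xff\xd8\xff\xe0 constructed jpeg bytes")
        baseline = build_manifest(root)

        # Simulated tampering: a miner include appended to the front page,
        # plus a new file dropped into the tree.
        with open(os.path.join(root, "index.php"), "ab") as f:
            f.write(b"<script src='https://coinhive.example/m.js'></script>\n")
        _write(root, "js/injected.js", b"// constructed dropped file\n")

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Build the manifest immediately after a clean install or a forum-software update and keep it somewhere the web server's account cannot write to; re-running the comparison on a schedule then catches an injected include even when the application's own logs have been cleared, as happened here.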
