In the world of free software, such nice and curious things happen that it’s right to talk about it. A world where you get an email from a hacker, and it’s going to be good news.
Here’s what happened:
Parth Narula wrote to us from India in early September, asking for permission to do an analysis of our platform, which we gave. And he found two vulnerabilities that we could improve. In both cases, they are not security or performance issues that harm our users due to our actions, but they are points in our system that a malicious actor could misuse to perform attacks such as flooding their mailboxes with emails, or inviting a user to download malware.
Because in the quest to offer resilient and secure software, we also have to anticipate all the different paths that malicious actors could create to cause damage and seek compensation. In our domain, a bit of paranoid thinking is more than useful ;)
So Parth’s analysis and recommendations led us to quickly review and resolve three points of our CMS dashboard to prevent them from being vulnerable to malicious attack.
-
We improved the protection against “brute force”, which prevents a type of attack where millions of passwords are tried on us, but at the same time allowing users to make a normal use of the login, make a mistake when typing it and retry.
-
We improved protection against sending email confirmations and password unlocks, preventing a type of attack that is done by asking for this process many, many times and flooding the mailbox with unsolicited email.
-
We limit the incorporation of links in an unnecessary space on our sites, which would allow a malicious hyperlink mailing attack to unsuspecting people, potentially turning us into a phishing platform.
Specifically, the Sutty CMS panel is our most sensitive piece of security because it is our only dynamic part. This means, in plain English, that it generates content on the go, depending on databases and server-side procedures: complex processes that can be exploited if they are not well protected.
Its security requires additional measures such as access controls, input validation and continuous monitoring. This is why all the websites we make are, instead, “static” or “solid”, as interactive and beautiful as any other but with a technical solution that simplifies how they are generated on the server and drastically reduces vulnerabilities to the most common Internet attacks, such as automated infection with malware, advertising, webshellz and even, as they use fewer resources, increasing the cost of doing denial of service (DOS) attacks.
Other actions that constitute our approach to cyber security include having multiple servers up and running, being very obsessive about not requesting or storing personal information, and making encrypted, remote backups of everything. What we do in our infrastructure is public here: https://0xacab.org/sutty/ansible and here https://gitea.nulo.in/Sutty/-/packages.
In addition, all changes that Sutty users make to their sites are registered in a way that can be undone. This means that if someone gains access to the manager and makes improper changes, we can help you undo it. Improper access can occur either by simple issues such as leaving open the session on a shared computer or more complex, such as an attack that exploits a vulnerability in the platform or uses social engineering techniques (that is, it is not a technical issue but a deception for a person to give the access keys believing that he/she is leaving them to another trusted person).