Popular manga reader MangaDex has decided to rebuild its website after suffering a major breach which compromised its source code and potentially a customer database.
The “scanlation” site enables fans of certain titles to read them in their own language for free. However, last Wednesday it discovered an unauthorized individual had managed to gain access to an administrator account, after stealing a session token by exploiting a web vulnerability.
The site was brought back online after the MangaDex team patched the vulnerabilities they found but was forced offline again after the attacker accessed the account of one of its developers.
In the meantime, possession of that key allowed the attacker to steal and subsequently post a link to the site’s source code on a git repository. In a game of cat-and-mouse, the attacker posted messages claiming the MangaDex team had fixed two out of three key CVEs.
Instead of playing the game, the admins have decided to keep the site offline while they build a new, more secure version.
“As of writing, we have invited numerous volunteers to assist our developers with identifying the last possible CVE claimed by the attacker in the codebase. Thanks to our volunteers, we have identified a good number of potential security flaws and moved to rectify them. However, at time of writing, we have still yet to identify the last possible CVE claimed by the attacker,” they said.
“With that knowledge in mind, we were confronted with a difficult decision. If we had assumed incorrectly that the web code is now secure, we could end up being compromised again by the attacker. As a result of that, in good conscience, we could not possibly re-open the website to users presently.”
Given the staff of the site consists mainly of volunteers, it could take some time before it is back online.
“As developing and maintaining MangaDex is nobody’s actual job, it is difficult to give an accurate estimate as to when we’ll be back up and running. It should go without saying that every one of us wants it to happen as soon as safely possible,” the note continued.
“That said, if everything goes as smoothly as we dare to hope, we could be looking at a downtime of just a week or two. Or three.”
In the meantime, MangaDex warned users that they should assume their data has been compromised.
“As a user, we will encourage that you would assume that your data has been breached, and take precautions immediately, such as changing the passwords of any accounts that might share the same password as your MangaDex account,” it said. “As a generally good security practice, password managers are highly recommended to keep your online identity secure.”
The “scanlation” site enables fans of certain titles to read them in their own language for free. However, last Wednesday it discovered an unauthorized individual had managed to gain access to an administrator account, after stealing a session token by exploiting a web vulnerability.
The site was brought back online after the MangaDex team patched the vulnerabilities they found but was forced offline again after the attacker accessed the account of one of its developers.
In the meantime, possession of that key allowed the attacker to steal and subsequently post a link to the site’s source code on a git repository. In a game of cat-and-mouse, the attacker posted messages claiming the MangaDex team had fixed two out of three key CVEs.
Instead of playing the game, the admins have decided to keep the site offline while they build a new, more secure version.
“As of writing, we have invited numerous volunteers to assist our developers with identifying the last possible CVE claimed by the attacker in the codebase. Thanks to our volunteers, we have identified a good number of potential security flaws and moved to rectify them. However, at time of writing, we have still yet to identify the last possible CVE claimed by the attacker,” they said.
“With that knowledge in mind, we were confronted with a difficult decision. If we had assumed incorrectly that the web code is now secure, we could end up being compromised again by the attacker. As a result of that, in good conscience, we could not possibly re-open the website to users presently.”
Given the staff of the site consists mainly of volunteers, it could take some time before it is back online.
“As developing and maintaining MangaDex is nobody’s actual job, it is difficult to give an accurate estimate as to when we’ll be back up and running. It should go without saying that every one of us wants it to happen as soon as safely possible,” the note continued.
“That said, if everything goes as smoothly as we dare to hope, we could be looking at a downtime of just a week or two. Or three.”
In the meantime, MangaDex warned users that they should assume their data has been compromised.
“As a user, we will encourage that you would assume that your data has been breached, and take precautions immediately, such as changing the passwords of any accounts that might share the same password as your MangaDex account,” it said. “As a generally good security practice, password managers are highly recommended to keep your online identity secure.”