DEV Community

Discussion on: Why is Social Rumbles (aka RumbleChat) down?

Brandon Lee • Edited

Howdy, I'm the person who """hacked""" Social Rumbles chat and ruined it for you all (sorry about that).

Let me preface this by saying I have no beef against Dheirya whatsoever. They're just an innocent Replit user who made a neat little site, and I happened to come across it at just the right time. In the past, I've been responsible for a few attacks like these, and most of them involve this same vulnerability. I didn't even need to write my own client script like the post mentioned; I simply hit F12 and accessed the site's premade socket through the console.

It's vulnerabilities like this which make for good learning experiences, and furthermore I don't think this was too much of an overreaction. Although I find it a bit weird that it takes two whole days to get the site back up and running again, it beats having the exploit leaked and having to deal with multiple attackers.

A solution to preventing people from accessing the socket directly from the console: use an IIFE. Any variables and things like that are blocked from the global scope, meaning you can't access them in the browser. Unfortunately, that does not cover writing an external client, though how you go about fixing that is up to you.

Was what I did right? No. Was what I did funny? At the time, yes. Will I keep doing this? Probably not, but still at my own expense if so. Definitely not to Social Rumbles, I think Dheirya has had enough of this.

P.S. I was not actually the one to send the impregnation message, that was a friend of mine.

Dheirya Tyagi • Edited

Lol yeah looking back it was kinda funny. My servers are kinda designed strangely so when I shut it all off, it takes some time to get them back running.

Honestly, I knew something was kinda up before the fake messages because I kept getting spam messages from fake usernames (anon12438911 or something), but I decided not to stop it because I thought you were just changing your username or something.

The only reason I shut down the whole server in all honesty was because A) I thought the admin got hacked, and B) I kind of got pissed by the impregnation messages lol.

In all honesty, I would've never realized the problem until your friend sent that message, because it used my username.

I feel like there are better ways you could've told me about this exploit, maybe send me a message or report it, but ehh, you can't change the past. (plus it was kinda funny)

About the fix, I had my dad (an experienced programmer since 2001) review my code, and he decided that I should temporarily remove the chatting section since there are a lot of potential vulnerabilities (especially with how the sockets are written), bigger and more dangerous vulnerabilities. Also, if I were to put it back, I would also make sure to verify in the socket backend that the username that was sent from the user was the same user. I'll also not hold plain usernames in the db but actual user objects, so you can't make fake usernames.

So yeah no beef with ya, honestly what you did was kinda funny. Just maybe next time just tell the site owner about the exploit before you use it?
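The fix described in the two comments above (the chat server checking that the username in a message matches the authenticated user, instead of trusting whatever the client's socket sends) as an added example. This is illustrative code, not Social Rumbles' own; it assumes a session table keyed by a handshake token stands in for the real login, and it also shows why the IIFE idea only hides the socket object: a message handler that takes identity from the server-side session is unaffected by how the client was built.

```javascript
// Constructed session table: in a real server this comes from the login system.
// The socket handshake is assumed to carry the user's session token.
const SESSIONS = new Map([
  ['tok-alice-123', { userId: 1, username: 'alice' }],
  ['tok-bob-456', { userId: 2, username: 'bob' }],
]);

// Resolve the socket to a server-side identity once, at connection time.
// Throws for unknown tokens so an unauthenticated socket never gets a handler.
function authenticateSocket(handshake) {
  const session = SESSIONS.get(handshake && handshake.token);
  if (!session) throw new Error('unauthenticated socket');
  return session;
}

// Validate one chat message. The username that is broadcast always comes from
// the session, never from the payload. A payload username that disagrees with
// the session is a spoof attempt and is rejected (and flagged for logging).
function handleChatMessage(session, payload) {
  if (typeof payload !== 'object' || payload === null) {
    return { ok: false, reason: 'malformed payload' };
  }
  const text = typeof payload.text === 'string' ? payload.text.trim() : '';
  if (text.length === 0 || text.length > 500) {
    return { ok: false, reason: 'empty or oversized text' };
  }
  if ('username' in payload && payload.username !== session.username) {
    return { ok: false, reason: 'username mismatch', spoofAttempt: true };
  }
  return {
    ok: true,
    message: { userId: session.userId, from: session.username, text },
  };
}

// Minimal driver so the file runs on its own: a spoofed message is refused,
// a message with no username field is attributed to the session owner.
const alice = authenticateSocket({ token: 'tok-alice-123' });
console.log(handleChatMessage(alice, { username: 'dheirya', text: 'fake' }));
console.log(handleChatMessage(alice, { text: 'hello everyone' }));
```

Storing the user object rather than a bare username, as the comment proposes, is the same idea one level down: the broadcast name is looked up from the authenticated record, so a client cannot pick it.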

Brandon Lee

Good idea.

Medea

lmao