
[Update Dec 29] Do not type your credentials into login pop ups

Dec 25, 2014 1:33 AM

Offline
Jan 2008
4217
This is terrible.
Dec 25, 2014 1:39 AM

Offline
Jun 2014
12856
Interesting. Hopefully the problem is resolved.
All credit goes to Sacred.
Dec 25, 2014 1:55 AM
Offline
Jul 2018
564612
Emnay said:
ssj is back
who?

WHAT THE **** JUST HAPPEN?
removed-user Dec 25, 2014 2:01 AM
Dec 25, 2014 3:32 AM

Offline
Jun 2013
1771
ReaperCreeper said:
Well I'm staying off the forums until this is resolved. I don't need to see gore images any time soon.

Wrong answer

I suggest installing adblock and Greasemonkey in your browser
Dec 25, 2014 4:50 AM

Offline
Oct 2014
989
ThisNameSucks said:
your credentials into login pop ups


I lol'd
Dec 25, 2014 6:31 AM

Offline
Jul 2012
397
Hidayat246 said:
ReaperCreeper said:
Well I'm staying off the forums until this is resolved. I don't need to see gore images any time soon.

Wrong answer

I suggest installing adblock and Greasemonkey in your browser

I still don't get why people still don't install adblock as soon as they get a browser.
Few minutes and you are 90% safe from most scams.

Still didn't know about Greasemonkey, hmmm for Mozilla.

I painted my teary face with a disguised smile and pretended it was a cry out of joy.

Dec 25, 2014 7:04 AM
Dec 25, 2014 7:05 AM

Offline
Oct 2012
700
In a club a similar pop-up appeared, I just ignore them but some people don't... I hope they're able to fix this soon.
I'm learning English so maybe I make mistakes :)
Dec 25, 2014 8:45 AM
Offline
Feb 2013
760
He strikes again...
Dec 25, 2014 8:50 AM

Offline
Jan 2008
18116
Saw some pics yesterday. Was quite surprised since didn't he attack the site a few months ago? That's twice in a year? That's new, it's usually just once a year.
Dec 25, 2014 9:12 AM

Offline
Feb 2013
6827
Paul said:
Saw some pics yesterday. Was quite surprised since didn't he attack the site a few months ago? That's twice in a year? That's new, it's usually just once a year.
'Tis the season.
Dec 25, 2014 9:22 AM

Offline
Mar 2009
12423
Let's hope they don't steal another admin account and change anime info, though I doubt any admins or mods would fall for it.

Lulu ❤ | My MALoween Candy
Dec 25, 2014 9:27 AM
Offline
Oct 2013
2207
One of the best things to do is to install the "AdBlock" plugin for your browser. Blocks most of the popups and scripts on the user's end.

Ssj is a different matter though.
Dec 25, 2014 9:42 AM

Offline
Mar 2013
5831
grave_robber said:
Let's hope they don't steal another admin account and change anime info, though I doubt any admins or mods would fall for it.

An admin's account has never been hijacked since I've been on this website. When the anime database information has been massively changed, Jackson_H's (anime DB mod) account got compromised. At that time, the user supposedly got phished. This is pretty much alike, just being internal. Take extra caution. :)
Dec 25, 2014 9:50 AM

Offline
Mar 2014
21290
SSJ strikes again
Nico- said:
@Comic_Sans oh no y arnt ppl dieing i need more ppl dieing rly gud plot avansement jus liek tokyo ghoul if erbudy dies amirite
Conversations with people pinging/quoting me to argue about some old post I wrote years ago will not be entertained
Dec 25, 2014 10:11 AM

Offline
Feb 2010
2298
Thanks for the warning.
Dec 25, 2014 10:11 AM

Offline
Apr 2013
11408
Emnay said:
ssj is back
ALL HAIL

What a wonderful Christmas Present
Dec 25, 2014 10:25 AM
Offline
Aug 2013
1136
Hope this gets figured out
Dec 25, 2014 10:45 AM

Offline
Mar 2009
12423
Subpyro said:
grave_robber said:
Let's hope they don't steal another admin account and change anime info, though I doubt any admins or mods would fall for it.

An admin's account has never been hijacked since I've been on this website. When the anime database information has been massively changed, Jackson_H's (anime DB mod) account got compromised. At that time, the user supposedly got phished. This is pretty much alike, just being internal. Take extra caution. :)

phishing can include stealing someone's account(by stealing their credentials). I should have picked my words carefully, I didn't mean site admin, I meant DB users with admin-like powers so they can do CRUD operations (create, read, update & delete) on the records. A DB mod would have such a DB user account.

Anyhoo, I hope MAL staff will get things sorted out with the least amount of discomfort for all, especially them. It's really annoying to have to deal with this during the holidays.

Good luck and thank you for all your hard work MAL staff!

Lulu ❤ | My MALoween Candy
Dec 25, 2014 1:24 PM

Offline
Mar 2013
5831
Phishing is not a possibility of hijacking someone's account, but is in fact an action of hijacking someone's account through the means of posing a fake lure. When I've said no admin's account got compromised, I meant all the admins, DB and Site alike. As said, it was the moderator that has been attacked, and they do have the access power to change database entry information.
Dec 25, 2014 1:35 PM
Offline
Dec 2014
1
Firstly, I'm sorry for chatting in this thread.
I'm new here, so I wasn't aware this site had such problems recurring.
I guess I will be extra careful around here.
For that matter, I received 3 Activation-Mails, but with the same (unclickable) link, you might want to check that.
Merry Christmas :)
Dec 25, 2014 2:08 PM

Offline
Jan 2014
39
Thanks for this.
Dec 25, 2014 2:52 PM

Offline
Aug 2014
159
Happy Holidays & Thanks for the warning
Dec 25, 2014 3:14 PM

Offline
Sep 2014
1003
Thank you for the info!
Dec 25, 2014 11:14 PM

Offline
Dec 2013
1589
You basically don't have to worry about anything if you have even a basic ad blocking plugin in your browser.
Step Into My Mind - ##&&##&&##&&
Dec 26, 2014 1:28 AM

Offline
Mar 2013
5831
Cakedog said:
You basically don't have to worry about anything if you have even a basic ad blocking plugin in your browser.

The malicious script appears to be blocked when using any blocker, yes. Still, even if you're using it, don't act too fast if you see any pop-ups whatsoever. That is for the example shared in the OP. Everything else can reach you even if you are using script blockers, but for that read earlier replies on the thread.
Dec 26, 2014 2:30 AM

Offline
Mar 2014
4596
I've never had this problem, but sometimes when I go on MAL it logs me out.
Dec 26, 2014 8:40 AM

Offline
Jan 2009
14190
Subpyro said:
Still, even if you're using it, don't act too fast if you see any pop-ups whatsoever.

Those Examples mentioned in the OP differ extremely, though. One has to be really stupid inattentive to not notice the Difference between the two Pop-ups. I mean, the squared instead of round Window, the "Authentication required" Title, the missing "Register" Button and the strange URL should raise red Flags to anyone.

To be honest, even after having read this News, I haven't paid too much Attention to the actual Login-URL. In most Cases, I open MAL with a Bookmark to the main page, else over Google or another Search Engine, but when I open it from there, I normally don't log-in anyway.
I've got Firefox-based browsers, which I'm primarily using, set up to always display the full URL like this:
and the important Part (myanimelist.net) stays highlighted, so I can easily see when I'm on the wrong Page.
I think it was the Value browser.urlbar.trimURLs which should be toggled to "false" in the about:config.

Since I've blocked Third-Party Scripts and all kind of Ads anyway, normally, there shouldn't be any Issues for me when clicking on the Login Button at the Top of the Main Page unless the Site itself would be compromised. But considering the Fact that MAL doesn't use a secured TLS Connection with "https:", it would be probably much easier to start a Man-in-the-middle-Attack than to compromise the Site itself. Or the bad People just outsource even that and simply use a Third Party Script like they're already doing, so as long as it stays like that, it's very easy to protect oneself, but when the Main Page Scripts are compromised and/or the unsecured connection is intercepted, you're screwed, anyway.

As for the mentioned List, I've added all Entries to my Blocklist, although I have seen legit, non-disturbing Images from imageban.ru and I can't really make Sense of Blocking the Kid Buu Image, unless the Entry was added to make ignoring certain People more easily.
With that Setup, I haven't seen any disturbing Images at all, so you can't count on me to report anything in that Regard, when I don't see anything.

To sum it up, as long as the Perpetrator(s) doesn't/don't put more Effort, it's easy to protect oneself against the disturbing Images and the Phishing.
Dec 26, 2014 9:12 AM

Offline
Mar 2009
12423
Subpyro said:
As said, it was the moderator that has been attacked, and they do have the access power to change database entry information.

Poor moderator, hacking a site like MAL is such an evil thing to do. >_>


ziggy_Z said:
I've never had this problem, but sometimes when I go on MAL it logs me out.

It happens to me quite often (ever since I signed up in 2009), I simply re-login.

Lulu ❤ | My MALoween Candy
Dec 26, 2014 9:24 AM

Offline
Mar 2013
5831
Noboru said:
Since I've blocked Third-Party Scripts and all kind of Ads anyway, normally, there shouldn't be any Issues for me when clicking on the Login Button at the Top of the Main Page unless the Site itself would be compromised. But considering the Fact that MAL doesn't use a secured TLS Connection with "https:", it would be probably much easier to start a Man-in-the-middle-Attack than to compromise the Site itself. Or the bad People just outsource even that and simply use a Third Party Script like they're already doing, so as long as it stays like that, it's very easy to protect oneself, but when the Main Page Scripts are compromised and/or the unsecured connection is intercepted, you're screwed, anyway.

I wonder if the HTTPS would as the ending result truly benefit the website more than it hurts it. Indeed, wiretapping and man-in-the-middle attacks can be performed on user-community websites such as Mal and having a secure protocol set would be a wise move, but that is if the servers could handle it. Encrypting and decrypting data takes its toll overall, and with bandwidth issues Mal is constantly experiencing (I'm sure you've experienced the lag yourself before), the weight put-on would be just too much.

At the end of the day, there are so many bugs on Mal and such server issues that two things would simply need to be done in order to increase the functionality drastically: Re-write the code from scratch (it's not as horrible as it sounds), as well as perform a move to better servers if the processing wouldn't improve by the change in the code alone.
Dec 26, 2014 10:24 AM

Offline
Jan 2009
14190
Subpyro said:
I wonder if the HTTPS would as the ending result truly benefit the website more than it hurts it.

That is one of the Questions where you should be glad that they don't have to do it right now, meaning, there would be known Cases en masse about it, however, the Point still stands.

I agree with you that there needs to be done much Effort in the technical Background, but on the other Hand, I can somehow understand if it's still only one Person doing the Coding and new/better Server (Upgrade)s don't fall from the Sky and run with Air and Love alone and it's already kind of sad imho when you have to block Ads/Scripts just to stay safe while still having the Comfort of using Windows.
Dec 26, 2014 10:30 AM

Offline
Jan 2012
31481
I just got this A username and password are being requested by http://www.alletscheisse.de. The site says: "myanimelist.net login required"

when I entered to this guy profile http://myanimelist.net/profile/Xiniil

Dec 26, 2014 10:36 AM

Offline
Feb 2010
2171
AllenVonStein said:
I just got this A username and password are being requested by http://www.alletscheisse.de. The site says: "myanimelist.net login required"

when I entered to this guy profile http://myanimelist.net/profile/Xiniil
Same, that guy posted a picture on a club that I handle and got the pop-up. Immediately deleted his post and voila, no more pop-ups.
"Your taste is shit cause you like what I hate. Believe me I have 1000 cartoons that I rated with less than 5."


Dec 26, 2014 10:37 AM

Offline
Jan 2012
31481
Cashdax said:
AllenVonStein said:
I just got this A username and password are being requested by http://www.alletscheisse.de. The site says: "myanimelist.net login required"

when I entered to this guy profile http://myanimelist.net/profile/Xiniil
Same, that guy posted a picture on a club that I handle and got the pop-up. Immediately deleted his post and voila, no more pop-ups.


Who the fuck is him? mods please ban this guy

Dec 26, 2014 10:38 AM

Offline
Mar 2009
12423
Subpyro said:

At the end of the day, there are so many bugs on Mal and such server issues that two things would simply need to be done in order to increase the functionality drastically: Re-write the code from scratch (it's not as horrible as it sounds), as well as perform a move to better servers if the processing wouldn't improve by the change in the code alone.


Revamping the site is not as horrible as it sounds indeed, if it were ever to happen I'd recommend doing it with angularJS+bootstrap, make it a SPA (single page app) with REST web APIs/services on the server. It'll work nicely, be secure, provide a rich user experience and it'll look great too. <3

Server issues are not my area of expertise but load balancing issues (I assume they're using a server farm not a single server) can be fixed by changing the software and/or hosting process. Unless the servers are old and need to be replaced.

Lulu ❤ | My MALoween Candy
Dec 26, 2014 11:11 AM

Offline
Mar 2013
234
why the fuck would people hack fucking mal accounts hack something worth ur time
Full time redditor and fedora owner, gg
Dec 26, 2014 2:14 PM

Offline
Sep 2013
3323
AllenVonStein said:
Cashdax said:
Same, that guy posted a picture on a club that I handle and got the pop-up. Immediately deleted his post and voila, no more pop-ups.


Who the fuck is him? mods please ban this guy


There are various people who are doing this, not just Xinii. Examples: Jupkmn (Who I can accurately say started this whole fiasco) and YuroNoMajo were neutralized the day of this thread. If none of you are aware yet, and probably can assume as much, the pictures that are randomly being posted in your clubs are in fact causing the pop-up and these people should be brought to a moderator's attention. All you can do to extensively defend yourselves and others is to delete the picture, remove the user from the club, ban the user, and bring it to a moderator's attention, and just go from there.

Commenting w/ Subpyro in a club earlier today, the hacker could be stockpiling accounts for a big ol' attack and pull a Summer Wars on us. And Yes, I included this just so I could reference Summer Wars. :p
Robokiller87 Dec 26, 2014 2:20 PM
Dec 26, 2014 2:32 PM

Offline
Mar 2013
5831
Robokiller87 said:
Commenting w/ Subpyro in a club earlier today, the hacker could be stockpiling accounts for a big ol' attack and pull a Summer Wars on us. And Yes, I included this just so I could reference Summer Wars. :p

More like Winter Wars at this time of the year. :p

But yes, do take the advice Robo above has given. Specific users are being "infected" and the number only grows. We could choose not to follow who and simply look at the big picture until the entire matter is taken care of, but pinpointing fresh changes is also an option. I recommend the latter while taking uttermost caution.
Dec 27, 2014 9:47 AM

Offline
Sep 2010
6759
SSJ is back! I seriously think he is an MAL user cause I mean why else would he attack yearly?
"What has two arms, two legs, and is alive? Not your favorite character lol! xD"
Dec 27, 2014 10:33 AM

Offline
Jan 2012
31481
Roloko said:
SSJ is back! I seriously think he is an MAL user cause I mean why else would he attack yearly?

What's Your Evidence?

Dec 27, 2014 10:41 AM

Offline
Mar 2009
12423
Roloko said:
SSJ is back! I seriously think he is an MAL user cause I mean why else would he attack yearly?

Because he's an a**

Lulu ❤ | My MALoween Candy
Dec 27, 2014 2:31 PM

Offline
Apr 2013
104
Thanks for the info :D
Dec 27, 2014 7:20 PM

Offline
Apr 2009
69
This is why you always use adblock.
Dec 28, 2014 1:56 AM
Ceasefire NOW

Offline
Aug 2009
3699
Thanks for the warning.
Dec 28, 2014 2:34 AM

Offline
Jun 2013
1171
Thank you very much for your helpful information. Now I know what domains and images I should block.
Dec 28, 2014 7:05 AM

Offline
Nov 2009
186
I had posted the following suggestion as a countermeasure against basic access authentication injection over a year ago but it was ignored. I'll post it again, betting on the slim chance that someone reads it this time.

http://myanimelist.net/forum/?topicid=671199&show=140#msg25775993

basmimarsinan said:
As mentioned a few times before, the solution to the basic access authentication injection would be making sure the URL given to the img tag is a real image. However, doing this every time for every img tag with PHP isn't viable for a site of huge size like this, since you have to download the image or a part of it.

I was thinking that maybe you could make clients do the pre-check rather than handling it server-side. For instance, all img tags could be parsed with a loading image as a place holder and once the page loads, a JavaScript function could first make sure that the image is valid and then embed the image. In my tests with Chrome and Safari, if you provide a username and password for the AJAX call, browser doesn't trigger the basic access authentication pop-up.

Here's an example code I have been testing things with:

https://gist.github.com/silentguardian/7005884

I'm no expert when it comes to client-side scripting, so I'm sure if this will be a huge burden to the browser. Maybe images could be embedded as the image comes in sight of the user and this may even speed up the page loads or images that can't be loaded maybe marked as broken and removed in fail method. If the behavior is the same in other browsers too, it might be something to consider.
And slowly, you come to realize... It's all as it should be...
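
The check the post above proposes ("making sure the URL given to the img tag is a real image"), as an added example that is not part of the thread or the linked gist: a function that looks at the response a fetcher received for a user-supplied image URL and refuses to embed it when it carries a Basic-auth challenge or is not actually an image. Function names and the sample responses are assumptions constructed for illustration.

```javascript
// Added example (not from the thread). Names are hypothetical; the sample
// responses below are constructed, not captured traffic.
const MAGIC = [
  { type: "image/png",  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: "image/jpeg", bytes: [0xff, 0xd8, 0xff] },
  { type: "image/gif",  bytes: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
];

// Identify the image format from the first bytes of the body, or null.
function sniffImageType(prefix) {
  for (const { type, bytes } of MAGIC) {
    if (prefix.length >= bytes.length && bytes.every((b, i) => prefix[i] === b)) {
      return type;
    }
  }
  return null;
}

// HTTP header names are case-insensitive; normalise before lookup.
function lowerCaseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  return out;
}

// resp: { status, headers, bodyPrefix } as seen by the fetcher.
function checkImageResponse(resp) {
  const h = lowerCaseHeaders(resp.headers || {});
  // A 401 with a WWW-Authenticate challenge is what produces the login
  // prompt for an <img> request; reject on either signal.
  if (resp.status === 401 || "www-authenticate" in h) {
    return { embed: false, reason: "auth-challenge" };
  }
  if (resp.status !== 200) return { embed: false, reason: "bad-status" };
  const declared = (h["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (!declared.startsWith("image/")) return { embed: false, reason: "not-image" };
  const sniffed = sniffImageType(resp.bodyPrefix || []);
  if (sniffed === null) return { embed: false, reason: "bad-magic" };
  if (sniffed !== declared) return { embed: false, reason: "type-mismatch" };
  return { embed: true, reason: "ok", type: sniffed };
}

// Constructed samples: a real PNG, a credential prompt posing as an image,
// and an HTML page served with an image content type.
const SAMPLES = {
  png: { status: 200, headers: { "Content-Type": "image/png" },
         bodyPrefix: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0] },
  prompt: { status: 401,
            headers: { "WWW-Authenticate": 'Basic realm="myanimelist.net login required"' },
            bodyPrefix: [] },
  html: { status: 200, headers: { "content-type": "image/jpeg; charset=binary" },
          bodyPrefix: Array.from("<html>").map((c) => c.charCodeAt(0)) },
};

for (const [name, resp] of Object.entries(SAMPLES)) {
  console.log(name, checkImageResponse(resp));
}
```

A check done once at post time does not bind the remote host, which can answer differently on a later request, so the verified bytes should be served from the site's own origin rather than hotlinked.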
Dec 29, 2014 12:18 AM

Offline
Jan 2009
92511
basmimarsinan said:
I had posted the following suggestion as a countermeasure against basic access authentication injection over a year ago but it was ignored. I'll post it again, betting on the slim chance that someone reads it this time.

http://myanimelist.net/forum/?topicid=671199&show=140#msg25775993

basmimarsinan said:
As mentioned a few times before, the solution to the basic access authentication injection would be making sure the URL given to the img tag is a real image. However, doing this every time for every img tag with PHP isn't viable for a site of huge size like this, since you have to download the image or a part of it.

I was thinking that maybe you could make clients do the pre-check rather than handling it server-side. For instance, all img tags could be parsed with a loading image as a place holder and once the page loads, a JavaScript function could first make sure that the image is valid and then embed the image. In my tests with Chrome and Safari, if you provide a username and password for the AJAX call, browser doesn't trigger the basic access authentication pop-up.

Here's an example code I have been testing things with:

https://gist.github.com/silentguardian/7005884

I'm no expert when it comes to client-side scripting, so I'm sure if this will be a huge burden to the browser. Maybe images could be embedded as the image comes in sight of the user and this may even speed up the page loads or images that can't be loaded maybe marked as broken and removed in fail method. If the behavior is the same in other browsers too, it might be something to consider.


There are lots of programming/coding suggestions that were made in the past too but MAL staff keeps ignoring it, I say do not count on it, the staff like Xinil rather work on adding more advertisement banners (MAL on mobile has too much ads now) than solving the problems of the website
Dec 29, 2014 3:15 PM

Offline
Aug 2008
352
thnx
Dec 29, 2014 4:40 PM

Offline
Dec 2014
114
Thank you for the warning and the hard work to solve this. Hacking and gore images, just why... :(
Dec 30, 2014 1:11 AM

Offline
Jan 2012
16
Azphix said:
This is why you always use adblock.
Indeed


-Positive and negative energy coexist to exist-