Shing Chat Hack, Feb 18, 2023
Shing.tv was attacked on February 18, 2023, during Big Floppa's Shit Shoah with Gypsy Crusader as a guest.
The attacker was able to obtain channel moderator status by executing a standard HTTP request to add a moderator to a channel. The service wasn't correctly checking if the person making the request is the channel owner, and would allow pretty much anyone to make themselves a moderator. The attacker would then issue commands over Shing Chat's WebSocket as a chat moderator, which grants them permission to execute a variety of commands against the client.
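The flaw described above is a missing authorization check on a privilege-changing endpoint. The following is an added illustration, not Shing.tv's code, with a constructed in-memory channel store, constructed audit-log entries and made-up user names and documentation-range IP addresses. It shows the flawed handler beside the hardened one (requester identity taken from the server-side session and checked against the channel owner before any change), and a post-incident sweep of the kind used to find and revoke moderator grants that an owner never made.

```python
from dataclasses import dataclass, field


@dataclass
class Channel:
    owner: str
    moderators: set = field(default_factory=set)


class Forbidden(Exception):
    """Raised when the requester is not allowed to perform the action."""


def make_channels():
    # Constructed sample data, not real Shing.tv channels.
    return {
        "alpha": Channel(owner="alice"),
        "beta": Channel(owner="bob"),
    }


def add_moderator_vulnerable(request, channels):
    """Flawed handler: the request is authenticated (session_user is known) but the
    handler never checks that session_user owns the channel, so any logged-in
    user can make anyone, including themselves, a moderator of any channel."""
    chan = channels[request["channel"]]
    chan.moderators.add(request["target_user"])
    return sorted(chan.moderators)


def add_moderator_fixed(request, channels):
    """Hardened handler: identity comes from the server-side session, the channel
    is looked up server-side, and ownership is verified before any change."""
    requester = request["session_user"]
    chan = channels.get(request["channel"])
    if chan is None:
        raise KeyError(f"unknown channel {request['channel']!r}")
    if chan.owner != requester:
        # Reject before mutating state; the same check belongs on every
        # privilege-changing endpoint, not just this one.
        raise Forbidden(f"{requester} does not own channel {request['channel']!r}")
    chan.moderators.add(request["target_user"])
    return sorted(chan.moderators)


# Constructed audit-log entries of the shape a moderator-grant endpoint should
# record: who acted, from which address, on which channel, for whom.
AUDIT_LOG = [
    {"ts": "2023-02-18T20:01:05Z", "actor": "alice", "ip": "198.51.100.7", "channel": "alpha", "target": "carol"},
    {"ts": "2023-02-18T20:14:22Z", "actor": "mallory", "ip": "203.0.113.9", "channel": "alpha", "target": "mallory"},
    {"ts": "2023-02-18T20:14:23Z", "actor": "mallory", "ip": "203.0.113.9", "channel": "beta", "target": "mallory"},
    {"ts": "2023-02-18T20:30:00Z", "actor": "bob", "ip": "192.0.2.44", "channel": "beta", "target": "dave"},
]


def find_unauthorized_grants(log, channels):
    """Post-incident sweep: every grant whose actor did not own the channel is
    suspect; returns (channel, target, actor, ip) tuples in log order."""
    suspect = []
    for entry in log:
        chan = channels.get(entry["channel"])
        if chan is None or chan.owner != entry["actor"]:
            suspect.append((entry["channel"], entry["target"], entry["actor"], entry["ip"]))
    return suspect


def revoke(grants, channels):
    """Remove every suspect moderator found by find_unauthorized_grants and
    return the remaining moderator lists per channel."""
    for channel, target, _actor, _ip in grants:
        channels[channel].moderators.discard(target)
    return {name: sorted(c.moderators) for name, c in channels.items()}
```

The sweep only works if the grant endpoint records the acting user and source address in the first place; a handler that logs nothing leaves the cleanup to guesswork.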
At first, the attacker presented as a "penetration tester" who was only reporting the bug. The attacker then claimed to have "told a friend about the bug" who then executed the attacks. This is a lie. The ban and un-ban activity was coming from the same IP address, and there were at least two IP addresses used in the attack. Both addresses were running all attack logic.
No meaningful user data was compromised during the attack, but many channels had their "banned members" data corrupted by the attack banning literally everyone from every channel. System-level account bans remain in effect, but I did have to clear channel bans. We have removed the malicious user accounts as moderators from all channels, and we have also removed them as users of the system (banned).
I have addressed what was learned to be vulnerable, but that's never a guarantee that I found and fixed everything. There simply are times when it's a best practice (and safer for you) to throw the platform into maintenance mode. This was one of those times. No data can be accessed while in maintenance mode, which gives me the time to repair and audit the system in a controlled environment.