Mangadex Has Been Hacked, Users Should Assume Data Has Been Breached


Karlston


 

MangaDex, a scanlation platform with tens of millions of monthly visitors, has announced it will be offline until further notice. According to its operators, a "malicious actor" gained access to administrator and developer accounts last weekend and emailed some users with a warning. Regular users are being advised to assume that their data may have been compromised.

 

With the rise in popularity of manga comics and magazines in the West, sites like MangaDex are proving irresistible to millions of fans.

 

This so-called ‘scanlation’ platform – a portmanteau of ‘scan’ and ‘translation’ – offers manga titles in languages other than their original titles. These transformed publications are then offered to a new audience but one that doesn’t have to pay for the privilege.

 

A year ago, MangaDex was pulling in an estimated 30 million visits per month but according to SimilarWeb stats, that figure has reached more than 75 million. However, due to exceptional circumstances, those visitors – at least for the foreseeable future – will have to obtain their content from elsewhere.

MangaDex Says it Was ‘Hacked’ Last Week

In an announcement Sunday, MangaDex revealed that in addition to mitigating DDoS attacks, last week it was subjected to a much more serious security threat.

 

On March 17, MangaDex’s operators said that they discovered that a “malicious actor” had gained access to an administrator account by reusing a session token found in an old database leak. However, while it was possible to identify and patch the vulnerable piece of code, a further review of the site revealed additional problems.

 

“After the breach, we started spending many hours reviewing the code for possible further vulnerabilities, and started to patch what we could find to the best of our capabilities,” the MangaDex statement reads.

 

“This ran parallel to us opening the site after the breach, as we had incorrectly assumed that the attacker would not be able to gain further access. However, as a precaution, we had started rolling out monitoring of our infrastructure and had remained vigilant in the event the attacker returned.”

MangaDex Returns – But Not For Long

According to the site’s operators, early on Saturday the attacker gained access to a developer account belonging to an individual who had been offline for four days. The site was immediately shut down (less than a minute) so that further investigations could be carried out. Within minutes, however, a reported 10 users of MangaDex received an email from the attacker.

 

“MangaDex has a DB leak,” it read. “I suggest you tell their staff about it.”

 

MangaDex says that there was a ransom request for “10k BTC [sic] or everything goes public” but there’s still no evidence that a database breach occurred. However, “for best security practices, we will assume it has happened,” they warn. [See update below]

 

Just short of two hours after the developer account was accessed, the attacker reportedly updated a git repository containing a source code leak, noting that MangaDex had patched two out of three CVEs (Common Vulnerabilities and Exposures). Nevertheless, MangaDex’s operators “assumed the worst-case scenario” and decided to keep the site down for further investigations.

Ongoing Work to Secure The Site

“As of writing, we have invited numerous volunteers to assist our developers with identifying the last possible CVE claimed by the attacker in the codebase,” MangaDex continues.

 

“Thanks to our volunteers, we have identified a good number of potential security flaws and moved to rectify them. However, at time of writing, we have still yet to identify the last possible CVE claimed by the attacker.

 

“With that knowledge in mind, we were confronted with a difficult decision. If we had assumed incorrectly that the web code is now secure, we could end up being compromised again by the attacker. As a result of that, in good conscience, we could not possibly re-open the website to users presently.”

 

The MangaDex operators say that having considered several options for reopening, they have decided the platform will remain closed until v5 of the site (a total platform rewrite) is working up to a base level, one that at a minimum will allow users to read, follow and upload content.

Security of Users

MangaDex appears to be handling the hacking incident with professionalism, including full disclosure and by not playing down the potential severity of any breach. At this stage, they know that the attacker has gained access to information not seen by regular users but there is still no evidence of a full-host or recent database breach. That being said, the advice is for users to consider their information compromised.

 

“As a user, we will encourage that you would assume that your data has been breached, and take precautions immediately, such as changing the passwords of any accounts that might share the same password as your MangaDex account. As a generally good security practice, password managers are highly recommended to keep your online identity secure,” the operators conclude.

 

When the site will return is still unclear, with estimates ranging from one to two or even three weeks. In the meantime, the site is advising people to obtain updates from Twitter.

 

Update: An earlier version of this article indicated that no ransom had been demanded by the attacker. MangaDex informs TorrentFreak that “10K BTC” was requested which the team believes relates to “10k USD in Bitcoin rather than 600M USD in Bitcoin.”


MangaDex manga site temporarily shut down after cyberattack


Manga scanlation giant MangaDex has been temporarily shut down after suffering a cyberattack and having its source code stolen.

 

MangaDex is one of the largest manga scanlation (scanned translations) sites where visitors can read manga comics online for free. According to SimilarWeb, MangaDex is the 179th most frequently visited site on the web, with over 76 million visitors per month.

 

After suffering a series of outages since March 17th, MangaDex revealed yesterday that a threat actor had gained access to an admin and developer account, as well as the source code to the site.

 

According to an announcement now showing on Mangadex.org, a threat actor gained access to the site after stealing an admin user's session token through a website vulnerability.

"Three days ago (2021-03-17), we correctly identified and reported that a malicious actor had managed to gain access to an admin account through the reuse of a session token found in an old database leak through faulty configuration of session management."

"Following that event, we moved to identify the vulnerable section of code and worked to patch it up, also clearing session data globally to thwart further attempts at exploitation through the same method," MangaDex disclosed on their website.

 

Using this token, the hacker was able to gain full access to the website and download the site's source code. The attacker then published the site's source code on GitHub using the alias 'holo-gfx.'

 

While the site audited their code and fixed vulnerabilities, the attacker would taunt the site's developers with comments when a vulnerability was fixed.

 

Threat actor taunting the MangaDex devs

 

When asked what type of vulnerabilities were fixed, the threat actor stated the first was a "File type confusion" bug, and the second they were keeping secret.

 

After MangaDex learned that the threat actor still had access to their environment, they announced that they were temporarily shutting down the site while they worked on and launched a more secure 'v5' version of the site.

 

"Due to a recent hacking incident, MangaDex will be down until further notice.

Instead of keeping up a likely vulnerable website and wasting our time and efforts playing cat-and-mouse with constant attacks from DDoS to hacking, we have decided to take this opportunity to refocus and expedite our planned rewrite of the site, called v5. Contrary to our original plans, however, we will be launching this v5 as soon as the minimum essential features are ready.

As developing and maintaining MangaDex is nobody's actual job, it is difficult to give an accurate estimate as to when we'll be back up and running. It should go without saying that every one of us wants it to happen as soon as safely possible.

That said, if everything goes as smoothly as we dare to hope, we could be looking at a downtime of just a week or two. Or three." - MangaDex.

 

However, the threat actor remains undaunted, stating that there are further RCE vulnerabilities and web shells in place that MangaDex's code rewrite would protect against. Whether this is true is unknown.

 

Holo-Gfx warning of RCE vulnerabilities and web shells

 

The threat actor also states that they have dumped the MangaDex database but have not published it anywhere.

 

Due to the largely unfettered access the threat actor appeared to have on the site, MangaDex stated that all users should assume that their data has been exposed.

"Moving forward however, it is in both our users’ interest and ourselves that we will consider the database breached," MangaDex warned.

 

With this in mind, it is advised that all users change their passwords at any other site using the same passwords as MangaDex.

 

If the database is eventually published, users should be on the lookout for phishing scams conducted by the other threat actors.

 

 

Source: MangaDex manga site temporarily shut down after cyberattack
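The root cause described in both articles above is a session token that stayed usable after it had been copied out of an old database dump, fixed by patching the session handling and "clearing session data globally". The following is an added illustration, not MangaDex's code, of the two server-side controls that defeat that replay: persisting only a hash of the token with an absolute expiry, and a global revocation epoch so every outstanding session can be killed at once. The `SessionStore` class, the `epoch` field and the timestamps are assumptions of this example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def _fingerprint(token: str) -> str:
    # Only the hash is persisted: a copy of the sessions table (e.g. in an
    # old database leak) does not hand out tokens that can be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Session:
    user: str
    epoch: int          # revocation generation the session was minted under
    expires_at: float   # absolute expiry, independent of client activity


class SessionStore:
    """Server-side session store with absolute expiry and global revocation."""

    def __init__(self, ttl_seconds: float = 3600.0) -> None:
        self.ttl = ttl_seconds
        self.epoch = 0                          # bumped by clear_all()
        self._sessions: Dict[str, Session] = {}  # fingerprint -> Session

    def create(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)       # 256 bits of CSPRNG entropy
        self._sessions[_fingerprint(token)] = Session(user, self.epoch, now + self.ttl)
        return token                            # sent to the client once, never stored

    def validate(self, token: str, now: float) -> Optional[str]:
        s = self._sessions.get(_fingerprint(token))
        # Reject unknown tokens, tokens from a revoked epoch (including rows
        # re-imported from an old backup) and tokens past their absolute expiry.
        if s is None or s.epoch != self.epoch or now >= s.expires_at:
            return None
        return s.user

    def clear_all(self) -> None:
        # "Clear session data globally": every session minted so far dies.
        self.epoch += 1
        self._sessions.clear()


def demo() -> tuple:
    store = SessionStore(ttl_seconds=3600)
    t0 = 1_600_000_000.0                         # constructed clock value
    admin_token = store.create("admin", now=t0)
    valid_before = store.validate(admin_token, now=t0 + 60) == "admin"
    # Constructed replay: the same token value surfaces months later -> expired.
    replay_rejected = store.validate(admin_token, now=t0 + 90 * 86400) is None
    dev_token = store.create("dev", now=t0)      # still unexpired...
    store.clear_all()                            # ...until operators clear everything
    cleared_rejected = store.validate(dev_token, now=t0 + 10) is None
    return valid_before, replay_rejected, cleared_rejected
```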