MangaDex, the online repository of manga animation comics, will be closed until further notice following a hacking incident.
Last week, the site reported that a cyberattacker had gained access to an administrative account, “through the reuse of a session token found in an old database leak through faulty configuration of session management.”
After remediating the issue by clearing all sessions globally, the site’s builders took a look at the code that runs MangaDex, trying to patch any vulnerabilities they came across as they went along. However, while the code review was ongoing, the same adversary was then able to access one of MangaDex’s developer accounts, stealing the site’s version-three source code. The attacker’s likely motivation was to cause “maximum disruption” to the site, according to MangaDex.
“While the attacker gained access to information not typically visible from the context of a normal user, we have not been able to confirm a full host compromised, or an up-to-date database breach,” the site announced. “As a user, we will encourage that you would assume that your data has been breached, and take precautions immediately, such as changing the passwords of any accounts that might share the same password as your MangaDex account. As a generally good security practice, password managers are highly recommended to keep your online identity secure.”
Multiple Site Vulnerabilities
The attacker also taunted the site’s operators with knowledge of security bugs in the codebase, which is the main reason that MangaDex went offline, it said.
“The attacker had updated the git repository containing the source-code leak, claiming that we had successfully patched two out of three possible CVEs,” according to a website notice posted on Sunday. “Without any way to confirm the claims, we assumed the worst-case scenario and kept the site down to further investigate.”
Volunteer-run MangaDex plans to take the time it needs to complete a site re-write that will be based on version five of the source code. That could take as long as three weeks, it estimated.
MangaDex plans to expedite its return by going online once the basic functions of version five are ready: Namely, to allow readers to read and follow manga titles and to allow groups to upload “scanlations” of comics.
“Instead of keeping up a likely vulnerable website and wasting our time and efforts playing cat-and-mouse with constant attacks from [distributed denial of service] DDoS to hacking, we have decided to take this opportunity to refocus and expedite our planned rewrite of the site,” according to the notice. “Contrary to our original plans, however, we will be launching this v.5 as soon as the minimum essential features are ready.”
The site has in the meantime invited ethical hackers to help find the security vulnerabilities claimed by the attacker in the codebase, along with any other flaws.
Potential Bug-Bounty Program
While MangaDex is for now relying on volunteers to find and rectify security vulnerabilities – the site said these helpers have already identified “a good number” of bugs – a more formal program could be in the offing.
“We are still open to any suggestions or responsible disclosures of vulnerabilities found in the leaked v.3 source code,” according to the notice. “While we have found numerous at time of writing, and have moved to patch most of it, we appreciate all attempts at helping us to find more.”
Further, it said that once the new site is live, it may implement bounties for the finds.
“We sincerely intend to improve upon the security on existing and future infrastructure, and while some of our developers have experience in the security fields, we have decided that having some form of a bug-bounty program for v.5 will only prove to be beneficial to MangaDex,” according to the notice. “As means of backing that, we intend to consider payouts depending on the severity of reported bugs. More details to be released in the near future.”
Check out our free upcoming live webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community: