lsmll's blog

By lsmll, history, 6 years ago, In English

Hello, Codeforces.

Today, my friend and teammate jiangshibiao was going to register for the round, but discovered that his Codeforces account was hacked and the avatar as well as the password has been changed. The email could be changed too, but he is unsure right now. I looked at the avatar and immediately noticed it was the same as [user:[user:im0qianqian],2018-08-27]'s avatar, who made a blog post about his account being hacked too.

I think probably the same hacker did it, and there may be more victims. So I would like to invite MikeMirzayanov to look into the issue and possibly help my friend get his account back. Also, I would advise users who have weak passwords to change the password immediately.

Also, jiangshibiao and me are onsite at Petrozavodsk Camp right now, so maybe someone can meet him in person if needed to verify his identify.

UPD Aug. 29:

The hacker sent me a message in Chinese with the account of im0qianqian claiming that he changed the password and the email back. Then im0qianqian sent me another message saying that he got his account back and the previous message wasn't sent by him. Unfortunately, my friend jiangshibiao tried the original password but it still does not work, and he forgot what email address was used when registering his account. Therefore he is still locked out of his account. Any help from Codeforces administration is still greatly appreciated.

UPD2: Apparently the hacker did not really change the password and email back, as the "last visit" of jiangshibiao is two days ago.

English translation of the message

UPD Aug. 31:

The hacker changed the email back and my friend got back his account. Thanks everyone who replied in the post.

  • Vote: I like it
  • +125
  • Vote: I do not like it

| Write comment?
»
6 years ago, # |
Rev. 5   Vote: I like it +10 Vote: I do not like it

Is it someone who discovered a vulnerability in Codeforces? Or is your friend's password too simple?

Not only do we need to use strong passwords, but it's also a good idea to enable https in the settings.

Anyway, I hope we can take back our account.

  • »
    »
    6 years ago, # ^ |
    Rev. 2   Vote: I like it 0 Vote: I do not like it

    How do you manage to still have access to your account? You said in your post that your account has not been logged out, but apparently changing the password will logout all sessions (at least this is what the system says when you change it).

    • »
      »
      »
      6 years ago, # ^ |
        Vote: I like it 0 Vote: I do not like it

      I don't know the rules set by the system. In short, after my password is changed, my account is not automatically logged out. Unfortunately, if I can't get back my account as soon as possible, I can only continue to use it for 30 days.

    • »
      »
      »
      6 years ago, # ^ |
      Rev. 2   Vote: I like it +19 Vote: I do not like it

      Just tried to change the password, it really logs you out from the other sessions. To overcome this, a hacker might change the password using a vulnerability on Codeforces, not using the standard means.

    • »
      »
      »
      6 years ago, # ^ |
      Rev. 2   Vote: I like it +5 Vote: I do not like it

      Just thought of the alternative idea why this happened. If a hacker used MitM attack and stole the session cookie, the legitimate user and the hacker share the same session, so changing the password won't log them out.

      • »
        »
        »
        »
        6 years ago, # ^ |
          Vote: I like it 0 Vote: I do not like it

        X.509 certificate can tell if any other person also has the same certificate

»
6 years ago, # |
Rev. 2   Vote: I like it +139 Vote: I do not like it

first benefit to be grey, don't give a damn about your account

  • »
    »
    6 years ago, # ^ |
      Vote: I like it +8 Vote: I do not like it

    There is more to Codeforces than rating. (contribution)

»
6 years ago, # |
  Vote: I like it 0 Vote: I do not like it

The chances of successfully guessing an 8-character truly random password are one in 500 trillion.No one can bruteforce attack this many times as the website will consider it as DDOS.Many a times shoulder surfing is also the reason for attack.

if there is some vulnerability then why only these 2 accounts. want to know how exactly you people came to know your accounts were hacked i.e some random comments,submissions,name change,location change etc because one doesn't have a random dream that let's try changing email and password.

  • »
    »
    6 years ago, # ^ |
    Rev. 4   Vote: I like it +13 Vote: I do not like it

    My friend found it simply because he couldn't login today to register for the round (he hasn't visited Codeforces for some time). Also the number of victims could be higher, there may be more hacked accounts that haven't been discovered yet. Shoulder surfing is unlikely, because the users of the two hacked accounts don't live the in same place.

    The two hacked accounts are both from China, so one possibility is that they used the same password here and on some Chinese websites, and that Chinese website leaked the password. But that doesn't explain why im0qianqian was not logged out if the password is changed using standard means.

    • »
      »
      »
      6 years ago, # ^ |
        Vote: I like it 0 Vote: I do not like it

      might be those "chinese websites" stored passwords in plain text.

      • »
        »
        »
        »
        6 years ago, # ^ |
          Vote: I like it -41 Vote: I do not like it

        Why did you put "chinese websites" in quote marks? :D

        Do you not think they are really websites?

        • »
          »
          »
          »
          »
          6 years ago, # ^ |
            Vote: I like it 0 Vote: I do not like it

          Quotation marks, for quoting the above comment.

        • »
          »
          »
          »
          »
          6 years ago, # ^ |
            Vote: I like it 0 Vote: I do not like it

          no offence but little humour is good. i just meant if it's literally password database leak then those websites are not good according to security protocols,i mean who stores plain text and why those websites will user info(as there's no monetary profit in it as of now).

»
6 years ago, # |
  Vote: I like it +5 Vote: I do not like it

I don't know if this is related, but I woke up today and noticed that one of my talks was gone. Someone had sent a message to me and I replied. The original message he sent was deleted.

I see no obvious button that would allow you to delete talks. Maybe this also has something to do with the security of codeforces.

»
6 years ago, # |
  Vote: I like it +127 Vote: I do not like it

The reason why MikeMirzayanov isn't responding is because his account might've also been hacked. It's going to be the end of CF. Let's enjoy it while it lasts.

»
6 years ago, # |
Rev. 4   Vote: I like it +29 Vote: I do not like it

My account has the backing of the CIA, FBI, WAIFU, and the Navy Seals. There is no way the hacker can penetrate the defenses of AMERICA, the finest country in the world. To the coward who's been going around hacking, you have made yourself an enemy of POLICE of the WORLD and the HARBINGER of JUSTICE, AMERICA. I will personally draw you out from Codeforces like poison is drawn from a wound.

»
6 years ago, # |
Rev. 2   Vote: I like it +11 Vote: I do not like it

Your approach is wrong. 'jiangshibiao and me are onsite at Petrozavodsk Camp right now' implies that they were 'hacked' using MITM, since they used CF via HTTP instead of HTTPS. Your 'hacker' is probably onsite at Petrozavodsk Camp right now, hidden, waiting for more accounts.. So as long as you use https://codeforces.me/, or a trusted network, you should be safe.

  • »
    »
    6 years ago, # ^ |
    Rev. 2   Vote: I like it +5 Vote: I do not like it

    No, we are the only Chinese team there, and the hacker used Chinese to send message to me (see the update). Also, another student from my university said he saw the avatar changed before we went to Petrozavodsk.

»
6 years ago, # |
  Vote: I like it 0 Vote: I do not like it

Auto comment: topic has been updated by lsmll (previous revision, new revision, compare).

  • »
    »
    6 years ago, # ^ |
      Vote: I like it +8 Vote: I do not like it

    Tell me what jiangshibiao's mailbox is, then I can change it back.

»
6 years ago, # |
  Vote: I like it 0 Vote: I do not like it

Is this guy also hacked? Profile pic is the same thing

http://codeforces.me/profile/hashlib

»
6 years ago, # |
  Vote: I like it 0 Vote: I do not like it

Use LastPass (or something similar), people. It's never too late to get secure.

»
6 years ago, # |
  Vote: I like it +8 Vote: I do not like it

Tell me what jiangshibiao's mailbox is, then I can change it back.

  • »
    »
    6 years ago, # ^ |
      Vote: I like it +8 Vote: I do not like it

    I sent you a message.

  • »
    »
    6 years ago, # ^ |
      Vote: I like it +9 Vote: I do not like it

    Got my account back (*^▽^*). I have been annoyed and anxious for a long time, because this account is really important to me. But I still want to thank you, for you have given me a lesson about the importance of account safety.