fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

MangaDex Manga Site Temporarily Shut Down After Cyberattack

MangaDex Manga Site Temporarily Shut Down After Cyberattack

Manga scanlation giant MangaDex has been temporarily shut down after suffering a cyberattack and having its source code stolen.

MangaDex is one of the largest manga scanlation (scanned translations) sites where visitors can read manga comics online for free. According to SimilarWeb, MangaDex is the 179th most frequently visited site on the web, with over 76 million visitors per month.

After suffering a series of outages since March 17th, MangaDex revealed yesterday that a threat actor had gained access to an admin and developer account, as well as the source code to the site.

According to an announcement now showing on Mangadex.org, a threat actor gained access to the site after stealing an admin user’s session token through a website vulnerability. 

“Three days ago (2021-03-17), we correctly identified and reported that a malicious actor had managed to gain access to an admin account through the reuse of a session token found in an old database leak through faulty configuration of session management.”

“Following that event, we moved to identify the vulnerable section of code and worked to patch it up, also clearing session data globally to thwart further attempts at exploitation through the same method,” MangaDex disclosed on their website.

Also Read: 3 Reasons Why You Must Take A PDPA Singapore Course

Using this token, the hacker was able to gain full access to the website and download the site’s source code. The attacker then published the site’s source code on GitHub using the alias ‘holo-gfx.’

While the site audited their code and fixed vulnerabilities, the attacker would taunt the site’s developers with comments when a vulnerability was fixed.

Threat actor taunting the MangaDex devs

When asked what type of vulnerabilities were fixed, the threat actor stated the first was a “File type confusion” bug, and the second they were keeping secret.

After MangaDex learned that the threat actor still had access to their environment, they announced that they were temporarily shutting down the site while they worked on and launched a more secure ‘v5’ version of the site.

“Due to a recent hacking incident, MangaDex will be down until further notice.

Instead of keeping up a likely vulnerable website and wasting our time and efforts playing cat-and-mouse with constant attacks from DDoS to hacking, we have decided to take this opportunity to refocus and expedite our planned rewrite of the site, called v5. Contrary to our original plans, however, we will be launching this v5 as soon as the minimum essential features are ready.

As developing and maintaining MangaDex is nobody’s actual job, it is difficult to give an accurate estimate as to when we’ll be back up and running. It should go without saying that every one of us wants it to happen as soon as safely possible.

That said, if everything goes as smoothly as we dare to hope, we could be looking at a downtime of just a week or two. Or three.” – MangaDex.

However, the threat actor remains undaunted, stating that there are further RCE vulnerabilities and web shells in place that MagaDev’s code rewrite would protect against. Whether this is true is unknown.

Holo-Gfx warning of RCE vulnerabilities and web shells

The threat also states that they have dumped the MangaDex database but have not published it anywhere.

Due to the largely unfettered access the threat actor appeared to have on the site, MangaDex stated that all users should assume that their data has been exposed. 

“Moving forward however, it is in both our users’ interest and ourselves that we will consider the database breached,” MangaDex warned.

Also Read: What You Should Know About The Data Protection Obligation Singapore

With this in mind, it is advised that all users change their passwords at any other site using the same passwords as MangaDex.

If the database is eventually published, users should be on the lookout for phishing scams conducted by the other threat actors.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us