Due to a recent hacking incident, MangaDex will be down until further notice.
Instead of keeping up a likely vulnerable website and wasting our time and efforts playing cat-and-mouse with constant attacks from DDoS to hacking, we have decided to take this opportunity to refocus and expedite our planned rewrite of the site, called v5. Contrary to our original plans, however, we will be launching this v5 as soon as the minimum essential features are ready.
As developing and maintaining MangaDex is nobody’s actual job, it is difficult to give an accurate estimate as to when we’ll be back up and running. It should go without saying that every one of us wants it to happen as soon as safely possible.
That said, if everything goes as smoothly as we dare to hope, we could be looking at a downtime of just a week or two. Or three.
For up-to-date news about our progress, please follow us on Twitter.
In the meantime, please take the time to read this full write-up of what happened, what our options for plans of action were, how the data breach may have affected you, and how you may be able to help by disclosing vulnerabilities.
All timings are in UTC.
1. A brief recap:
Three days ago (2021-03-17), we correctly identified and reported that a malicious actor had managed to gain access to an admin account by reusing a session token found in an old database leak, which was possible because of faulty session-management configuration. Following that event, we moved to identify the vulnerable section of code and worked to patch it, also clearing session data globally to thwart further attempts at exploitation through the same method.
After the breach, we spent many hours reviewing the code for possible further vulnerabilities and started to patch what we could find to the best of our capabilities. This ran in parallel with reopening the site after the breach, as we had incorrectly assumed that the attacker would not be able to gain further access. However, as a precaution, we had started rolling out monitoring of our infrastructure and remained vigilant in case the attacker returned.
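As an added illustration, not MangaDex code and not the v3 session configuration described above, the following Python sketch shows the session-handling properties that make a token copied from an old database dump unusable: random server-side tokens, a fixed lifetime, a per-user revocation timestamp (for a password change or account lock), and a global generation counter that is bumped whenever sessions are cleared site-wide. All names and the 24-hour lifetime are assumptions, and the "leaked record" scenario at the end is constructed.

```python
import secrets
import time
from dataclasses import dataclass, field

SESSION_TTL = 24 * 3600  # assumed lifetime in seconds before a fresh login is required


@dataclass
class Session:
    user_id: int
    generation: int   # global generation the session was issued under
    issued_at: float
    expires_at: float


@dataclass
class SessionStore:
    """Server-side session registry. A token is only meaningful while the
    store still holds a live record for it, so old copies of the table are
    worthless once the store moves on."""
    sessions: dict = field(default_factory=dict)
    generation: int = 0  # bumped by revoke_all(); persisted separately from the table
    user_revoked_after: dict = field(default_factory=dict)  # user_id -> timestamp

    def issue(self, user_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.sessions[token] = Session(user_id, self.generation, now, now + SESSION_TTL)
        return token

    def lookup(self, token, now=None):
        """Return the user_id for a valid token, else None. Every failure
        path deletes the record so a stale token is not retried forever."""
        now = time.time() if now is None else now
        sess = self.sessions.get(token)
        if sess is None:
            return None
        stale = (
            now >= sess.expires_at                          # lifetime exceeded
            or sess.generation != self.generation           # issued before a global clear
            or sess.issued_at < self.user_revoked_after.get(sess.user_id, 0.0)
        )
        if stale:
            del self.sessions[token]
            return None
        return sess.user_id

    def revoke_all(self):
        """Global clear: drop every record and move to a new generation so
        that records resurfacing from an old copy of the table also fail."""
        self.generation += 1
        self.sessions.clear()

    def revoke_user(self, user_id, now=None):
        """Per-user clear, e.g. on password change: anything issued before
        this instant is rejected on next use."""
        now = time.time() if now is None else now
        self.user_revoked_after[user_id] = now


def leaked_record_rejected():
    """Constructed scenario: a copy of the session table leaks, the site
    later clears all sessions, and the leaked record is written back (for
    example by restoring from the old copy). The generation check rejects it."""
    store = SessionStore()
    token = store.issue(user_id=1, now=1000.0)
    leaked_copy = {token: store.sessions[token]}  # snapshot taken from the old dump
    store.revoke_all()
    store.sessions.update(leaked_copy)            # record resurfaces in the live table
    return store.lookup(token, now=1001.0) is None
```

The generation counter is what the plain "clear the table" step lacks: if the table is ever restored from, or merged with, an older copy, the restored rows carry the old generation and are rejected without anyone having to notice the restore.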
2. Why did we go down again?
At 2021-03-20 01:52:48, the attacker managed to access the account of one of our developers who had been offline for the previous four days. This time around, however, we noticed immediately and shut the site down at 01:53:40 to investigate further.
At 2021-03-20 02:10, the attacker sent an email to the first ten users with the message body “MangaDex has a DB leak. I suggest you tell their staff about it.”, abandoning any pretense of ransom. Moving forward, while we have no clear evidence that a database breach has happened, as a matter of best security practice we will assume that it has.
At 2021-03-20 03:41, the attacker updated the git repository containing the source code leak, claiming that we had successfully patched two out of three possible CVEs. Without any way to confirm the claims, we assumed the worst-case scenario and kept the site down to investigate further.
3. What have we done since then?
As of writing, we have invited numerous volunteers to assist our developers in identifying, in the codebase, the last possible CVE claimed by the attacker. Thanks to our volunteers, we have identified a good number of potential security flaws and moved to rectify them. However, at the time of writing, we have yet to identify the last possible CVE claimed by the attacker.
With that in mind, we were confronted with a difficult decision. If we incorrectly assumed that the web code is now secure, we could be compromised again by the attacker. In good conscience, therefore, we cannot reopen the website to users at present.
Lastly, our staff consists of volunteers: volunteers with real-life commitments and duties who do not earn a single cent from volunteering for MangaDex. While we aim to provide the best service we can to you, the repeated attacks were starting to take a toll on us all, as we had to repeatedly scan through thousands of lines of code trying to find a figurative needle in a haystack. We have evaluated the choices at hand and decided that this is unsustainable for both our users and ourselves.
4. What are we planning to do now?
We have decided that option (e) would be the best approach, as it strikes a good balance between downtime and working to bring the site back up in a usable and (most importantly) secure state.
5. Data Breach & You
While we have numerous signs that the attacker had access to information not normally visible to a normal user, we have not been able to confirm a full host compromise or an up-to-date database breach. We intend to keep a close eye on both and will update as we investigate and discover more. Moving forward, however, it is in the interest of both our users and ourselves to consider the database breached.
We encourage you, as a user, to assume that your data has been breached and to take precautions immediately, such as changing the passwords of any accounts that might share the same password as your MangaDex account. As a generally good security practice, password managers are highly recommended for keeping your online identity secure.
In the meantime, we are still open to any suggestions or responsible disclosures of vulnerabilities found in the leaked v3 source code. While we have found numerous vulnerabilities at the time of writing and have moved to patch most of them, we appreciate all attempts to help us find more. For more information, or for disclosures, please approach a staff member on our Discord.
7. Bug Bounties
Moving forward from this incident, we sincerely intend to improve the security of existing and future infrastructure, and while some of our developers have experience in the security field, we have decided that having some form of bug bounty program for v5 will only prove beneficial to MangaDex. To back that up, we intend to consider payouts depending on the severity of reported bugs. More details will be released in the near future.