Ex) https://projecteuler.net/profile/daguava.png
But you can also use this to quickly test the status of accounts.
For example, I was able to find that Euler is an admin account by trying
https://projecteuler.net/profile/euler.png
It tells you it's admin in the image, why?
Edit: Wonder if they're exposing some vulnerability with the HTTP 300 Multiple Files they're returning.
If you try something like this: https://projecteuler.net/profile/.wat
the page confirms a .htaccess file exists at https://projecteuler.net/profile/.htaccess. We also find one at https://projecteuler.net/.htaccess
While currently inaccessible, this is a significant information leak.
All directories allow this, so you can do some digging to find what files exist.
Edit 2: while logged in, you can enumerate all usernames with a skill level attached by using URLs like
https://projecteuler.net/level=1
If you try changing the level to a period, the page conveniently tells you there are over 118k users in total (listing the first 10k), and MAY even show accounts without levels, but I'm not sure.
Combine this with the profile image URLs above and you may be able to find more admin account usernames if they have levels associated with them.
Kind of a jerk move.
https://projecteuler.net/level=19
Look for the gold stars
1. Your login page leaks information, as it returns "username not found" if you enter an invalid username. This is a bad idea. Better to simply say "login failed" in any case. Now, thanks to a few minutes of playing around, I have a fairly good idea that "admin" is a valid username on projecteuler.net. For the sake of argument, let's assume that's a real account, and actually has some administrative access... that's a bad idea. "Security through obscurity" is oft derided, but no sense making it easy for the bad guys. Make your admin username "flummoxedrabbit" or something that nobody bothers trying. As it is, I'm hoping this "admin" account is a dummy or a honeypot or something, but if it isn't, I definitely encourage you to change that and quit leaking username validity information.
2. From the limited testing I did, it doesn't appear that you limit the number of failed login attempts. Or if you do, the login limit is awfully high. I tried logging in 10 times and as far as I can tell, I could have kept going. If there really is no limit, it's probably not that hard to brute force your password. There are plenty of scripts and browser plugins to sit there and try to login repeatedly, trying to brute force forms like that.
3. In addition to limiting the number of login attempts, it's possibly a good idea to add a steadily increasing delay before accepting another login try from the same IP address, after each failed login. This will slow down at least some attempts to brute force your password.
4. You could consider some sort of Multi-Factor Authentication setup.
5. You could also consider adding code to do something similar to what fail2ban does, and automatically block connections from an IP where more than X failed logins originate in some period of time.
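Points 1, 2, 3 and 5 above (uniform failure message, a cap on failed attempts, a growing delay per IP, and a fail2ban-style temporary block) can all live in one small piece of login logic. The following is an added example in Python, not code from Project Euler or from anyone in this thread; the account name, password, IP addresses and thresholds are constructed, and PBKDF2 from the standard library stands in for a proper password hash such as argon2id or bcrypt so the block runs offline.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

# --- Constructed credential store (demo only) ---------------------------------
# Passwords are salted and stretched with PBKDF2 from the standard library so the
# example is self-contained; a real deployment would use argon2id or bcrypt.
PBKDF2_ROUNDS = 100_000
DUMMY_SALT = secrets.token_bytes(16)  # equalises hashing work for unknown usernames

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

USERS: dict = {}

def register(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, hash_password(password, salt))

register("flummoxedrabbit", "correct horse battery staple")  # constructed sample account

# One uniform failure message whether or not the username exists (point 1).
LOGIN_FAILED = "login failed"


class FakeClock:
    """Controllable clock so the backoff logic can be exercised without sleeping."""
    def __init__(self, start: float = 0.0):
        self.now = start
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


class LoginGuard:
    """Per-IP throttling: a doubling delay after each failure (point 3) and a
    fail2ban-style temporary ban after too many failures in a window (points 2, 5)."""

    def __init__(self, max_failures=5, window=600.0, ban_seconds=900.0,
                 base_delay=1.0, max_delay=64.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.ban_seconds = ban_seconds
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.not_before = {}                 # ip -> earliest time another attempt is allowed

    def _prune(self, ip: str) -> None:
        cutoff = self.clock() - self.window
        q = self.failures[ip]
        while q and q[0] < cutoff:
            q.popleft()

    def retry_after(self, ip: str) -> float:
        """Seconds the caller must still wait; 0 means an attempt is allowed now."""
        return max(0.0, self.not_before.get(ip, 0.0) - self.clock())

    def record_failure(self, ip: str) -> None:
        now = self.clock()
        self._prune(ip)
        q = self.failures[ip]
        q.append(now)
        if len(q) >= self.max_failures:
            # Too many failures inside the window: block the address for a while.
            self.not_before[ip] = now + self.ban_seconds
        else:
            # Otherwise back off: 1s, 2s, 4s, ... capped at max_delay.
            delay = min(self.base_delay * 2 ** (len(q) - 1), self.max_delay)
            self.not_before[ip] = now + delay

    def record_success(self, ip: str) -> None:
        self.failures.pop(ip, None)
        self.not_before.pop(ip, None)


def login(guard: LoginGuard, ip: str, username: str, password: str):
    """Returns (ok, message). The message never tells a bad username from a bad password."""
    wait = guard.retry_after(ip)
    if wait > 0:
        return False, f"too many attempts, retry in {wait:.0f}s"
    entry = USERS.get(username)
    if entry is None:
        # Same hashing cost for an unknown user, so response time is not a username oracle.
        hash_password(password, DUMMY_SALT)
        ok = False
    else:
        salt, stored = entry
        ok = hmac.compare_digest(hash_password(password, salt), stored)
    if ok:
        guard.record_success(ip)
        return True, "ok"
    guard.record_failure(ip)
    return False, LOGIN_FAILED


if __name__ == "__main__":
    clock = FakeClock()
    guard = LoginGuard(clock=clock)
    ip = "203.0.113.7"  # constructed address from the documentation range
    print(login(guard, ip, "nosuchuser", "x"))            # (False, 'login failed')
    print(login(guard, ip, "flummoxedrabbit", "wrong"))   # refused: still inside the backoff
    clock.advance(5)
    print(login(guard, ip, "flummoxedrabbit", "correct horse battery staple"))  # (True, 'ok')
```

Attempts made while an address is inside its backoff or ban are refused before the password store is touched, so they cost the server nothing and do not count as further failures; a successful login clears the address's state. Keying the state on the client IP is the simplest choice and the one fail2ban makes, but shared NAT addresses will share a counter, so production code usually combines it with a per-account counter.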
#2-#5 are all good points, though, and would help prevent username enumeration as well.
Agreed, but I would lean towards giving the bad guys as few tools as possible. If you require a captcha to register, and if you limit the number of registration attempts, you can also cut down on that channel.
That's not to say that this stuff is the be all / end all of course. It would probably be better to eliminate username/password combos altogether and do everything with keypairs, but until that day comes...
Unfortunately, the alternatives are unthinkable for everyone who isn't a programmer.
It is a pity it keeps getting hacked. I think that the site owners are more interested in algorithms and mathematics than mundane engineering. It would probably be a good idea to open source the site.
...Hack This Site is a free, safe and legal training ground...
It's rather amusing how they claim they're 'legal', then.
Usernames cannot contain more than 32 characters and they may only contain upper/lower case alphanumeric characters (A-Z, a-z, 0-9), dot (.), hyphen (-), and underscore (_).
Passwords must contain between 8 and 32 characters.
My money is on "ineptly."
256 characters makes for a fairly sizable passphrase, and doesn't represent a substantial hit on storage space. In reality, even if they were stored as encrypted binary/base64 in a nosql file system of structured data files, 4096 is pretty much the de-facto floor for disk space occupied by non-zero-byte individual files on most modern file systems.
...variable data size being a concern in cases where the transformed value is encrypted rather than hashed.
I took that to mean that prior to being pwnd they had been storing passwords cleartext and would no longer be doing so.
Also, the wording about allowed special characters seems to be incorrect. I personally have a non ./-/_ special character in mine. Unless they are doing something terribad like silently discarding noncompliant parts of the password.
Re: password length - at least 32 characters is respectable. I believe last time I used outlook.com they had a max length of 12-16!
I find it concerning that folks are so eager to rush back into a warzone when they know it's not safe. Piling onto a recovering website after a cyberattack is akin to running back into a field where landmines were found. Maybe somebody was able to remove a landmine or two, but wouldn't it be wiser to just walk around it?
Unlike, for example, actual mines.
It's taken blood, sweat and tears to save up 20k (a lot for me) and even though I have a secure authentication scheme for the website, I worry about it getting hacked all the time.
"...there is absolutely no risk"
You have no idea! There's little practical risk in people getting access to my (fictional) ProjectEuler account, but there is absolutely some risk in returning to the same scam twice. Say they exploit PE again and are able to extract more than just password and email, maybe they find a way to get more info about the user's browser, or cookies, or SOMETHING. Anybody foolish enough to continue to navigate to projecteuler.net will suffer the consequences. They'd be better off never returning.
I know the response to this will be, "Oh, you can't possibly expect people to just abandon services that are compromised once" but I absolutely don't expect people to do that. I do it, because my security is worth it to me. Others don't, and this is the sort of thing that happens.
We've no way to really isolate what happened to projecteuler, and no way to know what kind of nasty code got injected into the pages.
I haven't found any indication that the website behind Project Euler is open source or follows open source development processes.
Edit: Such as allowing people to audit the source of the site as opposed to requesting pentesting.
Comments like this (sometimes) go half-way. If there's a point behind it, enumerate the ways you think would improve his practices.
Also:
Github Presence != Open Source
Open Source != requirement in asking for help/advice
As such we can only trust that the people running the site are taking due notice and patching it correctly -- which, (I hate to say) given Project Euler's track record in the last year or so...