
Project Euler Humble Return - nemesisrobot
https://projecteuler.net/news
======
daguava
You can list what problems you've solved by showing an image generated for
you.

Ex)
[https://projecteuler.net/profile/daguava.png](https://projecteuler.net/profile/daguava.png)

But you can also use this to quickly test the status of accounts.

For example, I was able to find Euler is an admin account by trying

[https://projecteuler.net/profile/euler.png](https://projecteuler.net/profile/euler.png)

It tells you it's admin in the image, why?

Edit: Wonder if they're exposing some vulnerability with the HTTP 300 Multiple
Files they're returning.

If you try something like this:
[https://projecteuler.net/profile/.wat](https://projecteuler.net/profile/.wat)

the page confirms a .htaccess file exists at
[https://projecteuler.net/profile/.htaccess](https://projecteuler.net/profile/.htaccess)
we also find one at
[https://projecteuler.net/.htaccess](https://projecteuler.net/.htaccess)

While currently inaccessible, this is a significant information leak.

All directories allow this, so you can do some digging to find what files
exist.

Edit 2: while logged in, you can enumerate all usernames with a skill level
attached by using URLs like

[https://projecteuler.net/level=1](https://projecteuler.net/level=1)

If you try changing the level to a period, the page conveniently tells you
there are over 118k users in total (listing the first 10k), and MAY even show
accounts without levels, but I'm not sure.

Combine this with the profile image URLs above and you may be able to find
more admin account usernames if they have levels associated with them.

~~~
mhink
So basically, by telling us this, you're completely contravening the request
they made that security vulnerabilities be disclosed privately?

Kind of a jerk move.

~~~
daguava
While I am kind of a jerk, I haven't made a vulnerability of it yet, just an
info leak that may help someone here complete the puzzle.

~~~
rnovak
I think you're confusing "exploit" and vulnerability. An info leak _is_ a
vulnerability. Period.

And yes. You completely went around their request, and made this info public
without their consent.

Actions like this are _THE_ reason the relationship between vendors and
security researchers is strained.

There's a _SPECIFIC_ reason it's considered common courtesy to wait until a
vulnerability is patched before public disclosure.

IANAL, but you also violated their ToS by doing this, and if you did this to a
site I owned, _especially_ without my consent, I'd be very motivated to
contact the proper authorities and pursue civil remedies.

~~~
ChristianBundy
_> if you did this to a site I owned, especially without my consent, I'd be
very motivated to contact the proper authorities and pursue civil remedies._

Actions like this are _THE_ reason the relationship between vendors and
security researchers is strained.

~~~
branchless
Good grief, Americans and threatening to sue anything that moves.

~~~
rnovak
First of all, how do you even know I'm an American? Nothing in my post, my
bio, or anything mentions that, so that's quite a sweeping generalization, and
baseless assumption.

Secondly, why are "non-americans" cool with breaking other people's shit
without permission?

------
aikah
Open source that site. Vet a few devs to have access to the source to begin
with then opensource it. Or even better, let the community rewrite the source
from scratch. How hard can it be? And there are often a lot of people willing
to contribute to open-source projects.

~~~
tsukikage
"How hard can it be?" <--- yeah, that's how you end up with vulnerable sites.

~~~
jdiez17
Not if you make security your number one goal from the beginning. But "letting
the community rewrite the site" would be very complicated, especially on a
niche website such as Project Euler, where a lot of its users are opinionated
and would probably take a long time to reach consensus on anything.

~~~
hn9780470248775
If security were really your "number one goal", then you would not create a
site at all.

~~~
jeeva
Number two after availability, then.

------
mindcrime
OK, well, here's an initial observation:

1\. Your login page leaks information, as it returns "username not found" if
you enter an invalid username. This is a bad idea. Better to simply say "login
failed" in any case. Now, thanks to a few minutes of playing around, I have a
fairly good idea that "admin" is a valid username on projecteuler.net. For the
sake of argument, let's assume that's a real account, and actually has some
administrative access... that's a bad idea. "Security through obscurity" is
oft derided, but no sense making it easy for the bad guys. Make your admin
username "flummoxedrabbit" or something that nobody bothers trying. As it is,
I'm hoping this "admin" account is a dummy or a honeypot or something, but if
it isn't, I definitely encourage you to change that and quit leaking username
validity information.

2\. From the limited testing I did, it doesn't appear that you limit the
number of failed login attempts. Or if you do, the login limit is awfully
high. I tried logging in 10 times and as far as I can tell, I could have kept
going. If there really is no limit, it's probably not that hard to brute force
your password. There are plenty of scripts and browser plugins to sit there
and try to login repeatedly, trying to brute force forms like that.

3\. In addition to limiting the number of login attempts, it's possibly a good
idea to add a steadily increasing delay before accepting another login try
from the same IP address, after each failed login. This will slow down at
least some attempts to brute force your password.

4\. You could consider some sort of Multi-Factor Authentication setup.

5\. You could also consider adding code to do something similar to what
fail2ban does, and automatically block connections from an IP where more than
_X_ failed logins originate in some period of time.

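The login hardening points above (a single generic "login failed" message for both an unknown username and a wrong password, a steadily increasing per-IP delay after each failure, and a fail2ban-style block once X failures occur inside a time window) can be combined in one small guard. The Python below is an added example written for this thread, not code from Project Euler; the user store, IP addresses, thresholds and the `FakeClock` used to avoid real sleeping are all constructed for the demonstration. Unknown usernames are checked against a dummy record so the response takes about the same time as a real one.

```python
"""Login throttling sketch: generic failure message, per-IP backoff and a
fail2ban-style block. Added example, not Project Euler's code."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

GENERIC_FAILURE = "login failed"   # identical text for unknown user and wrong password
MAX_FAILURES = 5                   # "X" failed logins ...
WINDOW_SECONDS = 600               # ... within this window block the IP (fail2ban-style)
BLOCK_SECONDS = 3600               # constructed thresholds, tune for a real site
BASE_DELAY = 1.0                   # seconds; doubles with each consecutive failure
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the output length is fixed whatever the password length."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class User:
    salt: bytes
    pw_hash: bytes


def make_user(password: str) -> User:
    salt = os.urandom(16)
    return User(salt, hash_password(password, salt))


@dataclass
class IpState:
    failures: list = field(default_factory=list)  # timestamps of recent failed attempts
    next_allowed: float = 0.0                     # backoff: earliest accepted next attempt
    blocked_until: float = 0.0                    # fail2ban-style block expiry


class FakeClock:
    """Injectable clock so the throttling can be exercised without sleeping (test aid)."""
    def __init__(self, start: float):
        self.t = start

    def __call__(self) -> float:
        return self.t


class LoginGuard:
    def __init__(self, users: dict, clock=time.time):
        self.users = users          # constructed in-memory store: username -> User
        self.clock = clock
        self.ips: dict = {}
        # Hashing against a dummy record for unknown usernames keeps the response
        # time similar, so timing alone does not reveal whether a username exists.
        self._dummy = make_user(os.urandom(8).hex())

    def attempt(self, ip: str, username: str, password: str):
        """Returns (success, message, retry_after_seconds)."""
        now = self.clock()
        st = self.ips.setdefault(ip, IpState())
        if now < st.blocked_until:
            return False, GENERIC_FAILURE, st.blocked_until - now
        if now < st.next_allowed:
            return False, GENERIC_FAILURE, st.next_allowed - now

        user = self.users.get(username, self._dummy)
        valid = hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)
        if valid and username in self.users:
            self.ips.pop(ip, None)          # a successful login clears the failure history
            return True, "ok", 0.0

        # Drop failures that fell out of the window, then record this one.
        st.failures = [t for t in st.failures if now - t < WINDOW_SECONDS]
        st.failures.append(now)
        if len(st.failures) >= MAX_FAILURES:
            st.blocked_until = now + BLOCK_SECONDS
            st.failures.clear()
            return False, GENERIC_FAILURE, float(BLOCK_SECONDS)
        # Steadily increasing delay before the next try from this IP: 1s, 2s, 4s, 8s ...
        delay = BASE_DELAY * 2 ** (len(st.failures) - 1)
        st.next_allowed = now + delay
        return False, GENERIC_FAILURE, delay


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    guard = LoginGuard({"alice": make_user("correct horse battery")}, clock)
    for name, pw in [("nobody", "hunter2"), ("alice", "hunter2")]:
        print(name, guard.attempt("198.51.100.7", name, pw))   # same message both times
```

The caller never learns which check failed; only the retry delay is returned, and a request that arrives during the backoff is rejected before any hashing, so it neither costs CPU nor counts as a further failure.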
~~~
function_seven
Regarding #1, telling the user that their login failed doesn't eliminate their
ability to enumerate existing usernames. All they have to do instead is
attempt to register a new account with the username they're testing. At some
point, the site will have to tell them that the username already exists.

#2-#5 are all good points, though, and would help prevent username enumeration
as well.

~~~
mindcrime
_Regarding #1, telling the user that their login failed doesn't eliminate
their ability to enumerate existing usernames. All they have to do instead is
attempt to register a new account with the username they're testing. At some
point, the site will have to tell them that the username already exists._

Agreed, but I would lean towards giving the bad guys as few tools as possible.
If you require a captcha to register, and if you limit the number of
registration attempts, you can also cut down on that channel.

That's not to say that this stuff is the be all / end all of course. It would
probably be better to eliminate username/password combos altogether and do
everything with keypairs, but until that day comes...

~~~
shkkmo
Except you aren't really limiting the tools available to the bad guys, you are
just making the UX worse. I find this 'best practice' annoying design and
doubt that it has mitigated any attacks.

------
dyoo1979
It would be nice if source were provided, so that we can do a whitebox
analysis. I don't have confidence that there is one single point of failure
here, given that the site has already been compromised multiple times.

~~~
mmanfrin
Especially since PE is such a technically simple site. It's login/logout,
listing of problems, and confirmation/logging of problem success. It's simpler
than the apps that beginning web framework tutorials show how to make.

~~~
giancarlostoro
We see lots of projects on HN that get open sourced. It's surprising nobody
has made one yet. I've even seen clones to HackerNews open sourced here.

------
trengrj
Part of me learning to code was by going through the challenges on Project
Euler and I always get a sense of nostalgia when reading about it.

It is a pity it keeps getting hacked. I think that the site owners are more
interested in algorithms and mathematics than mundane engineering. It would
probably be a good idea to open source the site.

~~~
codyb
I can't imagine the rationale for hacking projecteuler in the first place.
Always a favorite place of mine as well and I still bring newbies to the scene
there when I attempt to show them the basics of programming. I guess there's
just an asshole for everything when you have hundreds of millions of people
online these days. Sucks a bit doesn't it?

------
klekticist
Despite the whole situation being rather embarrassing, it seems like they're
handling this quite well. Whitehat to the rescue!

------
edem
I don't get it why someone would hack project euler.

~~~
austenallred
[http://www.hackthissite.org/](http://www.hackthissite.org/) lists "hack
project euler" as the final challenge

~~~
elektromekatron
For some reason, I have little desire to follow that link.

~~~
phragg
Do you know who Jeremy Hammond is?

~~~
kachnuv_ocasek
Is that the guy from Top Gear?

------
brokentone
The ultimate project euler challenge!

------
aesthetics1
Cue thousands of determined hackers descending on Project Euler! It would be
great if the community could find the exploit and save the site.

~~~
Zikes
Finding _an_ exploit doesn't necessarily mean they've found _the_ exploit,
unfortunately.

------
kelukelugames
I can't wait for someone to figure out the exploit. Very excited. Go
crowdsourcing!

------
Houshalter
I am unable to login to my account, so I'm not able to test this. But if I
remember correctly this site used a poor captcha. There has been a lot of
advancement at captcha breaking software in recent years. If they used some
kind of custom captcha to prevent password guessing, then it's not extremely
secure.

------
sfrank2147
Does anyone know how Project Euler was storing the passwords?

~~~
krapp

        Usernames cannot contain more than 32 characters 
        and they may only contain upper/lower case
        alphanumeric characters (A-Z, a-z, 0-9), dot (.), 
        hyphen (-), and underscore (_). 
        Passwords must contain between 8 and 32 characters.
    

My money is on "ineptly."

~~~
terminado
There's really not much rationale for capping passwords at anything beneath 256
characters.

256 characters makes for a fairly sizable passphrase, and doesn't represent a
substantial hit on storage space. In reality, even if they were stored as
encrypted binary/base64 in a NoSQL file system of structured data files, 4096
is pretty much the de-facto floor for disk space occupied by non-zero-byte
individual files on most modern file systems.

...variable data size being a concern in cases where the transformed value is
encrypted rather than hashed.

~~~
gherkin0
> 256 characters makes for a fairly sizable passphrase, and doesn't represent
> a substantial hit on storage space.

They shouldn't be storing passwords at all so storage space should be a
non-issue. My 20 meg password should hash down to the same small(er) value as
your 15 character one.

~~~
a_t48
When there will be multiple shorter passwords that hash to the same value, is
there a point to a 20mb pass?

~~~
elektromekatron
Depends. Can you guess them?

~~~
a_t48
If I'm an attacker who is running through hashes...yes. Faster than the 20mb
one.

------
logicrime
Haven't they been wrecked once before this most recent incident?

I find it concerning that folks are so eager to rush back into a warzone when
they know it's not safe. Piling onto a recovering website after a cyberattack
is akin to running back into a field where landmines were found. Maybe
somebody was able to remove a landmine or two, but wouldn't it be wiser to
just walk around it?

~~~
lukev
Except that as long as you use a unique password, and don't give any details
that you don't mind falling into the wrong hands, there is absolutely _no
risk_.

Unlike, for example, actual mines.

~~~
ghshephard
There is a lot of risk going to a compromised website. You are basically
inputting potential malware onto your computer, and, if there are zero-days
present on your system, handing control of your computer over to a malware
author.

~~~
teach
Yes, I'm pretty worried about browsing a website with no ads using Chrome on
my Linux machine with uBlock Origin and Flash disabled.

I think I take greater risks going for a walk in the evening.

~~~
ghshephard
A random website? Absolutely, 99.999% of the Web is safe. But we're talking
about a site which is specifically compromised with malware.

With that said - "Linux" is safe by being such a tiny population of the
community that browser malware generally isn't written for it. In general, I
take it as a given that people have deleted/disabled flash and java plugins a
long, long time ago.

~~~
jlarocco
> A random website? Absolutely, 99.999% of the Web is safe. But we're talking
> about a site which is specifically compromised with malware.

Well, we don't know that, actually. The info given on the PE site says that the
attacker gained access to the server and modified the database. Do you have
proof that it's serving up malware to visitors?

In any case, it's an odd situation and an odd response from Project Euler. It
doesn't seem like a complicated enough site to get hacked in a mysterious
undetermined way.

------
kiba
I checked the license. It appears that the content is licensed under Creative
Commons Attribution-NonCommercial.

I haven't found any indication that the website behind Project Euler is open
source or follows open source development processes.

~~~
mathetic
So?

~~~
Retr0spectrum
So, it's much harder for the community to find and report security bugs.

------
zajd
It's a shame the maintainer of the site is going to let it fall into obscurity
instead of just adopting more modern development practices.

edit. Such as allowing people to audit the source of the site as opposed to
requesting pentesting.

~~~
dang
Please don't post backhanded swipes like this, or outright insults like "This
guy is a moron." [1] The idea on HN is to comment civilly and substantively
[2], or not at all.

1\.
[https://news.ycombinator.com/item?id=10023513](https://news.ycombinator.com/item?id=10023513)

2\.
[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

~~~
zajd
Fair enough, just frustrated with the overwhelming number of "the modern
internet is broken!!" posts that have been clogging up the front page lately.
That also happened to be one particularly light on content.

~~~
elektromekatron
the modern internet _is_ broken

(not to mention interfaces, languages, security, identity, manufacture,
physics and pop-tarts)

and if you get upset at people pointing out how much nicer things could be,
then things probably won't

~~~
zajd
Again, I understand there are issues with the modern internet, but that
article was unironically calling for the return of geocities. It's a
hyperbolic clickbait title that has no place in a reasonable discussion about
the actual issues that we're dealing with. Beyond that, I even quoted the
passage I took issue with.

> In 2015, becoming a Web developer is all about learning Ruby or figuring out
> Node.js, not just building cool things you like.

This is patently wrong. Maybe it was harsh to call him a moron but the content
was very weak in that particular piece.

------
goldenkey
Why is project euler not on github? Yeah..no one's gonna help unless you open-
source your project buddy.

~~~
dang
That's not nice. It's also plainly false. Lots of people love Project Euler.

~~~
edem
Like me. And I would like to help but I know almost nothing about penetration
testing. :(

~~~
goldenkey
Exactly. Source code would help a lot. It's an education site that's extremely
amateur in nature. It belongs as open source.

