TOPIC | Update & Summary: Emergency Maintenance
At approximately 14:00 Server Time on Friday, March 31 the engineering team was alerted to an individual probing for XSS (Cross-Site Scripting) weaknesses by pasting HTML script tags in various text fields on the site, some player-facing and some only visible to staff. Out of an abundance of caution we put the site into maintenance so we could evaluate the situation.

During the maintenance period, we reviewed the attacker's activity, focusing in particular on what fields the attacker typed script tags into. Then, we reviewed what pages (player-facing and staff-facing) display the contents of those text fields, whether those pages are properly escaping the text in question to prevent XSS vulnerabilities, and whether anyone viewed those pages while they potentially contained text content from this attacker.

Because it is part of our development practices to evaluate all new and revamped/refactored features for XSS vulnerabilities, we could not find issues in player-facing areas such as Forums, Private messages, Clan Info, or Dragon Biographies, or our primary staff-facing tools. We did identify and correct issues in some of our rarely used staff-facing tools that were not used while this attacker was active. Additionally, we identified some extremely old code that had potential issues and corrected them, but these areas are not areas where content entered by the attacker could have been viewed by another player or staff.

While XSS has a broad scope, one of the major concerns in any XSS attack is the potential that session cookies—tokens stored in your browser that "prove" that you are a particular logged-in user—could be stolen by an attacker, allowing them to essentially be "logged in" as you without knowing your password. Our session cookies are all set to use the "HttpOnly" flag which means that scripts categorically cannot access them. Barring vulnerabilities in browsers themselves, we do not believe session cookies were immediately at risk. Nonetheless, we revoked all outstanding staff and volunteer moderator sessions early on in our investigation as a safety measure.

Again, while we do not believe player sessions were at risk for the above reasons, if you wish to revoke all outstanding sessions for your account, including those for browsers/devices other than the one you are currently using to interact with the site, you can change your password either via Account Settings or the Forgot Password feature.

In addition to reviewing our existing code, we also looked into ways to detect and block this sort of behavior proactively. We have made some initial changes in that area and we are going to continue to improve our security posture by adding additional layers of protection, detection and alerting. Please bear with us as some of these changes may introduce minor bugs while we fine-tune things.

In summary, at present we believe this individual was at the stage of probing for vulnerabilities, and we used the maintenance period to review and strengthen our protections against this sort of attack. We do not have reason to believe the attacker accomplished anything of major concern at this point.

If you believe you have found a vulnerability of any kind anywhere on Flight Rising, please disclose it to us privately using Contact Us right away.

Thank you for your patience and understanding.
Flight Rising Engineering Team
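As an added illustration (not Flight Rising's own code, which is not public), the three defensive controls the post describes, written in plain Node.js: HTML-escaping a text field at render time so a pasted script tag is shown literally, flagging submissions that contain script tags so they can be logged and alerted on, and issuing the session cookie with the HttpOnly flag. Function names, the Secure/SameSite attributes and the sample biography strings are assumptions and constructed input, not details from the announcement.

```javascript
// Added example, not Flight Rising code. Sample inputs are constructed.

// 1. Escape user-supplied text at render time: the browser then displays
//    "<script>" as text instead of executing it. This is the check the
//    post describes ("whether those pages are properly escaping the text").
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// A template for a constructed "Dragon Biography" field, always escaping.
function renderBiography(bio) {
  return `<p class="bio">${escapeHtml(bio)}</p>`;
}

// 2. Detection: flag submissions that look like XSS probing so staff can
//    be alerted. This is a signal for review and rate-limiting, not a
//    replacement for escaping (a bypass of the regex must still be inert).
const PROBE_PATTERNS = [/<\s*script\b/i, /\bon\w+\s*=/i, /javascript\s*:/i];

function looksLikeXssProbe(text) {
  return PROBE_PATTERNS.some((re) => re.test(String(text)));
}

// 3. Session cookie with HttpOnly: document.cookie cannot read it, so even
//    a successful script injection cannot exfiltrate the session token.
//    Secure and SameSite are assumed companions, not mentioned in the post.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample submissions: one benign, one resembling the probing
// described in the announcement.
const benignBio = "Hatched in the Windsinger's lands; likes <3 & rain";
const probeBio = 'hello <script>alert(1)</script>';

// Process a batch the way a submission handler would: alert on probes,
// render safely regardless. Returns the results so they can be inspected.
function handleSubmissions(bios) {
  return bios.map((bio) => ({
    flagged: looksLikeXssProbe(bio),
    html: renderBiography(bio),
  }));
}

for (const r of handleSubmissions([benignBio, probeBio])) {
  if (r.flagged) console.warn('ALERT: possible XSS probe in submitted text');
  console.log(r.html);
}
console.log('Set-Cookie:', sessionCookieHeader('session', 'abc123'));
```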