https://paste.laravel.io/ got hacked
Closed this issue · 4 comments
Hi,
I just used paste.laravel.io and got redirected to this paste after saving, forking my own paste, and saving again:
https://paste.laravel.io/bkzXL
Tried it on a Windows 10 machine with Chrome, and Debian + Firefox on a VM.
Got redirected once, each time. But once it showed up, it didn't do it anymore.
I would check your Debian server configurations first. I have been running it for some time now. I have yet to find any glaring issues with its security that would allow hackers to run rampant in my system.
I don't host the script myself, I mean https://paste.laravel.io/ has been hacked
Here is a video of it happening live: https://puu.sh/xjvQN/e2cfcbed7e.mp4
I can't make it any clearer :(
So what happened is that there's a race condition where double hashes are created for pastes so you were redirected to an older paste with the same hash. I'll implement a fix so this won't happen again.
I've deleted the above paste. Please remember that all pasted content is publicly available, as said in the sidebar.
No one got hacked, but thanks for reporting this!
I've replaced the hashids with UUIDs. Longer, but it ensures they're always unique. Removed all older duplicate records and added a unique index on the hash column.
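As an added illustration (not code from this thread or from the paste site, which is a Laravel/PHP app), a Python sketch of the failure mode the maintainer describes: two requests that derive a short hashid from the same counter value before either has inserted, so both get the same hash and a lookup resolves to the older paste; and how the fix from the last comment, a unique index on the hash column plus UUIDs, turns the silent collision into a rejected insert. The counter-based hashid generation and the toy base-62 encoder are assumptions standing in for the original code.

```python
import sqlite3
import uuid

# Constructed stand-in for the pastes table; the real app is Laravel/PHP.
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def encode(n: int) -> str:
    """Toy base-62 encoding standing in for the hashids library (assumption)."""
    s = ""
    while n:
        n, r = divmod(n, len(ALPHABET))
        s = ALPHABET[r] + s
    return s or ALPHABET[0]


def make_db(unique_hash: bool) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pastes (id INTEGER PRIMARY KEY AUTOINCREMENT, hash TEXT NOT NULL, body TEXT)")
    if unique_hash:  # the fix from the thread: a unique index on the hash column
        conn.execute("CREATE UNIQUE INDEX pastes_hash_unique ON pastes (hash)")
    return conn


def next_hashid(conn: sqlite3.Connection) -> str:
    # Assumed racy step: the hashid is derived from the row count read before the
    # insert, so two requests that both read the same count produce the same hash.
    count = conn.execute("SELECT COUNT(*) FROM pastes").fetchone()[0]
    return encode(count + 1)


def save_pastes_interleaved(conn, bodies):
    """Simulate N requests that all computed their hashid before any of them inserted."""
    hashes = [next_hashid(conn) for _ in bodies]
    results = []
    for h, body in zip(hashes, bodies):
        try:
            conn.execute("INSERT INTO pastes (hash, body) VALUES (?, ?)", (h, body))
            results.append(("ok", h))
        except sqlite3.IntegrityError:  # unique index rejects the duplicate
            results.append(("conflict", h))
    return results


def save_paste_uuid(conn, body) -> str:
    """The replacement scheme: a random UUID per paste, still guarded by the index."""
    h = str(uuid.uuid4())
    conn.execute("INSERT INTO pastes (hash, body) VALUES (?, ?)", (h, body))
    return h


def lookup(conn, h):
    """What the redirect does: resolve a hash to one paste (the oldest row wins)."""
    row = conn.execute("SELECT body FROM pastes WHERE hash = ? ORDER BY id LIMIT 1", (h,)).fetchone()
    return row[0] if row else None
```

Without the index both inserts succeed and the second user is sent to the first user's paste; with it the second insert fails loudly, which is the behaviour a unique constraint is there to guarantee regardless of how the identifier is generated.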