Author: lostcarpark | Posted: Nov 9, 2023 03:06 | Subject: Re: Update on November 3rd incident | Viewed: 40 times | Topic: Administrative
Well done on taking decisive action, and getting the site back to normal quickly. I think getting users to reset passwords is a wise precaution.

I have two suggestions. There have been a lot of posts in this thread, and I haven't read them all, so these may well have been covered.

1. Add Two-Factor Authentication (2FA). This is not difficult to do these days. I'd suggest making it an opt-in feature for buyers, and mandatory for sellers.

2. Add explicit measures to protect against Cross-Site Request Forgery (CSRF). This is where your login token gets hijacked, and a fraudulent user continues a session that has already been logged in. 2FA does not protect against this. There are various measures that help protect against this, and I don't claim to be an expert, but it would be a good idea to look into the possible attacks and ensure that as many as possible are covered off.
Message is in Reply To: Update on November 3rd incident - Admin_Russell | Dear BrickLink members, Welcome back and thank you for your patience. We were down for longer than anyone would have wanted. Now that we’re back up and running, we can share [...] (7 months ago, Nov 8, 2023, to Administrative)

Message Has 1 Reply: Re: Update on November 3rd incident - CE_Uday | [...] Thank you for the suggestions! At the moment, BrickLink does not support two-factor authentication. However, we will continue to increase security on our platform and [...] (7 months ago, Nov 9, 2023, to Administrative)
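As an added illustration of the CSRF protection suggested in the post above (example code, not BrickLink's or the poster's own), this is a minimal synchronizer-token check: each logged-in session gets a random token that is embedded in forms and must be echoed back on every state-changing request, compared in constant time, with an Origin header check as a second layer. The in-memory session store, the `/checkout` form and the `https://shop.example` origin are constructed stand-ins.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for server-side session storage, keyed by session id.
@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

SESSIONS: dict[str, Session] = {}
TRUSTED_ORIGIN = "https://shop.example"  # hypothetical site origin

def login(session_id: str, user: str) -> str:
    """Create a session with a fresh synchronizer token; return the token for forms."""
    sess = Session(user=user)
    SESSIONS[session_id] = sess
    return sess.csrf_token

def render_form(session_id: str) -> str:
    """Embed the token in the form body. A cross-site page cannot read it, so a
    forged post from another origin cannot supply it."""
    token = SESSIONS[session_id].csrf_token
    return (f'<form method="post" action="/checkout">'
            f'<input type="hidden" name="csrf_token" value="{token}"></form>')

def is_request_allowed(session_id: str, method: str,
                       headers: dict[str, str], form: dict[str, str]) -> bool:
    """Permit a state-changing request only when the submitted token matches the
    session's token (constant-time compare) and the Origin, if present, is ours."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods must not change state, so no token is needed
    sess = SESSIONS.get(session_id)
    if sess is None:
        return False  # no session: nothing to bind the token to
    origin = headers.get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return False  # browser says the request came from another site
    submitted = form.get("csrf_token", "")
    return hmac.compare_digest(submitted, sess.csrf_token)
```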
226 Messages in this Thread.