Gogs Raid Info - 03 March 20 - 10 PM GMT

Unfortunately, at 10pm GMT gogs was raided and my account was disabled (see below).

gogs damage report


time: 10pm GMT
type: probably XSS or Clickjacking
damage level: high, owner account disabled

work being done: unblocking of account and deletion of repositories with unsuitable names.


we apologize for any inconvenience

-Gogs

PS. if anyone has a grudge against gogs, then say it here

Christ people really love exploiting this lmao, I’ll attempt standard attack methods on the site and if I do find an active exploit, will notify you privately


@random, just edited the title a bit to make it more specific!

And why not start recording IP addresses?


we considered it, but the site safety team has concluded that the hacker could be using a VPN. So there would be no point

thank you
:smile:

I am currently able to access the site logs for yesterday.

Here is what I found; it might be of some significance.

I would like to inform all of you that the user who was hacked is confidential, but they were an admin.

this information may be disclosed at a later date

The logs may offer some indication of the exact time it happened; 11PM was when gogs started the server.

Okay, so collecting IP addresses is useless, but what about rate limiting? Using NPM packages?

Would you guys ever consider adding a recaptcha before users enter the site? Even if that did not prevent the spam, it would slow it down.


@RiversideRocks We’re currently working on that!

That’s great! I was thinking it could be something like Google’s we are sorry page.

@RiversideRocks Let me know if you would like to help us!

Why don’t you add more security? First DDoS attacks and now this? Seems unreliable and insecure to me.

@edwrddd We do have DDOS protection via our custom domain https://gogs.js.org.

We make users sign up and complete a captcha for security

We are, as it seems, limited by our resources. If you wish to withdraw your account, we can’t stop you.

We may be thinking of using npm, but the code is written in Go; we can’t have two things running at the same time, as too much RAM will get our project suspended.

All the staff at ProTech IT solutions and ProTech Web Services apologize for this. Your security is paramount and we have let you down.

We have worked for almost a month trying to protect gogs, but in the end, we have realised that there is a whole community out there who hate gogs and we don’t have the time or resources to continue. We all have lives outside of Glitch and we have spent a long time protecting this service.

If anyone has any sort of thing that could fix this, please PM any member of our team. If we choose to close the service, we will let you know.


Thanks
@random, @J-Tech-Foundation, @Techy, @javaarchive

Two things. First, put a reverse proxy that sits in front of requests and is basically the middleman. Basically:
You: Can I request the log in page?
Reverse Proxy: I’ll do it for you.
Reverse Proxy -> Origin Server (only the reverse proxy knows it): some person wants to access the log in page.
Origin sends the login page.
Reverse proxy forwards it to the original user.
I’m gonna see if I can modify my custom reverse proxy to rate limit and IP log.
Next we put Cloudflare in front and set up a firewall using the threat AI score and block certain User Agents (it’s easy to bypass, but it’s good for starters). Using Cloudflare analytics data we can pinpoint where attacks are coming from.

Are there any logs on who logged in and at what time? And there’s no harm in collecting the IP address, sometimes the attacker might not be in a VPN.

These ideas are great, but I must tell you that a hacker has got into our system and made the site NSFW. Avoid gogs at all costs.

thank you

Yeah the project just got banned. I think you may want to talk to support.

no, we changed the name to protect our users

staff at gogs are having a meeting tonight

(screenshot attached: Screenshot 2020-03-05 at 8.05.36 AM)

Ah, I see.

Well. @jenn also unlisted our NSFW post in the #the-gallery

Good luck I guess. Sorry about all of the hacks.

It’s fine, we are still going.

But I have a feeling that gogs won’t last very long.

topic: Warning for the glitchers!

I think there should be a status page for Gogs.

@khalby786 Very good idea! Do you think we should use Glitch or an external site?

An external site is what I suggest.

We can use StatusPage.

And PS: this is the last communication we will be posting. We plan to move all gogs stuff to Reddit.

Fresh Status, I would suggest.