Hello,
This may not strictly qualify as a “bug” per se, but I would like to highlight an issue that might need your attention. Specifically, the search functionality currently appears to process the entire content of a thread, including sections marked as hidden. While this design is understandable from a general usability point of view, it introduces a "vulnerability" that can be exploited by automated scripts or bots ( which are common on the forum ).
It is possible for someone to develop a scraper that systematically brute-forces links of hidden content. For instance, consider the scenario where one knows that @IntelBroker, typically uploads files to https://files.waifu.cat. A bot could easily automate the process of querying potential URLs by iterating over characters, like this:
If the next character in the sequence aligns with a valid URL, the SQL query executed by the search function returns a positive match and exposes the corresponding thread link.
To demonstrate, I started with the knowledge that @IntelBroker uploads files to https://files.waifu.cat, and after identifying a thread I had not yet unlocked the hidden data for ( https://breachforums.bf/Thread-SOURCE-CO...ata-Breach ), I began iterating through the characters. It took me approximately six minutes to access the hidden data manually.
Might be you don't find this important, but I hope to get your input on this @Hollow. Thanks in advance!
~~ Zixshore ~~
This may not strictly qualify as a “bug” per se, but I would like to highlight an issue that might need your attention. Specifically, the search functionality currently appears to process the entire content of a thread, including sections marked as hidden. While this design is understandable from a general usability point of view, it introduces a "vulnerability" that can be exploited by automated scripts or bots ( which are common on the forum ).
It is possible for someone to develop a scraper that systematically brute-forces links of hidden content. For instance, consider the scenario where one knows that @IntelBroker, typically uploads files to https://files.waifu.cat. A bot could easily automate the process of querying potential URLs by iterating over characters, like this:
- https://files.waifu.cat/a -> Brings results.
- https://files.waifu.cat/ab -> Doesn't bring results.
- https://files.waifu.cat/ac -> Brings results once again.
If the next character in the sequence aligns with a valid URL, the SQL query executed by the search function returns a positive match and exposes the corresponding thread link.
To demonstrate, I started with the knowledge that @IntelBroker uploads files to https://files.waifu.cat, and after identifying a thread I had not yet unlocked the hidden data for ( https://breachforums.bf/Thread-SOURCE-CO...ata-Breach ), I began iterating through the characters. It took me approximately six minutes to access the hidden data manually.
Might be you don't find this important, but I hope to get your input on this @Hollow. Thanks in advance!
~~ Zixshore ~~
This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Self-Ban | http://c66go4clkqodr7tdjfu76jztjs7w7d3fajdeypxn73v4ju3dt7g5yyyd.onion/Forum-Ban-Appeals if you wish to be unbanned in the future.
Ban Reason: Self-Ban | http://c66go4clkqodr7tdjfu76jztjs7w7d3fajdeypxn73v4ju3dt7g5yyyd.onion/Forum-Ban-Appeals if you wish to be unbanned in the future.
