Manga scanlation giant MangaDex has been temporarily shut down after suffering a cyberattack and having its source code stolen.
MangaDex is one of the largest manga scanlation (scanned translations) sites where visitors can read manga comics online for free. According to SimilarWeb, MangaDex is the 179th most frequently visited site on the web, with over 76 million visitors per month.
After suffering a series of outages since March 17th, MangaDex revealed yesterday that a threat actor had gained access to an admin and developer account, as well as the source code to the site.
According to an announcement now showing on Mangadex.org, a threat actor gained access to the site after stealing an admin user’s session token through a website vulnerability.
“Three days ago (2021-03-17), we correctly identified and reported that a malicious actor had managed to gain access to an admin account through the reuse of a session token found in an old database leak through faulty configuration of session management.”
“Following that event, we moved to identify the vulnerable section of code and worked to patch it up, also clearing session data globally to thwart further attempts at exploitation through the same method,” MangaDex disclosed on their website.
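The announcement describes session tokens that stayed valid long after they appeared in an old database leak. As an added example (not MangaDex's code), the Python below shows the three controls that break that chain: persisting only a hash of each token so a dumped table cannot be replayed, an absolute expiry, and an epoch counter that invalidates every outstanding session at once, which is the global clearing of session data the site describes. Class and method names are assumptions.

```python
import hashlib
import secrets
import time

# Constructed example of a session store that survives a database leak.
# Names (SessionStore, issue, lookup, revoke_all) are hypothetical.
class SessionStore:
    def __init__(self, ttl_seconds=7 * 86400):
        self.ttl = ttl_seconds      # absolute lifetime of a session
        self.epoch = 0              # bumped to invalidate all sessions
        self._rows = {}             # token_hash -> (user_id, issued_at, epoch)

    @staticmethod
    def _digest(token):
        # Only this digest is stored; the raw token never touches the DB.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 bits of randomness
        self._rows[self._digest(token)] = (user_id, now, self.epoch)
        return token                        # returned to the client once

    def lookup(self, token, now=None):
        now = time.time() if now is None else now
        key = self._digest(token)
        row = self._rows.get(key)
        if row is None:
            return None
        user_id, issued_at, epoch = row
        # Reject sessions from a previous epoch or past their lifetime.
        if epoch != self.epoch or now - issued_at > self.ttl:
            self._rows.pop(key, None)
            return None
        return user_id

    def revoke_all(self):
        # Global invalidation: every existing row now has a stale epoch.
        self.epoch += 1

    def dump(self):
        # What an attacker obtains from a leaked copy of the table.
        return dict(self._rows)


def demo():
    store = SessionStore(ttl_seconds=3600)
    t0 = 1_600_000_000                     # constructed fixed clock
    tok = store.issue("admin", now=t0)
    leaked_hash = next(iter(store.dump()))  # only the digest leaks
    live = store.lookup(tok, now=t0 + 60)
    replayed = store.lookup(leaked_hash, now=t0 + 60)
    store.revoke_all()
    after_revoke = store.lookup(tok, now=t0 + 120)
    return live, replayed, after_revoke    # ("admin", None, None)
```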
Using this token, the hacker was able to gain full access to the website and download the site’s source code. The attacker then published the site’s source code on GitHub using the alias ‘holo-gfx.’
While the site’s developers audited their code and fixed vulnerabilities, the attacker taunted them with comments each time a vulnerability was fixed.
When asked what type of vulnerabilities were fixed, the threat actor stated the first was a “File type confusion” bug, and the second they were keeping secret.
After MangaDex learned that the threat actor still had access to their environment, they announced that they were temporarily shutting down the site while they worked on and launched a more secure ‘v5’ version of the site.
“Due to a recent hacking incident, MangaDex will be down until further notice.
Instead of keeping up a likely vulnerable website and wasting our time and efforts playing cat-and-mouse with constant attacks from DDoS to hacking, we have decided to take this opportunity to refocus and expedite our planned rewrite of the site, called v5. Contrary to our original plans, however, we will be launching this v5 as soon as the minimum essential features are ready.
As developing and maintaining MangaDex is nobody’s actual job, it is difficult to give an accurate estimate as to when we’ll be back up and running. It should go without saying that every one of us wants it to happen as soon as safely possible.
That said, if everything goes as smoothly as we dare to hope, we could be looking at a downtime of just a week or two. Or three.” – MangaDex.
However, the threat actor remains undaunted, stating that there are further RCE vulnerabilities and web shells in place that MangaDex’s code rewrite would protect against. Whether this is true is unknown.
The threat actor also states that they have dumped the MangaDex database but have not published it anywhere.
Due to the largely unfettered access the threat actor appeared to have on the site, MangaDex stated that all users should assume that their data has been exposed.
“Moving forward however, it is in both our users’ interest and ourselves that we will consider the database breached,” MangaDex warned.
With this in mind, it is advised that all users change their passwords at any other site where they used the same password as on MangaDex.
If the database is eventually published, users should be on the lookout for phishing scams conducted by other threat actors.