Fixed Security Exploit: Clickjacking

Posted in Announcements
Please login to contribute to the conversation.
On September 14th, 2020 at 11:37am (UTC-4) we were made aware of a potential security exploit. We promptly reviewed our internal systems and resolved the issue at approximately 3:25pm (UTC-4) the same day.

The issue did not affect any Donut Team account, but we are reporting it here for transparency.

What was the exploit?
A misconfiguration in a piece of our server software allowed the Donut Team website to be embeded on to another website. This allowed malicious behaviors such as embedding our login page to another site and putting transparent text boxes over ours to steal usernames and passwords. This is known as Clickjacking.

We did have a secondary piece of protection inside the Donut Team website that would work if your web browser was out of date or if you had a malicious extension or add-on preventing our server from telling your web browser to not allow this behavior, however this additional protection can be avoided by attackers by using certain HTML attributes such as "sandbox" or if the user disables JavaScript in their browser.

We believe the issue originated during migration of the site to a new server.

To our knowledge, this exploit did not impact any Donut Team users, meaning no one's personal details or accounts have been stolen with this method.

Who reported it?
The person who has reported this issue has not given Donut Team the ability to publish their name. As such, we will omit this information unless they ask us to share it.

Additional Information
  • Because this issue does not directly relate to the code powering the website, the website's version number will not increment.

Jake AndreĂžli
Community Director