Text
Summary: Emergency Maintenance
At approximately 14:00 Server Time on Friday, March 31 the engineering team was alerted to an individual probing for XSS (Cross-Site Scripting) weaknesses by pasting HTML script tags in various text fields on the site, some player-facing and some only visible to staff. Out of an abundance of caution we put the site into maintenance so we could evaluate the situation.
During the maintenance period, we reviewed the attacker's activity, focusing in particular on what fields the attacker typed script tags into. Then, we reviewed what pages (player-facing and staff-facing) display the contents of those text fields, whether those pages are properly escaping the text in question to prevent XSS vulnerabilities, and whether anyone viewed those pages while they potentially contained text content from this attacker.
Because it is part of our development practices to evaluate all new and revamped/refactored features for XSS vulnerabilities, we could not find issues in player-facing areas such as Forums, Private messages, Clan Info, or Dragon Biographies, or our primary staff-facing tools. We did identify and correct issues in some of our rarely used staff-facing tools that were not used while this attacker was active. Additionally, we identified some extremely old code that had potential issues and corrected them, but these areas are not areas where content entered by the attacker could have been viewed by another player or staff.
While XSS has a broad scope, one of the major concerns in any XSS attack is the potential that session cookies—tokens stored in your browser that "prove" that you are a particular logged-in user—could be stolen by an attacker, allowing them to essentially be "logged in" as you without knowing your password. Our session cookies are all set to use the "HttpOnly" flag which means that scripts categorically cannot access them. Barring vulnerabilities in browsers themselves, we do not believe session cookies were immediately at risk. Nonetheless, we revoked all outstanding staff and volunteer moderator sessions early on in our investigation as a safety measure.
Again, while we do not believe player sessions were at risk for the above reasons, if you wish to revoke all outstanding sessions for your account, including those for browsers/devices other than the one you are currently using to interact with the site, you can change your password either via Account Settings or the Forgot Password feature.
In addition to reviewing our existing code, we also looked into ways to detect and block this sort of behavior proactively. We have made some initial changes in that area and we are going to continue to improve our security posture by adding additional layers of protection, detection and alerting. Please bear with us as some of these changes may introduce minor bugs while we fine-tune things.
In summary, at present we believe this individual was at the stage of probing for vulnerabilities, and we used the maintenance period to review and strengthen our protections against this sort of attack. We do not have reason to believe the attacker accomplished anything of major concern at this point.
If you believe you have found a vulnerability of any kind anywhere on Flight Rising, please disclose it to us privately using Contact Us right away.
Thank you for your patience and understanding.
356 notes · View notes
Text
i hope the marva cutout is a completely different dragon next year thatd be so funny
249 notes · View notes
Text
Tumblr media
this fat dragon friday i present to you: more fandragon content (bc i finally actually hatched her!)
64 notes · View notes
Text
Tumblr media
Good evening Flight Rising community
571 notes · View notes
Text
[sits up in bed shaking and sweating] oh my god meditate + eliminate is a perfectly viable build
50 notes · View notes
Text
Tumblr media
this is the 50% egg drop post of luck, reblog for 50% drop rate in your chests
2K notes · View notes
Video
when u get egg from chest
916 notes · View notes
Text
Inspired by the debacle with @gimmethemprimals , I humbly offer these free to use banners
Tumblr media Tumblr media Tumblr media Tumblr media
2K notes · View notes
Text
FR tumblr is wonderful because it feels like a bunch of goblins seated around a campfire making up stories and passing our blorbos around to one another. Scribbling images on the cave walls, completely oblivious to the world above.
130 notes · View notes
Text
FR tumblr is like a small town where everyone knows each other and crime is somehow still so high
Tumblr media
22K notes · View notes
Text
Tumblr media Tumblr media Tumblr media
ELECTRIC EEL
Obsidian / Cyan / Cyan
18 notes · View notes
Text
Hey. Dont cry. 82 million dragons in the world ok?
641 notes · View notes
Text
Tumblr media
Reblog to prove you had an account on November 22, 2022
2K notes · View notes
Photo
Tumblr media
WHOOPS
816 notes · View notes
Photo
Tumblr media Tumblr media Tumblr media Tumblr media Tumblr media
lavender 2073169 / spring 2073172 / primary 2073176
golden 2073180 / royal 2073187
137 notes · View notes
Photo
Tumblr media
Finally finished Yuu, so here he is as a colourful mess!
Tumblr media
187 notes · View notes
Text
Hot take I think okapi would become the ultimate gene if it had a gradient.
Proof: my tundra who I made a skin for to give her gradient okapi
Tumblr media
252 notes · View notes