No, this is not a clickbait; it really has gone wrong. I wanted write what happened so consequences of mishandled secrets will be written somewhere.
It was a Discord bot with 33 servers to his credit and a desire to run the bot 24/7 on one of my computers. I haven’t had any knowledge about the source code and I just wanted to execute the current code.
Around 5pm (17h), i was DMed by the developer who tells me that many servers have been “hacked”1 since the I host the bot. Of course, I’m a little bit surprised and started to read the logs. No traces of suspicious connections, no email from Fail2ban. Moreover, I’m not a interesting target for the attackers so I can exclude this hypothesis. Then, I advance on a scary one: the token could have accidentally been uploaded and stolen. The developer answers me that the token couldn’t have been posted because it was hidden. I continued by getting the repository’s URL and accessing it. In there, I found a .gitignore but in the form of a folder. I looked around a bit and oh, surprise! Bot sources.
First of all, for those who do not know: in order to ignore a file or a folder in a repository, you must create a .gitignore file and put in all the things to ignore. A folder will still be versioned even if hidden on a GNU/Linux system.
I then looked at the huge main file and scrolled to the last line. Guess what was there? (Why am I asking you to guess what’s in the file, while you’re reading behind your screen?) Well, I found the almighty token which caused all the troubles.
Personally, I did not appreciate to see the plain text token lost in the main code. In fact, it made me mad to see a token, which equates to a couple identifier/password (credentials), hard-coded and in plain text. Many unpleasant things happened, including a videomaker who took the opportunity to make a video to throw her ~3k sub’ against an innocent person who did nothing. I did not see the first video at all. Given the opinions that came back, it was mostly negative with charges launched without obvious evidence. On the crowd side, we do know only one thing: many servers have been destroyed.
I wrote an announcement as quickly as I could with my fingers, trying to give a start of an explanation to the public. Then, a lot of oral explanations. DURING FOUR FUCKING HOURS TO EXPLAIN TO ALL GUYS WHEN YOU’RE STOPPED EACH TWO WORDS! Uhhgrrrr…. That wasn’t pleasant at all, mostly when nobody is really listening to you, stops you each two words and never gives you time to clearly explain. I admit we ended doing a video in order to explain, instead of trying to be heard.
Consequences of this incident
Here, I approach the sensitive part and I may be salty. You have been warned. Compared to mood swings and all things like that, that touched implicated people, around destroyed 30 servers, is. Nothing. Yeah, you read right: this is nothing compared to harm did to people concerned. 30 servers is nothing compared to damages provoked by the off-the-guidelines who constituated a lot of raid servers that we don’t want to hear about. Or that we hear from time to time via friendly people bawling some cobblestones filled with faults. (was sarcastic, of course).
Before starting to send me emails and writing me words filled with hate and/or howls, imagine just a second that your bot has accidentally destroyed around 30 servers. This is uncomfortable. But, moreover, you’re being attacked in DMs by many other persons, who know nothing or too few informations about what happened. But, not smalls attacks. Messages filled of insults, hate and personal attacks. Would you feel good? The answer seems obvious, and I let you answer it. Now, imagine this with 94 destroyed servers because I messed up with the token. It would surprise me, but after all, I can fuck up on something like that too.
For me, it made me mad with extra spice when I’ve been stopped in my reasoning each two seconds by persons who often (sorry for the expression) did not gave a fuck about what i was saying.
What you have to remember about this mess
First of all, correctly manage your secrets in your programmes. Please, never write an API token in the main code, plain text and clearly visible. And if you commit and upload it on a server accidentally, revoke the token. Then, when you have a mess like that, do not start to insult the whole world and do everything against involved persons. You should rather wait that people come to explain what happened in details. It permits to avoid misunderstandings that can happen.
Hacked: A word that many members misuse to describe what the word implies. It’s not the most appropriated word, but eh. Let’s move on. ↩