Crunchyroll's recent failure
8032 cr points
32 / M
Posted 11/4/17 , edited 11/28/17
Until Crunchyroll defaults to an HTTPS site, you're still asking for problems. I'm not the one that hacked you, but I've been telling you about these problems for over a year now and you've done nothing to fix them. Congrats on your recent failure.
I've told you about sending and storing user credentials in plaintext, about your use of Adobe Flash, about so many problems that you all just copy-paste answers to instead of FIXING them for over a year now!
Someone comes along and hacks your site to put all of us at risk and you're all like, "Oops, we had no idea."

Congratulations on your recent failure. It's not your first and hardly your last.

PS -- Using Nginx 1.10.3 is only almost a year old. Too bad they're at 1.13.6 now. Please tell me that your version of Ubuntu is at least up-to-date as well?

So, define a character set in your site to avoid cross-character vulnerabilities where someone uses a different character set to exploit weaknesses, set your metadata so that you're not announcing that you're using an outdated Nginx version, and for Pete's sake encrypt SOMETHING!
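
Added example, not part of the original post or of Crunchyroll's code: a small Python check for the points raised above (no HTTPS by default, a `Server` header that announces the Nginx version, no declared character set), extended to session cookie flags. The two responses, the hostname `www.example.test` and the finding codes are constructed for illustration.

```python
import re

# Constructed sample responses (not captured from any real site).
WEAK = {
    "url": "http://www.example.test/login",
    "headers": [
        ("Server", "nginx/1.10.3"),
        ("Content-Type", "text/html"),
        ("Set-Cookie", "sess_id=abc123; Path=/"),
    ],
}
HARDENED = {
    "url": "https://www.example.test/login",
    "headers": [
        ("Server", "nginx"),
        ("Content-Type", "text/html; charset=utf-8"),
        ("Strict-Transport-Security", "max-age=31536000"),
        ("Set-Cookie", "sess_id=abc123; Path=/; Secure; HttpOnly"),
    ],
}

def audit(response):
    """Return a sorted list of finding codes (hypothetical names) for one response."""
    findings = set()
    https = response["url"].lower().startswith("https://")
    headers = [(k.lower(), v) for k, v in response["headers"]]
    names = {k for k, _ in headers}
    if not https:
        findings.add("no-https")            # page served over plaintext HTTP
    elif "strict-transport-security" not in names:
        findings.add("no-hsts")             # HTTPS, but browsers are not pinned to it
    for name, value in headers:
        if name == "server" and re.search(r"/\d", value):
            findings.add("server-version-disclosed")
        if name == "content-type" and value.lower().startswith("text/"):
            if "charset=" not in value.lower():
                findings.add("no-charset")  # browser is left to guess the encoding
        if name == "set-cookie":
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            if "secure" not in attrs:
                findings.add("cookie-not-secure")
            if "httponly" not in attrs:
                findings.add("cookie-not-httponly")
    return sorted(findings)

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(resp))
```

On Nginx, the version banner and the missing character set are addressed by the `server_tokens off;` and `charset utf-8;` directives. The check only reads response headers, so a character set declared solely in an HTML `<meta>` tag is not seen by it.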
14528 cr points
38 / M
Posted 11/4/17 , edited 11/4/17
"It costs <insert amount> to implement the most basic security, so unless you can prove to us that we will lose this amount otherwise, fuck you" is the standard response I bet.

This needs to become a major news story, and not just in niche anime circles, for them to take notice.
4023 cr points
Posted 11/4/17 , edited 11/4/17
What really annoys me is there has still been no public announcement. CR should have sent out emails as soon as this happened. As soon as they regained control over the site, they should have put up a big banner on the CR homepage linking to an explanation of what happened. As of yet, I haven't seen any of these things. This is a very irresponsible way to respond to this kind of hack. Less tech-savvy people or people who don't frequent the forums might still be installing the previously downloaded "crunchyrollviewer.exe" malware on their computer! Seems like CR cares more about protecting their PR than protecting their users.
54289 cr points
61 / M / Earth
Posted 11/4/17 , edited 11/5/17

Shisa03 wrote:

What really annoys me is there has still been no public announcement.


This is it, "datePublished":"2017-11-05T01:12:32

https://blog.ellation.com/crunchyroll-com-update-a2a593cf9155
2020 cr points
23 / M
Posted 11/5/17 , edited 11/5/17

D3m0n1q_733rz wrote:

Until Crunchyroll defaults to an HTTPS site, you're still asking for problems. I'm not the one that hacked you, but I've been telling you about these problems for over a year now and you've done nothing to fix them. Congrats on your recent failure.


You're right about this having been a thing for ages,
http://www.crunchyroll.com/forumtopic-984035/https?pg=0

HTTPS is not difficult or expensive to implement, and they already have certificates for it since the login page is secured.
From a technical standpoint the only thing holding CR back on doing this is effort.

Using Flash is another story, it's outdated and has been phased out on almost every other streaming service, including illegal ones.

It is beyond me why CR thinks it's OK to use 2003 era tech to back up a paid service.
8032 cr points
32 / M
Posted 11/5/17 , edited 11/5/17
Well, as far as Flash goes, they require you to pay to use their outdated beta version of their video player that doesn't use Flash. So, if you want security, shell out to beta test it.
But yes, people can still steal and modify cookies for login data.
Well, here's hoping they get on the ball about it.

Looking at the code, actually, it looks like I could optimize some of their Java to handle better compression and reduce server strain. If they just toss it into an optimizer, they'll reduce it by at least another 25% after compression.
108371 cr points
57 / M / U.S.A. (mid-south)
Posted 11/5/17 , edited 11/5/17

D3m0n1q_733rz wrote:

Well, as far as Flash goes, they require you to pay to use their outdated beta version of their video player that doesn't use flash.

My understanding is the beta HTML5 player was pulled a while back. Even if one had Premium+, it does not currently appear to be available.


Looking at the code, actually, it looks like I could optimize some of their Java to handle better compression and reduce server strain.

Are you confusing Java with JavaScript?

8032 cr points
32 / M
Posted 11/5/17 , edited 11/5/17
Well there you go, they pulled the secure player out. But yes, I meant JavaScript. I tend to work more with programming. But they need to get the HTML5 player running and replace Flash already. We've already had to change browsers just to use Crunchyroll. Chrome doesn't even support it anymore. It's about time they do something about getting up to date.
31 cr points
28 / M
Posted 11/5/17 , edited 11/14/17

D3m0n1q_733rz wrote:

We've already had to change browsers just to use Crunchyroll. Chrome doesn't even support it anymore. It's about time they do something about getting up to date.


Do you mean that Chrome does not support running Crunchyroll? I'm pretty sure I'm using Chrome at the very moment I write this?
Anyways I do agree with you all that there are big and urgent improvements that should be made. They are getting paid to make a limited amount of animes available and while licensing is a big part of it, at least the site, webplayer and anything on the site should be secure enough to handle attacks. Why should one pay money gained with effort to a company that does not put in enough of their own effort? It should be basic knowledge for a company. Maybe they are too focused on trying to translate news of anime series coming up and news about manga and anime?

108371 cr points
57 / M / U.S.A. (mid-south)
Posted 11/5/17 , edited 11/6/17

D3m0n1q_733rz wrote:
We've already had to change browsers just to use Crunchyroll. Chrome doesn't even support it anymore.

A few minutes ago, using Chrome on my PC:



Your technical credibility is diminishing with each post.

8032 cr points
32 / M
Posted 11/5/17 , edited 11/6/17
Are you using the most recent version of Chrome?
31 cr points
28 / M
Posted 11/6/17 , edited 11/6/17

D3m0n1q_733rz wrote:

Are you using the most recent version of Chrome?


I actually wasn't. It was Version 61.0.3163.100. But now it's updated to Version 62.0.3202.75 (Official version) (64 bits) and it is working still. Could it be that something is out of date on your system that might be blocking the player or might be disabling the Flash player? Well, in any case I'd like to repeat the actual topic of the post which is that Crunchyroll really should sharpen up their security.

108371 cr points
57 / M / U.S.A. (mid-south)
Posted 11/6/17 , edited 11/6/17

D3m0n1q_733rz wrote:

Are you using the most recent version of Chrome?




8032 cr points
32 / M
Posted 11/6/17 , edited 11/6/17
After a bit more research, the problem is the SEI score in Chrome that will either ask you to enable Flash or it won't based on how often the site is visited with the browser. So, in essence, based on parameters, it would seem we're both right.
P-Rank 
420 cr points
31 / M / Massachusetts
Posted 11/6/17 , edited 11/28/17
The back-end of Crunchyroll is outsourced overseas on the cheap. That's why the site's video performance is spotty, there's constant downtimes and why they're still using Flash. The quality vs subscription cost is absolutely outlandish and if there were a seriously better alternative I would use it. I would go so far as to say there's a serious opportunity for a competitor to swoop in at the moment considering how badly C.R is being handled.