Transparency Report – Dec 15, 2024
Following the security incident on December 2nd, 2024, we have been continuously investigating security issues and, with the community’s cooperation, have conducted detailed analysis of what actually occurred and its impacts. We are deeply grateful to all community members who have collaborated with Avatown during this process.
Before moving on to the detailed report, we are announcing the launch of our Security Council Program.
We are recruiting community members who can help strengthen our security measures. We would be grateful for your assistance in improving Avatown’s security.
Benefits include:
- Recognition of your contributions on social media and in the popular world The Avatar Studio
- Early access to test new Avatown features
- Other incentives will be announced soon in the program details
For more details, please watch for our upcoming Security Council Program announcement.
Overview
Correction: Our Misidentification of the Security Reporter
Firstly, our investigation revealed that the reporter had actually sent supportive messages about our platform 5 days prior to the incident (which we unfortunately discovered only a week after the incident, in Discord’s spam folder). This indicates their actions were not malicious in nature.
In light of this, we acknowledge that we may have misjudged the situation by initially characterizing the reporter as a malicious actor. This was due to our limited understanding of the full context at the time.
Identified Security Vulnerabilities
- API Endpoint Exposure: Exposed API endpoints enabled unauthorized modification of users’ own product information by bypassing the standard authorization workflows.
- Cross-Site Scripting (XSS) Vulnerability: An XSS vulnerability was detected in the product registration form.
- Product Publication Approval Bypass: An unauthorized publication pathway was identified, enabling users to bypass the standard approval workflow for their own products.
Countermeasures for each vulnerability
- For API Endpoint Exposure: Investigation confirmed multiple API endpoint vulnerabilities in the product information management system. Key remediation actions included:
  - Implementation of enhanced authorization controls
  - Strengthening of request validation parameters
  - Decommissioning of unnecessary API endpoints
- For the Cross-Site Scripting (XSS) Vulnerability: We added sanitization of user input on both the frontend and the backend, making sure no scripts or unwanted tags can be added to the data. The vulnerability was caused by a missing sanitizer implementation, which occurred due to our inadequate supervision of the junior developer’s work. While we had been conducting individual testing and checks, we recognize this was insufficient. We are taking corrective action by improving our testing workflow, adding thorough senior engineer reviews, and implementing comprehensive test automation to prevent similar oversights in the future.
- For the Product Publication Approval Bypass: Investigation revealed that in the beta version of the product there was a route that allowed products to be published without an approval process, and that this route was accessible from the client side. This was a development team oversight during the specification changes from the beta version. We have already improved the system to prevent unauthorized product listings through this route.
Impact on Users
Regarding the part of the report concerning potential price manipulation, our security review confirmed that server-side verification successfully prevented any unauthorized price alterations. While no customer transactions or data were affected, we appreciate this valuable feedback, which helps us strengthen our security measures. We are implementing additional safeguards to further enhance system protection and ensure continued safe service for our users.
Timeline of Events (PST)
- Nov 29, 8:10pm: The reporter sent us a message expressing their support for us. Furthermore, considering that Yuta is Japanese, they had even included a Japanese translation of their message.
(This was our fault: the message was automatically sorted into spam, and since there were no notifications, Yuta, who had not made a habit of checking spam folders, was unaware of the message’s existence until Dec 9.)
- Dec 2, 1:52pm : The reporter created an account
- Dec 2, 2:12pm: The reporter posted their report about a CORS misconfiguration and a server security issue.
Our mistake: The first message we actually saw from the reporter was this one, and we mistakenly interpreted it as someone trying to vandalize our service.
- Dec 2, 2:22pm: The reporter started a first DDoS attack test, which was successfully prevented
- Dec 2, 3:20pm: The reporter edited some data of the reporter’s own product through an API endpoint (API endpoint vulnerability)
- Dec 2, 3:29pm: The reporter purchased the reporter’s own product through an API endpoint (API endpoint vulnerability)
- Dec 2, 3:35pm: Avatown initiated immediate security investigation
- Dec 2, 3:45pm: Avatown found the reporter’s attempt to embed videos via XSS (XSS vulnerability)
- Dec 2, 4:00pm: Following completion of our initial incident analysis, Avatown transitioned to an in-depth investigation of the API endpoints
- Dec 2, 5:42pm: The reporter posted the report on X (Twitter)
- Dec 2, 5:55pm: Avatown ran a system security update
- Dec 2, 6:00pm: Investigation has begun regarding issues reported on Twitter
- Dec 2, 8:30pm: Due to unverifiable claims found in the Twitter posts, Avatown initiated a server shutdown as a precautionary measure to protect customer data
- Dec 2, 10:30pm: Avatown conducted thorough system testing to replicate all reported security issues. Our comprehensive investigation confirmed some of the vulnerabilities from the report, and we implemented improvements and patches to address the vulnerabilities that could be fixed immediately.
- Dec 3, 7:32pm: All emergency security checks and updates have been completed, and services have been restored
- Dec 3, 9:09pm: Someone started a 2nd DDoS attack, which was successfully prevented
- Dec 3, 1:52pm: The reporter attempted to modify other users’ product information as a test from accounts associated with the reporter’s domain; this was successfully prevented
- Dec 9: Yuta found the DM from the reporter in the Discord spam folder and sent an apology message for mistakenly identifying the reporter as an attacker.
Detailed verification of the reports of vulnerabilities
- CORS misconfiguration:
There are no CORS or security issues present with this endpoint. It is not a “GET” endpoint and is not meant to be accessed directly from browsers or client applications. It is a “POST” endpoint that expects a request body with the necessary fields, sent from the origins defined in our CORS configuration, hence the 500 error code. This endpoint works exactly the way it is designed.
- Severe security issues:
We assess that the reported server security concern suggests a potential risk of data leakage from authenticated APIs if the previously mentioned XSS attack were to coincide with a CORS configuration issue. As mentioned earlier, the CORS settings are functioning as intended and the origin settings are properly configured, so we suspect this is a misidentification on the reporter’s part. After conducting a thorough investigation of all systems, we found no problematic issues concerning the server.
- Bypassing product approval process:
This assertion is entirely correct. During the beta phase, the admin approval process was not in place, which left a hidden option still open in the API endpoint that allowed users to publish products directly without approval. This issue has already been resolved by removing the approval bypass route from the client side.
- Ability to purchase anything for Free/Any Price:
Regarding this point, we were unable to reproduce the issue described in the post. Even if such a request were sent, the payment would be processed at the original product price because a server-side price verification process is in place. We believe this report served as a helpful reminder to verify whether Avatown has proper server-side checks in place, and we are grateful for the reporter’s thoughtful concern.
- The reporter dedicated multiple hours to vulnerability testing:
After checking the logs, it appears that the reporter actually spent several hours conducting tests. We are deeply grateful for their support in improving our security. This incident has provided us with an opportunity to conduct a detailed security audit of other potential issues as well.
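As an added illustration, not Avatown’s own code, of the two server-side checks this report relies on, the owner-only authorization on product edits (Countermeasures for API Endpoint Exposure) and the server-side price verification on purchase discussed above, here is a Python sketch with a constructed sample catalogue. The field names, the `Forbidden` exception and the `approved` flag are assumptions for the example.

```python
from dataclasses import dataclass
from decimal import Decimal


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the requested action."""


@dataclass
class Product:
    product_id: str
    owner_id: str
    title: str
    price: Decimal
    approved: bool = False  # set only by the admin approval workflow, never by clients


# Constructed sample catalogue: ids, owners and prices are made up for this example.
PRODUCTS = {
    "prod-1": Product("prod-1", "user-alice", "Fox avatar", Decimal("1200"), approved=True),
    "prod-2": Product("prod-2", "user-bob", "Cat avatar", Decimal("800"), approved=False),
}

# Fields the owner may change; 'approved' and 'owner_id' are deliberately absent,
# so the approval bypass cannot be re-introduced through the edit endpoint.
EDITABLE_FIELDS = {"title", "price"}


def update_product(db, actor_id, product_id, changes):
    """Apply an owner's edits. Authorization is decided here, not trusted from the client."""
    product = db[product_id]
    if product.owner_id != actor_id:
        raise Forbidden("only the owner may edit this product")
    unknown = set(changes) - EDITABLE_FIELDS
    if unknown:
        raise Forbidden(f"field(s) not editable via this endpoint: {sorted(unknown)}")
    if "title" in changes:
        product.title = str(changes["title"])
    if "price" in changes:
        product.price = Decimal(str(changes["price"]))
    return product


def purchase(db, buyer_id, product_id, client_price):
    """Charge the stored price; the client-supplied price is only compared for logging."""
    product = db[product_id]
    if not product.approved:
        raise Forbidden("product has not passed admin approval")
    charged = product.price  # authoritative value from the server-side record
    tampered = Decimal(str(client_price)) != charged
    return {"buyer": buyer_id, "product": product_id, "charged": charged, "tampered": tampered}
```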
Moving Forward
We’re going to have:
- A security bug bounty program
- Regular security audits
- Monthly security reports
Conclusion
We failed in our initial communication with the reporter and incorrectly identified them as a malicious attacker. While the report contained some misleading elements, such as suggesting the ability to purchase others’ items at modified prices (which is actually impossible due to server-side price verification), it ultimately highlighted valid vulnerabilities that Avatown needed to improve upon and contained valuable information.
We are grateful to the reporter for discovering these vulnerabilities and providing us with an opportunity for growth.
Avatown has already applied security patches addressing the reported issues and other vulnerabilities, and we have completed all necessary security improvements. Moving forward, to better protect our customers’ information, we will continue to enhance our security through regular security audits and security checks in collaboration with external partners.
FAQ
Q: Was my data compromised?
A: No. Our investigation confirmed that no user data was accessed or compromised.
Q: Are my product and purchases safe?
A: Yes, absolutely. All avatar files and transaction records remain secure.
Q: Do I need to change my password?
A: While not necessary, we always recommend regular password updates as good security practice.
Q: How can I contact support with concerns?
A: Our support team is available: mention the support team on Discord (@Yuta, @potatochips, @SubieRew or @Shathyan), or send an email directly to the founder at yuta@goavatown.com
Our Commitment
At Avatown, your security is our top priority. We believe in full transparency and will continue to keep you informed about our security measures and any potential concerns.
Thank you for supporting Avatown. We remain committed to providing you with the safest platform for your virtual expression.