As you may already know, we were damaged by a malicious attack: someone found a way to forge login sessions and gain unauthorized access to users' shops using a security hole in the OpenID backend (django-openid-auth) we are using.
The vulnerability was a flaw in the validation of the integrity of a request, allowing attackers to forge login sessions with other people's credentials. We did not expect a current open-source release to still carry such a security problem. We have already updated the package, and it is confirmed that the vulnerability is fixed.
As for why the person who attacked us is on my friend list, that is simply because I was trying to talk to him, and we did. In the end, he did not take full advantage of the security problem and did not bring us into an unrecoverable state. He even returned some of the items and told us what went wrong. We do not agree with what he did, but we appreciate his help in fixing the problem.
Therefore we are going to implement a simple yet effective secondary authentication system that makes use of Steam: an additional security code for shop owners, to ensure that the user using the shop interface is the same person as the user on Steam. We will also disconnect your login session every 6 hours and upon browser closure.
The importance of this security code is that account thieves will not be able to pass the code check unless they have also hijacked your Steam account (which is protected by Steam Guard), preventing unauthorized access through security holes in OpenID, cookies, or other kinds of replay attack. It will also alert you to an unauthorized access attempt when you receive an unexpected message from our bot.
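As an added illustration (not the site's own code, which was never published), this is one way to implement such a code check: each code is bound to the login session and to the Steam account it was sent to, expires, allows a limited number of guesses, and can be used only once, so a forged or replayed session alone cannot pass. The bot delivery callback, the code lifetime and the attempt limit are assumptions; the session settings are the real Django settings for the announced 6-hour and browser-close expiry.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values (not from the announcement): a code lives 5 minutes
# and may be guessed at most 5 times before it is discarded.
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 5

# The announced session policy, as real Django settings: expire the session
# after 6 hours and when the browser closes.
SESSION_SETTINGS = {
    "SESSION_COOKIE_AGE": 6 * 3600,
    "SESSION_EXPIRE_AT_BROWSER_CLOSE": True,
}


class SteamCodeVerifier:
    """Second factor for the shop: the code is delivered only to the Steam
    account the session claims, so a forged session alone cannot pass."""

    def __init__(self, send_steam_message, now=time.time):
        # send_steam_message(steam_id, text) is a hypothetical bot callback.
        self.send = send_steam_message
        self.now = now
        # session_key -> [steam_id, sha256(code), expiry, attempts]
        self.pending = {}

    def issue(self, session_key, steam_id):
        code = f"{secrets.randbelow(10**6):06d}"  # 6 digits from a CSPRNG
        digest = hashlib.sha256(code.encode()).hexdigest()
        self.pending[session_key] = [steam_id, digest, self.now() + CODE_TTL_SECONDS, 0]
        # The message doubles as an alert: an unexpected one means someone
        # else is trying to enter the shop with this account.
        self.send(steam_id, f"Shop login requested. Security code: {code}")

    def verify(self, session_key, steam_id, submitted):
        entry = self.pending.get(session_key)
        if entry is None:
            return False
        bound_id, digest, expiry, attempts = entry
        if bound_id != steam_id or self.now() > expiry or attempts >= MAX_ATTEMPTS:
            del self.pending[session_key]  # other account, stale, or brute-forced
            return False
        entry[3] += 1
        given = hashlib.sha256(submitted.encode()).hexdigest()
        if not hmac.compare_digest(given, digest):
            return False
        del self.pending[session_key]  # single use: a captured code cannot be replayed
        return True
```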
We understand that this increases the complexity of the interface and makes the site somewhat less convenient overall. However, we consider this an essential change, as it is better to also have Steam protect (or reimburse) you. With the security code, which is only sent to your Steam client, there is minimal chance of unauthorized access causing you damage here, and you can claim insurance from Steam if you suffer loss from unauthorized trades.
This is also for the longevity of the website. As of now we are paying for all the loss caused by the malicious attack. We cannot risk getting ourselves into a similar situation again. We will add more defenses even if you feel they are inconvenient or unnecessary.
Thanks again for all your support, especially to people who have helped and donated during the incident.