Hi,

I am sad to say that there was a compromise of the WineHQ database system.

What we know at this point is that someone was able to obtain unauthorized access to the phpmyadmin utility. We do not know exactly how they obtained access; it was either by compromising an admin's credentials, or by exploiting an unpatched vulnerability in phpmyadmin.

We had reluctantly provided access to phpmyadmin to the appdb developers (it is a very handy tool, and something they very much wanted). But it is a prime target for hackers, and apparently our best efforts at obscuring it and patching it were not sufficient.

So we have removed all access to phpmyadmin from the outside world.

We do not believe the attackers obtained any other form of access to the system.

On the one hand, we saw no evidence of harm to any database. We saw no evidence of any attempt to change the database (and candidly, using the real appdb or bugzilla is the easy way to change the database).

Unfortunately, the attackers were able to download the full login database for both the appdb and bugzilla. This means that they have all of those emails, as well as the passwords. The passwords are stored encrypted, but with enough effort and depending on the quality of the password, they can be cracked.

This, I'm afraid, is a serious threat; it means that anyone who uses the same email / password on other systems is now vulnerable to a malicious attacker using that information to access their account.

We are going to be resetting every password and sending a private email to every affected user.

This is again another reminder to never use a common username / password pair. This web site provides further advice as well: http://asiknews.wordpress.com/2011/03/02/best-practice-password-management-for-internet-web-sites/

I am very sad to have to report this. We have so many challenges in our world today that this is a particularly painful form of salt for our wounds.

However, I think it is urgent for everyone to know what happened.

Cheers,

Jeremy
Thank you so much for letting the users know so early on. Bugzilla/forum passwords should probably be reset as well for appdb users; there's no doubt most people share passwords with the appdb.

On Tue, Oct 11, 2011 at 8:13 PM, Jeremy White <jwhite at codeweavers.com> wrote:
> Hi,
>
> I am sad to say that there was a compromise of the WineHQ database system.
>
> What we know at this point is that someone was able to obtain unauthorized access to the phpmyadmin utility. We do not know exactly how they obtained access; it was either by compromising an admin's credentials, or by exploiting an unpatched vulnerability in phpmyadmin.
>
> We had reluctantly provided access to phpmyadmin to the appdb developers (it is a very handy tool, and something they very much wanted). But it is a prime target for hackers, and apparently our best efforts at obscuring it and patching it were not sufficient.
>
> So we have removed all access to phpmyadmin from the outside world.
>
> We do not believe the attackers obtained any other form of access to the system.
>
> On the one hand, we saw no evidence of harm to any database. We saw no evidence of any attempt to change the database (and candidly, using the real appdb or bugzilla is the easy way to change the database).
>
> Unfortunately, the attackers were able to download the full login database for both the appdb and bugzilla. This means that they have all of those emails, as well as the passwords. The passwords are stored encrypted, but with enough effort and depending on the quality of the password, they can be cracked.
>
> This, I'm afraid, is a serious threat; it means that anyone who uses the same email / password on other systems is now vulnerable to a malicious attacker using that information to access their account.
>
> We are going to be resetting every password and sending a private email to every affected user.
>
> This is again another reminder to never use a common username / password pair. This web site provides further advice as well:
> http://asiknews.wordpress.com/2011/03/02/best-practice-password-management-for-internet-web-sites/
>
> I am very sad to have to report this. We have so many challenges in our world today that this is a particularly painful form of salt for our wounds.
>
> However, I think it is urgent for everyone to know what happened.
>
> Cheers,
>
> Jeremy
Hey everyone,

On 10/11/2011 09:13 PM, Jeremy White wrote:
> Hi,
>
> I am sad to say that there was a compromise of the WineHQ database system.
>
> What we know at this point is that someone was able to obtain unauthorized access to the phpmyadmin utility. We do not know exactly how they obtained access; it was either by compromising an admin's credentials, or by exploiting an unpatched vulnerability in phpmyadmin.
>
> We had reluctantly provided access to phpmyadmin to the appdb developers (it is a very handy tool, and something they very much wanted). But it is a prime target for hackers, and apparently our best efforts at obscuring it and patching it were not sufficient.
>
> So we have removed all access to phpmyadmin from the outside world.
>
> We do not believe the attackers obtained any other form of access to the system.
>
> On the one hand, we saw no evidence of harm to any database. We saw no evidence of any attempt to change the database (and candidly, using the real appdb or bugzilla is the easy way to change the database).
>
> Unfortunately, the attackers were able to download the full login database for both the appdb and bugzilla. This means that they have all of those emails, as well as the passwords. The passwords are stored encrypted, but with enough effort and depending on the quality of the password, they can be cracked.
>
> This, I'm afraid, is a serious threat; it means that anyone who uses the same email / password on other systems is now vulnerable to a malicious attacker using that information to access their account.
>

You may also want to change your testbot password if you re-used your password. https://testbot.winehq.org/ForgotPassword.pl

Cheers,
Maarten
On Tue, Oct 11, 2011 at 9:13 PM, Jeremy White <jwhite at codeweavers.com> wrote:
> Hi,
>
> I am sad to say that there was a compromise of the WineHQ database system.
>
<snip>

Hi, one question. I'm not worried about my current account, but I had an old email with an old password recorded in my keychain store. I tried that email at appdb.winehq.org but it said "user does not exist". Can I assume it was completely deleted?

Regards,
--
Per Johansson
On Oct 11, 2011, at 12:13 PM, Jeremy White wrote:
> What we know at this point is that someone was able to obtain unauthorized access to the phpmyadmin utility. We do not know exactly how they obtained access; it was either by compromising an admin's credentials, or by exploiting an unpatched vulnerability in phpmyadmin.

Insecure HTTP access?

> Unfortunately, the attackers were able to download the full login database for both the appdb and bugzilla. This means that they have all of those emails, as well as the passwords. The passwords are stored encrypted, but with enough effort and depending on the quality of the password, they can be cracked.
>
> This, I'm afraid, is a serious threat; it means that anyone who uses the same email / password on other systems is now vulnerable to a malicious attacker using that information to access their account.

Since bugzilla passwords were sent in cleartext anyway, I sincerely hope none of them were otherwise valuable. (Remember FireSheep?)

> We are going to be resetting every password and sending a private email to every affected user.

You might also consider expiring old login cookies.

> This is again another reminder to never use a common username / password pair. This web site provides further advice as well:
> http://asiknews.wordpress.com/2011/03/02/best-practice-password-management-for-internet-web-sites/

Josh
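The response the announcement describes (reset every password, mail each user privately) together with the cookie expiry Josh suggests, as an added example that is not from this thread or from WineHQ's own code. The users/sessions schema, the sample rows and the 24-hour token lifetime are assumptions; the one-time token is stored only as a hash so that a second dump of the table cannot be turned into working reset links.

```python
import hashlib
import secrets
import sqlite3
import time

# Constructed sample login table (hypothetical schema, not WineHQ's appdb or bugzilla).
SAMPLE_USERS = [("alice@example.org", "hash-placeholder-1"),
                ("bob@example.org", "hash-placeholder-2")]
RESET_TTL = 24 * 3600  # assumption: reset links expire after one day

def open_db():
    """In-memory database with one users table and one server-side sessions table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT,
                            reset_token_hash TEXT, reset_expires INTEGER);
        CREATE TABLE sessions (sid TEXT PRIMARY KEY, email TEXT NOT NULL);
    """)
    db.executemany("INSERT INTO users(email, password_hash) VALUES (?, ?)", SAMPLE_USERS)
    db.executemany("INSERT INTO sessions VALUES (?, ?)",
                   [("sid-alice-1", "alice@example.org"), ("sid-bob-1", "bob@example.org")])
    return db

def force_reset_all(db, now=None):
    """Lock every account and drop every session; return {email: one-time token} for private mail."""
    now = int(time.time()) if now is None else now
    tokens = {}
    for (email,) in db.execute("SELECT email FROM users").fetchall():
        token = secrets.token_urlsafe(32)
        # Store only a hash of the token: a second dump of this table must not yield usable links.
        db.execute("UPDATE users SET password_hash = NULL, reset_token_hash = ?, "
                   "reset_expires = ? WHERE email = ?",
                   (hashlib.sha256(token.encode()).hexdigest(), now + RESET_TTL, email))
        tokens[email] = token
    db.execute("DELETE FROM sessions")  # stolen or stale login cookies stop working immediately
    db.commit()
    return tokens

def password_login_allowed(db, email):
    """A NULL hash means the account stays locked until the reset is completed."""
    row = db.execute("SELECT password_hash FROM users WHERE email = ?", (email,)).fetchone()
    return row is not None and row[0] is not None

def session_valid(db, sid):
    """A cookie is only good while its server-side session row still exists."""
    return db.execute("SELECT 1 FROM sessions WHERE sid = ?", (sid,)).fetchone() is not None

def redeem_reset(db, email, token, new_password_hash, now=None):
    """Accept a token once, before expiry, compared in constant time; install the new hash."""
    now = int(time.time()) if now is None else now
    row = db.execute("SELECT reset_token_hash, reset_expires FROM users WHERE email = ?",
                     (email,)).fetchone()
    if row is None or row[0] is None or now > row[1]:
        return False
    if not secrets.compare_digest(row[0], hashlib.sha256(token.encode()).hexdigest()):
        return False
    db.execute("UPDATE users SET password_hash = ?, reset_token_hash = NULL, "
               "reset_expires = NULL WHERE email = ?", (new_password_hash, email))
    db.commit()
    return True
```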
OK, it's good that you inform us. However, I have a few passwords that I cycle and I don't remember which one I was using here. Is there any way of viewing the old password?
Hi Jeremy,

Could you please reveal details on how the passwords were "encrypted"? Which hash function, were they salted, was the salt compromised? This would help the users evaluate just how much is "enough effort" to crack the passwords.

Thank you.

--
Vasiliy Faronov
> Unfortunately, the attackers were able to download the full login database for both the appdb and bugzilla. This means that they have all of those emails, as well as the passwords. The passwords are stored encrypted, but with enough effort and depending on the quality of the password, they can be cracked.

Could you please explain in detail how these passwords were "encrypted"? Were they hashed? Using which hash function? Did you use a SALT? I have a simple password that I use for sites like these, which means that the hackers now have access to other forums and bug trackers I am registered in. It's not a problem for me.
On Tue, Oct 11, 2011 at 9:13 PM, Jeremy White <jwhite at codeweavers.com> wrote:
> Hi,
>
> I am sad to say that there was a compromise of the WineHQ database system.
>
> What we know at this point is that someone was able to obtain unauthorized access to the phpmyadmin utility. We do not know exactly how they obtained access; it was either by compromising an admin's credentials, or by exploiting an unpatched vulnerability in phpmyadmin.
>

Jeremy,

Almost 2 years ago I sent you an email privately about a security hole with the database. To be exact, the date of the email is Wed, Jul 29, 2009, 12:00 AM (GMT +02:00). I guess that's probably the same trick the bad guys have used...

Kind regards,

Matijn Woudt
Hello Jwhite,

Could you share the encryption procedure your system was using to store the hashes in the database? Was it using the secret word which also became public domain? Was it a default Bugzilla authorization method? How much time would it require to brute force the passwords?

In the future try to avoid using "out of the box" encryption which allows passwords to be brute forced. If an attacker didn't know the algorithm the hash was generated with, it would be nearly impossible to brute force the hashes. I recommend moving the authorization mechanics out of the host directories in a way which would prevent an attacker who gained control over the virtual host files from reading the authorization algorithms.

How is it possible that you don't know how the passwords were stolen but you know that they were stolen? Isn't there an HTTP secure log archive? Check out the host secure log. It's important to understand how the info leaked in order to close the leak. Maybe an attacker gained access to another virtual host and through that access downloaded the database. In this case you may lose information again. The key to the answer HOW is the apache & mysql logs; scrutinize them and you'll understand what happened. If there is an unknown bug in mysqladmin you will immediately catch it. At least you will know if an attacker got DB access through your host.

Many people around here might be interested whether it's really worth changing passwords which are at least 6 letters in length. You told us that phpmyadmin was obfuscated; that excludes a scanner getting access over the database. Hacking WINE bugzilla is a foul job and only a teenager kid (or a man who is still young in his soul) would ever do that. Kids are usually gaining access to the filesystem first. Check out if there is a change in templates... which leaked the cookies or passwords in files which could be read.

The worst thing that could happen is that the passwords would be decrypted and added to the automatic scanners which probe the online services, but I doubt that kind of intelligence from a person hacking bugzillas.

Thanks for letting us know; most of the services prefer to keep silent over these problems.

--
Best regards,
Igor
mailto:sprog at online.ru
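Igor's point that the apache and mysql logs are the key to how the database left the system, as an added example that is not from this thread or from WineHQ's own tooling: a small audit over constructed Apache combined-format lines that flags phpmyadmin requests from outside an admin allowlist and successful export.php responses large enough to be a whole-table dump. The "/obscured-pma/" path, the 10.0.0.0/8 allowlist, the 1 MB threshold and every log line are assumptions made up for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed Apache combined-log lines. "/obscured-pma/" stands in for the hidden phpmyadmin
# location the announcement describes; it is a placeholder, not WineHQ's real path.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Oct/2011:10:02:11 +0000] "GET /obscured-pma/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Oct/2011:11:40:01 +0000] "POST /obscured-pma/index.php HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Oct/2011:11:40:09 +0000] "GET /obscured-pma/export.php?db=appdb HTTP/1.1" 200 9934551 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Oct/2011:11:41:30 +0000] "GET /obscured-pma/export.php?db=bugs HTTP/1.1" 200 7120443 "-" "Mozilla/5.0"
198.51.100.2 - - [11/Oct/2011:12:00:00 +0000] "GET /appdb/index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')
ALLOWED_NETS = [ip_network("10.0.0.0/8")]  # assumption: the only networks admins use phpmyadmin from
PMA_PREFIX = "/obscured-pma/"
EXPORT_THRESHOLD = 1_000_000               # bytes; a whole login table leaving as one response

def parse(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def audit_pma_access(text):
    """Return (findings, hits_per_outside_ip): phpmyadmin requests from outside the allowlist
    and successful export.php responses big enough to be a table dump."""
    findings, per_ip = [], Counter()
    for line in text.splitlines():
        rec = parse(line)
        if rec is None or not rec["path"].startswith(PMA_PREFIX):
            continue
        src = ip_address(rec["ip"])
        if not any(src in net for net in ALLOWED_NETS):
            per_ip[rec["ip"]] += 1
            findings.append(("pma_from_unexpected_ip", rec["ip"], rec["ts"], rec["path"]))
        if "/export.php" in rec["path"] and rec["status"] == "200" and rec["size"] >= EXPORT_THRESHOLD:
            findings.append(("large_export", rec["ip"], rec["ts"], rec["path"]))
    return findings, per_ip

if __name__ == "__main__":
    for finding in audit_pma_access(SAMPLE_LOG)[0]:
        print(*finding)
```

The same two rules apply unchanged to a real access_log once PMA_PREFIX and ALLOWED_NETS are set to the site's own values; the mysql general or binary log can then be checked for SELECT or mysqldump activity at the flagged timestamps.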
tijnema wrote:
> On Tue, Oct 11, 2011 at 9:13 PM, Jeremy White <jwhite at codeweavers.com> wrote:
> > Hi,
> >
> > I am sad to say that there was a compromise of the WineHQ database system.
> >
> > What we know at this point is that someone was able to obtain unauthorized access to the phpmyadmin utility. We do not know exactly how they obtained access; it was either by compromising an admin's credentials, or by exploiting an unpatched vulnerability in phpmyadmin.
> >
>
> Jeremy,
>
> Almost 2 years ago I sent you an email privately about a security hole with the database. To be exact, the date of the email is Wed, Jul 29, 2009, 12:00 AM (GMT +02:00). I guess that's probably the same trick the bad guys have used...
>
> Kind regards,
>
> Matijn Woudt

Hindsight, this would have been worth re-mentioning (at least once every few months), or IT WAS YOU :P, you knew a way to access the data and decided that if they weren't gonna patch the hole that you could grab the data and show them how wrong it was to ignore you :D (Joking... or am I).

Seriously, security is mostly a joke, if someone wants to get access they can/will, but that is not to say you should make it easier for them by leaving holes in your security. I hope in the future reports are treated very seriously. PHP is one of the most hackable web services, I am surprised WineHQ has been left alone this long, all my forums have been targeted at one stage of their life cycle. But I now know a way around the security issues (no I won't share or it'll be targeted too).
Could I get my old password hash as well? My Bugzilla account was registered with a different email address, send me a message to this one and I'll respond from the correct one.

Seems to me that a savvy hacker might note a request in the open here as a good account to start attacking first.
It is time to think about what is wrong and what should be improved: codeweavers needs to implement HTTPS (at least with a self-signed cert, to save money, so that it is up to the user to verify the cert), and DNSSEC should also be implemented, like the Debian, Mozilla and tor websites.

--
Thanks
i can't believe you sent emails with passwords in cleartext. thank you so much.

-p

Paul Nakada
paulnakada at yahoo.com
> That's the problem. I don't know what my old password was, so I don't
> know what other sites, if any, I've used it for.

I've just used http://wejn.org/stuff/moz-export.html to discover it (works on GNU/Linux; I'm not an expert, but from the source it doesn't seem to forward your passwords to anyone).

Nemo
jwhite wrote:
> On the other hand, if you use a password that is a dictionary word, or only a trivial distance from a dictionary word, then I would suspect your password would fall to a fairly basic dictionary attack.

Regardless of this incident, anyone using such passwords needs to change them anyway, so maybe this can work as a wake-up call. Someone recently broke into one of my gmail accounts somehow that was using 7 characters, letters and numbers, no words... luckily I don't keep anyone in my online address book except my other accounts, so I just got spammed from my own account and Google disabled my account temporarily due to suspicious activity. Seems like the days of 15-character complex password requirements are getting here soon.
On 10/11/2011 09:13 PM, Jeremy White wrote:
> I am sad to say that there was a compromise of the WineHQ database system.

"Nothing Is Invulnerable"

So, now or later, your system will be compromised. The only thing you have to do is to be prepared to face an incident and of course secure your systems to slow the attacker(s) down.

The bugzilla case does not really worry me because it's only bugs. But as CEO, you have to protect your company and your customers. I'm of course a simple "user" of wine and I have absolutely no right to tell you what to do. But something was open, broken or whatever... and now you have to spend time and energy trying to repair the breach. Just don't let it happen again.

There are lots of methods to analyse risk. Depending on what level of security you want, it will cost more or less. Just think about it.

Anyway, thanks for the quick reply; communication is really important in this situation.