Forum Security Advisory

Discussion in 'Bukkit News' started by Kaelten, Dec 7, 2015.

Thread Status:
Not open for further replies.
  1. Offline


    This is one of those announcements that no one likes to write and absolutely no one likes to read.

    Recently one of our site administrator's accounts was compromised. Malicious third parties proceeded to use this access to inject a piece of malicious javascript on the forum templates allowing them to capture the login and plain text passwords of anyone that logged in to the forums while it was present. This attack was limited only to Bukkit's forums and did not affect other sites in the network.

    We were notified of this issue by a member of the community: Max Korlaar. We greatly appreciate them and their report, and will be offering them a bounty commiserate with their contribution. Additionally we'll be formalizing a full bug bounty program in the near future, as well as publishing reporting channels and standards for responsible disclosure.

    Upon receipt we immediately began investigating the report. This effort revealed several areas for us to address. Many of these required significant investigation to make sure they were resolved correctly. In an effort to prevent any future issues of this nature we're enabling SSL for the entirety of Bukkit's forums. As part of this advertisements will be disabled until such time as they can be delivered securely.

    Only a small portion of users are potentially subject to this advisory. Users who may have been affected will soon be receiving an email advising them personally of their potential impact. We recommend that those users change their passwords on the forums as well as any sites or services that share that password.

    In general sharing passwords on sites makes passwords easier to compromise. As such any sites that shared your password with the forums should be considered potentially compromised as well. It is strongly advised that the passwords you use are unique on every site, avoid utilizing common words, and have a good mix of upper case letters, lower case letters, numbers and special symbols.

    We take your privacy very seriously. The immediate security issues have been addressed and we're taking proactive measures to make sure that this cannot happen again. We are deeply sorry that this occurred and we thank you for your patience in dealing with this.
    Last edited: Dec 8, 2015
  2. Offline


    Curse broke it.
  3. Offline


    @Kaelten & Curse staff
    Thank you for addressing this. If only someone had known about this sooner, the damage could of been lessened, but better late than never, and thankfully it was disclosed properly.
    JohnCollin likes this.
  4. Offline

    mbaxter ʇıʞʞnq ɐ sɐɥ ı

    Thanks for the post, @Kaelten

    I have a few questions:

    1) According to Max, this problem was brought to your attention nearly one month ago, and (partially) resolved at that time. Why has it taken until now to inform those users they have been compromised potentially as long ago as August?

    2) From the IRC discussion today, one of the pieces of injected code wasn't actually removed until today. Obviously the past is the past and unchangeable but what are your (Curse's) plans going forward to ensure that, in the event of another security breach, all potentially exploited content is fully reviewed? It took a few people on IRC a very short period of time to identify the missed code.

    3) Security issues are stressful business. Here's a cat gif:
    xize, UnseenMC Network, C.L. and 8 others like this.
  5. Offline


    1) It was reported about then. The lag in the announcement has many contributors one of which was us trying to plug the original attack angle. Some of it is a process improvements we need to make internally to allow us to handle these more promptly. These improvements are currently under way.

    2) There was a bit of back and forth with the access as we completely flushed them out of the system. While it is not excusable that it was missed we were able to confirm that it was part of this same incident. And again we'll be improving the processes on our side to make this much less likely in the future.

    3) Cat pictures are always appreciated in times of crisis. :)
  6. Offline


    I have several bugs reported in Curse tickets, including one that is a security loophole in The ticket was set to resolved but none of the bugs were fixed. Whys that?
  7. Offline


    Please PM or email me about any security issues you've found. I'll make sure they're investigated fully.
  8. Offline


    Resent in PM.
  9. Would've been nice to know before they hacked our server. Or tried to...
    They used one of my co-owner's credentials (which they got from here), logged in on the forums and edited the forum template to include this lovely picture.

    PS: I didn't pay them and I don't recommend to anyone that they do so. Paying cyber-terrorists is like paying real terrorists - it'll just get them to want more money.
    Keep recent backups, and have an awesome ninja guy to save you when shit happens xD
  10. Offline


    Thanks for addressing this :).
    tomudding likes this.
  11. Offline


    To give everyone a fair warning:
    My Microsoft password was shared with my bukkit password. Dumb, I know.

    It was broken into about a week and a half ago from a geo-ip in Poland. I suspected brute force, then saw the post by @MegaMaxsterful

    These passwords are being exploited on other services. If you shared passwords between accounts, change them. NOW.

    Edit: geo-ip, not geopolitical. darn you autocorrect.

    I'm still very upset about how long it took to address the issue when this was reported over a month ago. It should have been addressed immedietly.
    Last edited: Dec 8, 2015
  12. Offline


    Thanks for the post.

    In what way do you expect SSL to help with this aim (does it relate to how the account was originally compromised)?

    Additionally, when do you expect to have the emails sent out? Will this be limited to people who logged in during the period the password logging script was in the template or will it (more appropriately, in my opinion) apply to everyone you can contact who visited any page on the forums whilst the <script> in div#copyright was in the relevant template given we don't know what the script did, whether it served malware/redirected users to phishing sites etc?

    Will you be forcing password resets for those you think had their passwords compromised?
    Last edited: Dec 8, 2015
  13. Offline


    Who would try to target such a wonderful community? Thank you guys for taking care of this!
  14. Offline


    If you have the same password for your Bukkit account as your email (which should never be done) change your email password also. Access to a user's email will allow them to have access to all your accounts associated with that email.
  15. Offline


    All of these 'site hackings' are a chain reaction of people using same password on multiple sites. This person then hijacked login forms on each site he could to furthur collect more passwords.

    No "Exploit" was used. Simply a chain of people re-using passwords and admin accounts down the chain being taken.
    rbrick and lol768 like this.
  16. Offline


    Not only this forum was affected, several others as well.
    MyzelYam likes this.
  17. Offline


    @MegaMaxsterful Do you know which? We should probably warn other communities held by Curse such as Minecraft Forums..
  18. Offline


    Don't worry - I'm sure Curse staff are already aware of this. The other forums are not owned by Curse and have already dealt with the issue :)
  19. Offline


    Yes. We suspect the most likely root cause was a man-in-the-middle attack while the admin was at a conference. We ruled out many other common methods including password reuse, and forensics lead us to believe there's not a compromised machine or smartphone involved.

    They'll be sent out by end of day today. We're including anyone who could possibly have been affected. This has been determined using all the data we have available.

    In XenForo the only way we found to do this would be to break everyone's passwords. While this could be done, it'd require everyone affected to perform a password reset. We decided not to go this route due to people not always having access to email addresses.

    If you're aware of a better way for us to implement a good password reset in XF please let me know.

    In this specific case I have a high degree of certainty that password reuse wasn't the culprit. However, you're absoluty correct. Password reuse is one of the biggest problems in internet security. I highly recommend utilities like 1Password and Lastpass to make management of divergent passwords viable.

    None of our other communities are affected by this attack to our knowledge.
  20. Offline


    So the site administrator account was only used to attack, one of the smallest Curse communities?
  21. Offline


    The admins use different passwords for each site. Gaining one of our passwords on any site, will only give access to that site. That is the reason we use different passwords for everything.
    ChipDev likes this.
  22. Offline


    Yes. This particular username/password set only had access to bukkit's forums.
  23. Offline


    @Kaelten can the exact time that the site was no longer infected be released? I changed my password yesterday but there are comments that the site was still infected for part of the day.
  24. Offline


    It was fairly early in the day, but I don't have an exact time stamp. If in doubt I'd suggest changing your password again.
    Mrs. bwfctower likes this.
  25. Offline


    Wait... so you recommended to us that we change our passwords when the site was still infected?

    When will/did the emails get sent out?
  26. Offline


    @Kaelten Thank godness. Because of reasons, I needed to change my password to something else on a lot of websites (a lot of website think I'm a robot, I really don't know why).
  27. Offline


    Here's how I'd do it.

  28. Offline


    No, this announcement was posted afterwards. Emails are going out today. :)

    Right, I was asking if that's built into XF and we missed it.
    teej107 likes this.
  29. Offline


    I'm unaware of any functionality built into XenForo that would be able to achieve what you want.

    With that said, my point is that it is possible to do as a direct result of XenForo's extensibility and I can't see any reason why it wouldn't already have been done at this point - especially given the number of PHP developers Curse employs.
  30. Offline


    You could have It were it requiresA Password Change upon login. Also could me If MY Password was Compromised? I Use my Password for Other sites but not important Ones like Paypal, Ebay, Amazon, Etc...
Thread Status:
Not open for further replies.

Share This Page