WineHQ database compromise

jwhite
Wine Developer
Posts: 14
Joined: Thu Feb 21, 2008 5:26 pm

WineHQ database compromise

Post by jwhite »

Hi,

I am sad to say that there was a compromise of the WineHQ database system.

What we know at this point is that someone was able to obtain unauthorized
access to the phpmyadmin utility. We do not know exactly how they obtained
access; it was either by compromising an admin's credentials, or by
exploiting an unpatched vulnerability in phpmyadmin.

We had reluctantly provided access to phpmyadmin to the appdb developers
(it is a very handy tool, and something they very much wanted). But it
is a prime target for hackers, and apparently our best efforts at
obscuring it and patching it were not sufficient.

So we have removed all access to phpmyadmin from the outside world.

We do not believe the attackers obtained any other form of access to the
system.

On the one hand, we saw no evidence of harm to any database. We saw no
evidence of any attempt to change the database (and candidly, using the
real appdb or bugzilla is the easy way to change the database).

Unfortunately, the attackers were able to download the full login
database for both the appdb and bugzilla. This means that they have all
of those emails, as well as the passwords. The passwords are stored
encrypted, but with enough effort and depending on the quality of the
password, they can be cracked.

This, I'm afraid, is a serious threat; it means that anyone who uses the
same email / password on other systems is now vulnerable to a malicious
attacker using that information to access their account.

We are going to be resetting every password and sending a private email
to every affected user.

This is another reminder to never use a common username / password
pair. This web site provides further advice as well:
http://asiknews.wordpress.com/2011/03/0 ... web-sites/

I am very sad to have to report this. We have so many challenges in our
world today that this is a particularly painful form of salt for our wounds.

However, I think it is urgent for everyone to know what happened.

Cheers,

Jeremy
Josh Juran

WineHQ database compromise

Post by Josh Juran »

On Oct 11, 2011, at 12:13 PM, Jeremy White wrote:
What we know at this point is that someone was able to obtain unauthorized
access to the phpmyadmin utility. We do not know exactly how they obtained
access; it was either by compromising an admin's credentials, or by
exploiting an unpatched vulnerability in phpmyadmin.
Insecure HTTP access?
Unfortunately, the attackers were able to download the full login
database for both the appdb and bugzilla. This means that they have all
of those emails, as well as the passwords. The passwords are stored
encrypted, but with enough effort and depending on the quality of the
password, they can be cracked.

This, I'm afraid, is a serious threat; it means that anyone who uses the
same email / password on other systems is now vulnerable to a malicious
attacker using that information to access their account.
Since bugzilla passwords were sent in cleartext anyway, I sincerely hope none of them were otherwise valuable. (Remember FireSheep?)
We are going to be resetting every password and sending a private email
to every affected user.
You might also consider expiring old login cookies.
This is again another reminder to never use a common username / password
pair. This web site provides further advice as well:
http://asiknews.wordpress.com/2011/03/0 ... web-sites/
Josh
jgonera
Newbie
Posts: 1
Joined: Tue Oct 11, 2011 2:52 pm

Post by jgonera »

OK, it's good that you inform us. However, I have a few passwords that I cycle and I don't remember which one I was using here. Is there any way of viewing the old password?
jnewman
Site Admin
Posts: 94
Joined: Thu Feb 21, 2008 3:23 pm

Post by jnewman »

jgonera wrote: OK, it's good that you inform us. However, I have a few passwords that I cycle and I don't remember which one I was using here. Is there any way of viewing the old password?
No, the passwords were encrypted. Best I could do would be to give you the hash of your old password.
rpetti
Newbie
Posts: 3
Joined: Tue Oct 11, 2011 4:39 pm

Post by rpetti »

I think a hashed password is better than nothing. Who can we contact to get that information?
GlennLChugg
Level 2
Posts: 11
Joined: Fri Oct 07, 2011 6:56 pm

Post by GlennLChugg »

I changed my password by pressing Forgot Password; as long as you have access to the email you signed up with, you can use that to reset the password without knowing your old one. I had quite a few sites I had to change my password for; I hate it when hackers do this stuff, it really isn't very polite.
rpetti
Newbie
Posts: 3
Joined: Tue Oct 11, 2011 4:39 pm

Post by rpetti »

That's the problem. I don't know what my old password was, so I don't know what other sites, if any, I've used it for.
GlennLChugg
Level 2
Posts: 11
Joined: Fri Oct 07, 2011 6:56 pm

Post by GlennLChugg »

Yeah, well in that case you'll have to change passwords on all your important sites where you have power/admin/mod abilities, or you may just find that one of them will be taken over and cause damage/data loss.

I've just gone and changed 8 sites, I hope I remember them all now, thank god for cookies and online sync.
rpetti
Newbie
Posts: 3
Joined: Tue Oct 11, 2011 4:39 pm

Post by rpetti »

jnewman: Can you please send me my old password hash via email? The account email is the same as this forum account.
Josh Juran

WineHQ database compromise

Post by Josh Juran »

On Oct 11, 2011, at 3:37 PM, Conan Kudo (ニール・ゴンパ) wrote:
On Tue, Oct 11, 2011 at 3:39 PM, Josh Juran <[email protected]> wrote:
Since bugzilla passwords were sent in cleartext anyway, I sincerely hope none of them were otherwise valuable. (Remember FireSheep?)
Wait, what? Bugzilla sends passwords in cleartext? That isn't very smart... Is there no way to replace this with some sort of client based hashing or something?
To clarify, your browser sends your password to bugzilla in cleartext, since HTTPS isn't an option.

Firesheep was a lesson that even once passwords are secure, session credentials are still vulnerable to sniffing. Some sites went to HTTPS-only sessions after that.

Josh
austin987
Wine Developer
Posts: 2383
Joined: Fri Feb 22, 2008 8:19 pm

WineHQ database compromise

Post by austin987 »

2011/10/11 Josh Juran <[email protected]>:
On Oct 11, 2011, at 3:37 PM, Conan Kudo (ニール・ゴンパ) wrote:
On Tue, Oct 11, 2011 at 3:39 PM, Josh Juran <[email protected]> wrote:
Since bugzilla passwords were sent in cleartext anyway, I sincerely hope none of them were otherwise valuable.  (Remember FireSheep?)
Wait, what? Bugzilla sends passwords in cleartext? That isn't very smart... Is there no way to replace this with some sort of client based hashing or something?
To clarify, your browser sends your password to bugzilla in cleartext, since HTTPS isn't an option.

Firesheep was a lesson that even once passwords are secure, session credentials are still vulnerable to sniffing. Some sites went to HTTPS-only sessions after that.
http://bugs.winehq.org/show_bug.cgi?id=23791

--
-Austin
Adys
Level 2
Posts: 10
Joined: Fri Jul 04, 2008 9:32 pm

WineHQ database compromise

Post by Adys »

Thank you so much for letting the users know so early on.

Bugzilla/forum passwords should probably be reset as well for appdb
users; there's no doubt most people share passwords with the appdb.

On Tue, Oct 11, 2011 at 8:13 PM, Jeremy White <[email protected]> wrote:
Hi,

I am sad to say that there was a compromise of the WineHQ database system.
<snip>

Maarten Lankhorst

WineHQ database compromise

Post by Maarten Lankhorst »

Hey everyone,

On 10/11/2011 09:13 PM, Jeremy White wrote:
Hi,

I am sad to say that there was a compromise of the WineHQ database system.
<snip>

This, I'm afraid, is a serious threat; it means that anyone who uses the
same email / password on other systems is now vulnerable to a malicious
attacker using that information to access their account.
You may also want to change your testbot password if you re-used your password.
https://testbot.winehq.org/ForgotPassword.pl

Cheers,
Maarten
Nicolas Le Cam

WineHQ database compromise

Post by Nicolas Le Cam »

2011/10/11 Jerome Leclanche <[email protected]>:
Thank you so much for letting the users know so early on.

Bugzilla/forum passwords should probably be reset as well for appdb
users; there's no doubt most people share passwords with the appdb.

On Tue, Oct 11, 2011 at 8:13 PM, Jeremy White <[email protected]> wrote:
Hi,

I am sad to say that there was a compromise of the WineHQ database system.
<snip>

Thanks for the early notice!

Testbot passwords should also be reset, as it seems it doesn't allow
password reset / change ATM. (At least I wasn't able to find that
possibility.)

--
Nicolas Le Cam
Adys
Level 2
Posts: 10
Joined: Fri Jul 04, 2008 9:32 pm

WineHQ database compromise

Post by Adys »

On Tue, Oct 11, 2011 at 8:46 PM, Jerome Leclanche <[email protected]> wrote:
Thank you so much for letting the users know so early on.

Bugzilla/forum passwords should probably be reset as well for appdb
users; there's no doubt most people share passwords with the appdb.

On Tue, Oct 11, 2011 at 8:13 PM, Jeremy White <[email protected]> wrote:
Hi,

I am sad to say that there was a compromise of the WineHQ database system.
<snip>

Never mind... had not received the other emails yet.

Best of luck sorting it all out.


JL
Jhime
Level 1
Posts: 6
Joined: Sun Jul 17, 2011 2:08 pm

WineHQ database compromise

Post by Jhime »

On Tue, Oct 11, 2011 at 9:13 PM, Jeremy White <[email protected]> wrote:
Hi,

I am sad to say that there was a compromise of the WineHQ database system.
<snip>

Hi,

One question. I'm not worried about my current account, but I had an old
email with an old password recorded in my keychain store. I tried that email
at appdb.winehq.org but it said "user does not exist". Can I assume it was
completely deleted?

Regards,
--
Per Johansson
Vasiliy Faronov

WineHQ database compromise

Post by Vasiliy Faronov »

Hi Jeremy,

Could you please reveal details on how the passwords were "encrypted"?
Which hash function? Were they salted? Was the salt compromised?

This would help the users evaluate just how much is "enough effort"
to crack the passwords.

Thank you.

--
Vasiliy Faronov
Rune K. Svendsen

WineHQ database compromise

Post by Rune K. Svendsen »

Unfortunately, the attackers were able to download the full login
database for both the appdb and bugzilla. This means that they have
all of those emails, as well as the passwords. The passwords are
stored encrypted, but with enough effort and depending on the quality
of the password, they can be cracked.
Could you please explain in detail how these passwords were "encrypted"?
Were they hashed? Using which hash function? Did you use a SALT?

I have a simple password that I use for sites like these, which means
that the hackers now have access to other forums and bug trackers I am
registered in. It's not a problem for me.
tijnema
Newbie
Posts: 2
Joined: Mon Aug 30, 2010 7:48 pm

WineHQ database compromise

Post by tijnema »

On Tue, Oct 11, 2011 at 9:13 PM, Jeremy White <[email protected]> wrote:
Hi,

I am sad to say that there was a compromise of the WineHQ database system.

What we know at this point is that someone was able to obtain unauthorized
access to the phpmyadmin utility. We do not know exactly how they obtained
access; it was either by compromising an admin's credentials, or by
exploiting an unpatched vulnerability in phpmyadmin.
Jeremy,

Almost 2 years ago I sent you an email privately about a security
hole with the database. To be exact, the date of the email is Wed,
Jul 29, 2009, 12:00 AM (GMT +02:00). I guess that's probably the same
trick the bad guys have used...

Kind regards,

Matijn Woudt
Conan Kudo (ニール・ゴンパ)

WineHQ database compromise

Post by Conan Kudo (ニール・ゴンパ) »

On Tue, Oct 11, 2011 at 3:39 PM, Josh Juran <[email protected]> wrote:
On Oct 11, 2011, at 12:13 PM, Jeremy White wrote:
Unfortunately, the attackers were able to download the full login
database for both the appdb and bugzilla. This means that they have all
of those emails, as well as the passwords. The passwords are stored
encrypted, but with enough effort and depending on the quality of the
password, they can be cracked.

This, I'm afraid, is a serious threat; it means that anyone who uses the
same email / password on other systems is now vulnerable to a malicious
attacker using that information to access their account.
Since bugzilla passwords were sent in cleartext anyway, I sincerely hope
none of them were otherwise valuable. (Remember FireSheep?)

Josh

Wait, what? Bugzilla sends passwords in cleartext? That isn't very smart...
Is there no way to replace this with some sort of client based hashing or
something?
Conan Kudo (ニール・ゴンパ)

WineHQ database compromise

Post by Conan Kudo (ニール・ゴンパ) »

2011/10/11 Josh Juran <[email protected]>
On Oct 11, 2011, at 3:37 PM, Conan Kudo (ニール・ゴンパ) wrote:
On Tue, Oct 11, 2011 at 3:39 PM, Josh Juran <[email protected]> wrote:
Since bugzilla passwords were sent in cleartext anyway, I sincerely hope
none of them were otherwise valuable. (Remember FireSheep?)
Wait, what? Bugzilla sends passwords in cleartext? That isn't very
smart... Is there no way to replace this with some sort of client based
hashing or something?

To clarify, your browser sends your password to bugzilla in cleartext,
since HTTPS isn't an option.

Firesheep was a lesson that even once passwords are secure, session
credentials are still vulnerable to sniffing. Some sites went to HTTPS-only
sessions after that.

Josh


Shouldn't it be possible to modify the login environment so that a salted
hash of the password is produced before sending it to the server, to
strengthen the security a little bit?
Josh Juran

WineHQ database compromise

Post by Josh Juran »

On Oct 11, 2011, at 3:54 PM, Conan Kudo (ニール・ゴンパ) wrote:
2011/10/11 Josh Juran <[email protected]>
To clarify, your browser sends your password to bugzilla in cleartext, since HTTPS isn't an option.
Shouldn't it be possible to modify the login environment so that a salted hash of the password is produced before sending it to the server, to strengthen the security a little bit?
That protects the password itself, but not the privilege it guards.

It also essentially makes JavaScript a requirement, which currently it isn't.

Josh
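Josh's point above (a client-side hash protects the password itself, but not the privilege it guards) as an added Python model; this is example code, not anything from the thread or from Bugzilla, and the PBKDF2 choice, the sample credential and the function names are assumptions of the example.

```python
import hashlib
import hmac
import os

# Iteration count for the PBKDF2 key derivation.  Assumption of this example
# (kept low so the demo runs quickly); a real deployment would use far more.
ITERATIONS = 20_000


def make_record(password: str) -> dict:
    """Server-side password store: a random salt plus a slow, salted hash.
    This is the conventional "stored encrypted" case from Jeremy's post."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_server_side(record: dict, password: str) -> bool:
    """Conventional login: the browser sends the password, the server hashes
    it and compares in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def client_side_hash(password: str, salt: bytes) -> bytes:
    """Conan's proposal: the browser computes the salted hash itself.  The
    salt has to be handed to the browser first, so it is effectively public."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_client_side(record: dict, submitted_hash: bytes) -> bool:
    """With client-side hashing the server can only compare the submitted
    value against what it stores, so the submitted hash IS the credential."""
    return hmac.compare_digest(submitted_hash, record["hash"])


def sniff_and_replay_demo() -> dict:
    """Model a login over plain HTTP that a passive observer on the network
    can read (the Firesheep point), under both schemes."""
    real_password = "correct horse"          # constructed sample credential
    record = make_record(real_password)

    # Conventional login over HTTP: what crosses the wire is the password.
    observed_plain = real_password
    # Client-side-hash login over HTTP: what crosses the wire is the hash.
    observed_hash = client_side_hash(real_password, record["salt"])

    return {
        # The password itself is exposed only under the conventional scheme,
        # so client-side hashing does protect the password for other sites...
        "plain_reveals_password": observed_plain == real_password,
        "hash_reveals_password": observed_hash == real_password.encode(),
        # ...but under both schemes, replaying what was observed logs the
        # observer in: the privilege is not protected without HTTPS.
        "plain_replay_logs_in": verify_server_side(record, observed_plain),
        "hash_replay_logs_in": verify_client_side(record, observed_hash),
    }


if __name__ == "__main__":
    for name, value in sniff_and_replay_demo().items():
        print(f"{name}: {value}")
```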
GlennLChugg
Level 2
Posts: 11
Joined: Fri Oct 07, 2011 6:56 pm

Re: WineHQ database compromise

Post by GlennLChugg »

tijnema wrote: On Tue, Oct 11, 2011 at 9:13 PM, Jeremy White <[email protected]> wrote:
Hi,

I am sad to say that there was a compromise of the WineHQ database system.

What we know at this point is that someone was able to obtain unauthorized
access to the phpmyadmin utility. We do not know exactly how they obtained
access; it was either by compromising an admin's credentials, or by
exploiting an unpatched vulnerability in phpmyadmin.
Jeremy,

Almost 2 years ago I sent you an email privately about a security
hole with the database. To be exact, the date of the email is Wed,
Jul 29, 2009, 12:00 AM (GMT +02:00). I guess that's probably the same
trick the bad guys have used...

Kind regards,

Matijn Woudt
In hindsight, this would have been worth re-mentioning (at least once every few months), or IT WAS YOU :P, you knew a way to access the data and decided that if they weren't gonna patch the hole you could grab the data and show them how wrong it was to ignore you :D (Joking... or am I?).

Seriously, security is mostly a joke; if someone wants to get access they can/will, but that is not to say you should make it easier for them by leaving holes in your security. I hope in the future reports are treated very seriously. PHP is one of the most hackable web services; I am surprised WineHQ has been left alone this long, all my forums have been targeted at one stage of their life cycle. But I now know a way around the security issues (no, I won't share or it'll be targeted too).
C3PO
Level 2
Posts: 14
Joined: Tue Aug 30, 2011 4:12 am

WineHQ database compromise

Post by C3PO »

Hello Jwhite,

Could you share the encryption procedure your system was using to store the hashes in the database? Was it using the secret word
which also became public domain? Was it a default Bugzilla authorization method? How much time would it require to brute force the passwords?

In the future try to avoid using "out of the box" encryption which allows passwords to be brute forced. If an attacker didn't know
the algorithm the hash was generated with it would be nearly impossible to brute force the hashes.

I recommend moving the authorization mechanics out of the host directories in a way which would prevent an attacker
who gained control over the virtual host files from reading the authorization algorithms.

How is it possible that you don't know how the passwords were stolen but you know that they were stolen? Isn't there an HTTP secure log archive?
Check out the host secure log. It's important to understand how the info leaked in order to close the leak. Maybe an attacker gained
access to another virtual host and through that access downloaded the database. In this case you may lose information again.

The key to the answer HOW is the apache & mysql logs; scrutinize them and you'll understand what happened. If there is an unknown bug in mysqladmin you
will immediately catch it. At least you will know if an attacker got DB access through your host.

Many people around here might be interested in whether it's really worth changing passwords which are at least 6 letters in length.

You told us that phpmyadmin was obfuscated, which excludes a scanner getting access to the database.
Hacking WINE bugzilla is a foul job and only a teenage kid (or a man who is still young in his soul) would ever do that.
Kids usually gain access to the filesystem first. Check whether there is a change in templates... which leaked
the cookies or passwords in files which could be read.

The worst thing that could happen is that the passwords would be decrypted and added to the automatic scanners which probe
the online services, but I doubt that kind of intelligence from a person hacking bugzillas.

Thanks for letting us know; most of the services prefer to keep silent over these problems.

--
Best regards,
Igor mailto:[email protected]
Eric King

WineHQ database compromise

Post by Eric King »

Could I get my old password hash as well? My Bugzilla account was registered with a different email address, send me a message to this one and I'll respond from the correct one. Seems to me that a savvy hacker might note a request in the open here as a good account to start attacking first.