Hi,
I am sad to say that there was a compromise of the WineHQ database system.
What we know at this point is that someone was able to obtain unauthorized access to the phpmyadmin utility. We do not know exactly how they obtained access; it was either by compromising an admin's credentials, or by exploiting an unpatched vulnerability in phpmyadmin.
We had reluctantly provided access to phpmyadmin to the appdb developers (it is a very handy tool, and something they very much wanted). But it is a prime target for hackers, and apparently our best efforts at obscuring it and patching it were not sufficient.
So we have removed all access to phpmyadmin from the outside world.
We do not believe the attackers obtained any other form of access to the system.
On the one hand, we saw no evidence of harm to any database. We saw no evidence of any attempt to change the database (and candidly, using the real appdb or bugzilla is the easy way to change the database).
Unfortunately, the attackers were able to download the full login database for both the appdb and bugzilla. This means that they have all of those emails, as well as the passwords. The passwords are stored encrypted, but with enough effort and depending on the quality of the password, they can be cracked.
This, I'm afraid, is a serious threat; it means that anyone who uses the same email / password on other systems is now vulnerable to a malicious attacker using that information to access their account.
We are going to be resetting every password and sending a private email to every affected user.
This is yet another reminder to never use a common username / password pair. This web site provides further advice as well: http://asiknews.wordpress.com/2011/03/02/best-practice-password-management-f...
I am very sad to have to report this. We have so many challenges in our world today that this is a particularly painful form of salt for our wounds.
However, I think it is urgent for everyone to know what happened.
Cheers,
Jeremy
Thank you so much for letting the users know so early on.
Bugzilla/forum passwords should probably be reset as well for appdb users; there's no doubt most people share passwords with the appdb.
On Tue, Oct 11, 2011 at 8:13 PM, Jeremy White jwhite@codeweavers.com wrote:
Hi,
I am sad to say that there was a compromise of the WineHQ database system.
<snip>
On Tue, Oct 11, 2011 at 8:46 PM, Jerome Leclanche adys.wh@gmail.com wrote:
Thank you so much for letting the users know so early on.
Bugzilla/forum passwords should probably be reset as well for appdb users; there's no doubt most people share passwords with the appdb.
On Tue, Oct 11, 2011 at 8:13 PM, Jeremy White jwhite@codeweavers.com wrote:
Hi,
I am sad to say that there was a compromise of the WineHQ database system.
<snip>
Nevermind... had not received the other emails yet.
Best of luck sorting it all out.
JL
2011/10/11 Jerome Leclanche adys.wh@gmail.com:
Thank you so much for letting the users know so early on.
Bugzilla/forum passwords should probably be reset as well for appdb users; there's no doubt most people share passwords with the appdb.
On Tue, Oct 11, 2011 at 8:13 PM, Jeremy White jwhite@codeweavers.com wrote:
Hi,
I am sad to say that there was a compromise of the WineHQ database system.
<snip>
Thanks for the early notice!
Testbot passwords should also be reset, as it seems it doesn't allow password reset / change ATM (at least I wasn't able to find that possibility).
Hey everyone,
On 10/11/2011 09:13 PM, Jeremy White wrote:
Hi,
I am sad to say that there was a compromise of the WineHQ database system.
<snip>
You may also want to change your testbot password if you re-used your password: https://testbot.winehq.org/ForgotPassword.pl
Cheers, Maarten
On Tue, Oct 11, 2011 at 9:13 PM, Jeremy White jwhite@codeweavers.com wrote:
Hi,
I am sad to say that there was a compromise of the WineHQ database system.
<snip>
Hi,
One question. I'm not worried about my current account, but I had an old email with an old password recorded in my keychain store. I tried that email at appdb.winehq.org but it said "user does not exist". Can I assume it was completely deleted?
Regards,
On Oct 11, 2011, at 12:13 PM, Jeremy White wrote:
What we know at this point is that someone was able to obtain unauthorized access to the phpmyadmin utility. We do not know exactly how they obtained access; it was either by compromising an admin's credentials, or by exploiting an unpatched vulnerability in phpmyadmin.
Insecure HTTP access?
Unfortunately, the attackers were able to download the full login database for both the appdb and bugzilla. This means that they have all of those emails, as well as the passwords. The passwords are stored encrypted, but with enough effort and depending on the quality of the password, they can be cracked.
This, I'm afraid, is a serious threat; it means that anyone who uses the same email / password on other systems is now vulnerable to a malicious attacker using that information to access their account.
Since bugzilla passwords were sent in cleartext anyway, I sincerely hope none of them were otherwise valuable. (Remember FireSheep?)
We are going to be resetting every password and sending a private email to every affected user.
You might also consider expiring old login cookies.
This is yet another reminder to never use a common username / password pair. This web site provides further advice as well: http://asiknews.wordpress.com/2011/03/02/best-practice-password-management-f...
Josh
On Tue, Oct 11, 2011 at 3:39 PM, Josh Juran josh@iswifter.net wrote:
On Oct 11, 2011, at 12:13 PM, Jeremy White wrote:
Unfortunately, the attackers were able to download the full login database for both the appdb and bugzilla. This means that they have all of those emails, as well as the passwords. The passwords are stored encrypted, but with enough effort and depending on the quality of the password, they can be cracked.
This, I'm afraid, is a serious threat; it means that anyone who uses the same email / password on other systems is now vulnerable to a malicious attacker using that information to access their account.
Since bugzilla passwords were sent in cleartext anyway, I sincerely hope none of them were otherwise valuable. (Remember FireSheep?)
Josh
Wait, what? Bugzilla sends passwords in cleartext? That isn't very smart... Is there no way to replace this with some sort of client based hashing or something?
On Oct 11, 2011, at 3:37 PM, Conan Kudo (ニール・ゴンパ) wrote:
On Tue, Oct 11, 2011 at 3:39 PM, Josh Juran josh@iswifter.net wrote:
Since bugzilla passwords were sent in cleartext anyway, I sincerely hope none of them were otherwise valuable. (Remember FireSheep?)
Wait, what? Bugzilla sends passwords in cleartext? That isn't very smart... Is there no way to replace this with some sort of client based hashing or something?
To clarify, your browser sends your password to bugzilla in cleartext, since HTTPS isn't an option.
Firesheep was a lesson that even once passwords are secure, session credentials are still vulnerable to sniffing. Some sites went to HTTPS-only sessions after that.
Josh
2011/10/11 Josh Juran josh@iswifter.net:
On Oct 11, 2011, at 3:37 PM, Conan Kudo (ニール・ゴンパ) wrote:
On Tue, Oct 11, 2011 at 3:39 PM, Josh Juran josh@iswifter.net wrote:
Since bugzilla passwords were sent in cleartext anyway, I sincerely hope none of them were otherwise valuable. (Remember FireSheep?)
Wait, what? Bugzilla sends passwords in cleartext? That isn't very smart... Is there no way to replace this with some sort of client based hashing or something?
To clarify, your browser sends your password to bugzilla in cleartext, since HTTPS isn't an option.
Firesheep was a lesson that even once passwords are secure, session credentials are still vulnerable to sniffing. Some sites went to HTTPS-only sessions after that.
http://bugs.winehq.org/show_bug.cgi?id=23791
2011/10/11 Josh Juran josh@iswifter.net
On Oct 11, 2011, at 3:37 PM, Conan Kudo (ニール・ゴンパ) wrote:
On Tue, Oct 11, 2011 at 3:39 PM, Josh Juran josh@iswifter.net wrote:
Since bugzilla passwords were sent in cleartext anyway, I sincerely hope none of them were otherwise valuable. (Remember FireSheep?)
Wait, what? Bugzilla sends passwords in cleartext? That isn't very smart... Is there no way to replace this with some sort of client based hashing or something?
To clarify, your browser sends your password to bugzilla in cleartext, since HTTPS isn't an option.
Firesheep was a lesson that even once passwords are secure, session credentials are still vulnerable to sniffing. Some sites went to HTTPS-only sessions after that.
Josh
Shouldn't it be possible to modify the login environment so that a salted hash of the password is produced before sending it to the server, to strengthen the security a little bit?
On Oct 11, 2011, at 3:54 PM, Conan Kudo (ニール・ゴンパ) wrote:
2011/10/11 Josh Juran josh@iswifter.net
To clarify, your browser sends your password to bugzilla in cleartext, since HTTPS isn't an option.
Shouldn't it be possible to modify the login environment so that a salted hash of the password is produced before sending it to the server, to strengthen the security a little bit?
That protects the password itself, but not the privilege it guards.
It also essentially makes Javascript a requirement, which currently it isn't.
Josh
Hey,
On 10/12/2011 12:46 AM, Josh Juran wrote:
On Oct 11, 2011, at 3:37 PM, Conan Kudo (ニール・ゴンパ) wrote:
On Tue, Oct 11, 2011 at 3:39 PM, Josh Juran josh@iswifter.net wrote:
Since bugzilla passwords were sent in cleartext anyway, I sincerely hope none of them were otherwise valuable. (Remember FireSheep?)
Wait, what? Bugzilla sends passwords in cleartext? That isn't very smart... Is there no way to replace this with some sort of client based hashing or something?
To clarify, your browser sends your password to bugzilla in cleartext, since HTTPS isn't an option.
Firesheep was a lesson that even once passwords are secure, session credentials are still vulnerable to sniffing. Some sites went to HTTPS-only sessions after that.
If I go to any https://*.winehq.org website I get the certificate for test.winehq.org; otherwise you could use the Firefox HTTPS Everywhere extension to force https on.
Or better yet, force automatic redirect to https, with Strict-Transport-Security: https://hacks.mozilla.org/2010/08/firefox-4-http-strict-transport-security-f...
If winehq can't get more IPs for every subdomain (SSL sucks), would the solution be moving it to https://winehq.org/{bugs,appdb,test,source} ?
Cheers, Maarten
On Thu, Oct 13, 2011 at 10:23:58AM +0200, Maarten Lankhorst wrote:
Hey,
On 10/12/2011 12:46 AM, Josh Juran wrote:
On Oct 11, 2011, at 3:37 PM, Conan Kudo (ニール・ゴンパ) wrote:
On Tue, Oct 11, 2011 at 3:39 PM, Josh Juran josh@iswifter.net wrote:
Since bugzilla passwords were sent in cleartext anyway, I sincerely hope none of them were otherwise valuable. (Remember FireSheep?)
Wait, what? Bugzilla sends passwords in cleartext? That isn't very smart... Is there no way to replace this with some sort of client based hashing or something?
To clarify, your browser sends your password to bugzilla in cleartext, since HTTPS isn't an option.
Firesheep was a lesson that even once passwords are secure, session credentials are still vulnerable to sniffing. Some sites went to HTTPS-only sessions after that.
If I go to any https://*.winehq.org website I get the certificate for test.winehq.org; otherwise you could use the Firefox HTTPS Everywhere extension to force https on.
Or better yet, force automatic redirect to https, with Strict-Transport-Security: https://hacks.mozilla.org/2010/08/firefox-4-http-strict-transport-security-f...
If winehq can't get more IPs for every subdomain (SSL sucks), would the solution be moving it to https://winehq.org/{bugs,appdb,test,source} ?
Or a wildcard SSL cert for *.winehq.org.
Ciao, Marcus
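Josh's Firesheep point (session cookies are sniffable even when the password is not) and Maarten's and Marcus's suggestions (redirect to HTTPS, Strict-Transport-Security, a certificate that actually covers each subdomain) add up to a checklist. The following is an added Python example, not code from this thread or from WineHQ, that audits a constructed response against that checklist; the header values, cookie name and certificate names are constructed, and the six-month minimum max-age is an assumed threshold.

```python
MIN_HSTS_AGE = 180 * 24 * 3600  # six months; assumed threshold, a shorter policy lapses quickly

def cert_covers_host(cert_names, host):
    """True if a certificate DNS name covers host; a wildcard matches only the
    leftmost label, so '*.winehq.org' covers 'bugs.winehq.org', not 'winehq.org'."""
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            label, _, rest = host.partition(".")
            if label and rest == name[2:]:
                return True
    return False

def parse_hsts(value):
    """Split 'max-age=31536000; includeSubDomains' into a directive dict."""
    directives = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            directives[key.lower()] = val.strip().strip('"')
    return directives

def audit(response, host):
    """Sorted findings for one response dict ('scheme', 'status', 'headers' as
    (name, value) pairs, 'cert_names' on the served cert); [] means it passes."""
    findings = []
    headers = [(n.lower(), v) for n, v in response["headers"]]
    get = lambda name: [v for k, v in headers if k == name]
    if response["scheme"] == "http":
        # Plain HTTP must do nothing but redirect to HTTPS.
        loc = get("location")
        if not (300 <= response["status"] < 400 and loc
                and loc[0].lower().startswith("https://")):
            findings.append("http-not-redirected")
        return findings
    if not cert_covers_host(response["cert_names"], host):
        findings.append("cert-name-mismatch")  # the test.winehq.org symptom
    hsts = get("strict-transport-security")
    if not hsts:
        findings.append("hsts-missing")
    else:
        age = parse_hsts(hsts[0]).get("max-age", "")
        if not age.isdigit() or int(age) < MIN_HSTS_AGE:
            findings.append("hsts-max-age-too-short")
    for cookie in get("set-cookie"):
        # Firesheep lesson: without Secure the session cookie also rides over HTTP.
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie-{name}-not-secure")
        if "httponly" not in attrs:
            findings.append(f"cookie-{name}-not-httponly")
    return sorted(findings)

# Constructed sample responses (not captured from any winehq.org host).
WEAK = {"scheme": "https", "status": 200, "cert_names": ["test.winehq.org"],
        "headers": [("Set-Cookie", "login=abc123; Path=/")]}
HARDENED = {"scheme": "https", "status": 200, "cert_names": ["*.winehq.org"],
            "headers": [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                        ("Set-Cookie", "login=abc123; Path=/; Secure; HttpOnly")]}
```

Running `audit(WEAK, "bugs.winehq.org")` reports the certificate mismatch, the missing HSTS header and both cookie flags, while the hardened response returns an empty list.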
On Tue, Oct 11, 2011 at 9:13 PM, Jeremy White jwhite@codeweavers.com wrote:
Hi,
I am sad to say that there was a compromise of the WineHQ database system.
What we know at this point is that someone was able to obtain unauthorized access to the phpmyadmin utility. We do not know exactly how they obtained access; it was either by compromising an admin's credentials, or by exploiting an unpatched vulnerability in phpmyadmin.
Jeremy,
Almost 2 years ago I sent you an email privately about a security hole with the database. To be exact, the date of the email is Wed, Jul 29, 2009, 12:00 AM (GMT +02:00). I guess that's probably the same trick the bad guys have used...
Kind regards,
Matijn Woudt
Almost 2 years ago I sent you an email privately about a security hole with the database. To be exact, the date of the email is Wed, Jul 29, 2009, 12:00 AM (GMT +02:00). I guess that's probably the same trick the bad guys have used...
Hmm. I can't find any such email in my archives - can you resend it to me? Are you sure it was me, and not the other Jeremy?
I'd be curious to see if it matches up to the forensics we have.
Cheers,
Jeremy
On 10/11/2011 09:13 PM, Jeremy White wrote:
I am sad to say that there was a compromise of the WineHQ database system.
"Nothing is invulnerable." So, sooner or later, your system will be compromised. The only thing you have to do is to be prepared to face an incident and, of course, secure your systems to slow the attacker(s) down.
The bugzilla case does not really worry me because it's only bugs. But as CEO, you have to protect your company and your customers.
I'm of course a simple "user" of wine and I have absolutely no right to tell you what to do. But something was open, broken or whatever, and now you have to spend time and energy trying to repair the breach. Just don't let it happen again. There are lots of methods to analyse risk. Depending on what level of security you want, it will cost more or less. Just think about it.
Anyway, thanks for the quick reply, communication is really important in this situation.