
[IMPORTANT] Security Breach on blog.mozillakerala.org


Shine Nelson

Mar 5, 2017, 2:58:33 PM
to Community kerala, you...@mozilla.org.uk, t...@mozilla.org.uk
Hello,


This is to inform you that there was a major security incident that
occurred on the server that hosts mozillakerala.org,
blog.mozillakerala.org among many others.

TL;DR: If you still login to blog.mozillakerala.org using a username
and password, you should check your email for a reset link. If you can't
find it, ping me. In order to protect your own privacy, it is highly
recommended that you reset your password to the Mozilla Kerala Blog.
For those who use their Wordpress account to authenticate to the Mozilla
Kerala blog, this would not require any action from your end as the
incident affected only the local database.

* What Happened? *

A file that contained critical authentication information was found to
be compromised [1] on February 14, 2017. The server was then rebooted in
Rescue Mode by [:tad] to prevent further harm from being done (Thanks
Tad!). I was informed by [:jsx] the next day regarding the incident and
was pointed in the direction of the security bug. I attempted to do a
preliminary investigation regarding the incident, but was unable to
login to the server because I lacked the credentials to login to the
server in Rescue Mode. When I reached out to :tad, he asked me to reboot
the server in normal mode and perform my investigation and fixes. As
I did so, I ensured that all the services talking to the internet
were stopped (to prevent further harm) before beginning my
investigation.

* Impact *
The file that was compromised had critical authentication information
regarding database access and authentication salts for users on the
Wordpress instance. This compromised the database as well as the
sessions of users who were already logged into the system.

* Resolution *
1. All system packages have been upgraded to their latest versions
(including security patches).
2. All passwords for all users (including the root user) on the database
have been changed.
3. Someone did manage to exploit the file and create a user with root
privileges on the database. The user has since been deleted from the
database.
4. The authentication salts from the existing installation of Wordpress
have been refreshed (existing salts were compromised from the file).
5. All Wordpress data from the existing database have been migrated over
to a new database.

* What does this mean to you (an end-user)? *
Since the authentication salts of the Wordpress instance have been
refreshed, your existing session on the blog would be invalidated. This
would require you to re-login to the Mozilla Kerala Blog.
If you are a regular Wordpress user and you have a Wordpress account, we
urge you to login using your Wordpress account so that authentication is
made easier with Wordpress (and such local incidents might not affect
you).
Other than this, we've also explicitly logged all users out of their
existing sessions, auto-generated strong new passwords and emailed them
with new password reset links. If you can't find the email in your
inbox, ping me.

I hope such scenarios don't happen in the future. I'd like to thank
Griffin Francis for identifying and reporting the bug; :tad for taking
timely action and putting the server in Rescue Mode to avoid further
harm; and :jsx for informing me about the incident.

--
~ shine

Links:
[1] bugzil.la/1339335 (Requires wsec-disclosure privileges to be viewed)
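The announcement describes refreshing the Wordpress authentication salts (resolution step 4) and notes that this invalidates every existing session. The script below is an added illustration, not code from the announcement or from the Mozilla Kerala server: it assumes the compromised file was a standard wp-config.php (the message does not name the file), rotates only the eight salt defines in a constructed sample config, and shows with a simplified model of Wordpress's cookie HMAC why a cookie signed under the leaked salts stops validating once they change.

```python
import hashlib
import hmac
import re
import secrets

# Constructed wp-config.php fragment for the demonstration; every value is a
# placeholder, not anything taken from the real server.
SAMPLE_WP_CONFIG = """\
define('DB_NAME',          'wordpress');
define('DB_PASSWORD',      'placeholder-db-password');
define('AUTH_KEY',         'old-auth-key');
define('SECURE_AUTH_KEY',  'old-secure-auth-key');
define('LOGGED_IN_KEY',    'old-logged-in-key');
define('NONCE_KEY',        'old-nonce-key');
define('AUTH_SALT',        'old-auth-salt');
define('SECURE_AUTH_SALT', 'old-secure-auth-salt');
define('LOGGED_IN_SALT',   'old-logged-in-salt');
define('NONCE_SALT',       'old-nonce-salt');
"""

# The eight keys/salts Wordpress uses to sign auth cookies and nonces.
SALT_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# Matches define('NAME', 'value'); group 1 = name, group 2 = value.
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")


def read_defines(config: str) -> dict:
    """Return {name: value} for every single-quoted define() in the config."""
    return {m.group(1): m.group(2) for m in DEFINE_RE.finditer(config)}


def rotate_salts(config: str) -> str:
    """Replace each salt value with 64 fresh random URL-safe characters,
    leaving all other defines (DB_NAME, DB_PASSWORD, ...) and the file layout
    untouched. Database credentials must be rotated separately in MySQL."""
    out, pos = [], 0
    for m in DEFINE_RE.finditer(config):
        if m.group(1) in SALT_NAMES:
            out.append(config[pos:m.start(2)])
            out.append(secrets.token_urlsafe(48))  # 48 bytes -> 64 chars
            pos = m.end(2)
    out.append(config[pos:])
    return "".join(out)


def logged_in_token(config: str, user: str, expiry: int) -> str:
    """Simplified model of a Wordpress logged-in cookie: an HMAC keyed on
    LOGGED_IN_KEY + LOGGED_IN_SALT. The real scheme also mixes in a password
    fragment and a session token, but it depends on these same secrets."""
    d = read_defines(config)
    key = (d["LOGGED_IN_KEY"] + d["LOGGED_IN_SALT"]).encode()
    return hmac.new(key, f"{user}|{expiry}".encode(), hashlib.sha256).hexdigest()
```

Writing the rotated text back over the live wp-config.php (and a `wp config shuffle-salts` run with WP-CLI does the equivalent) logs every user out, which is exactly the effect the announcement describes.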

Anush

Mar 6, 2017, 8:41:41 AM
to Shine Nelson, you...@mozilla.org.uk, Tom Farrow, Community kerala
Thanks for the information Shine.
> _______________________________________________
> community-kerala mailing list
> communit...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/community-kerala
>
--
Anush