Sunday, 6 September 2009

wykop.pl owned - data stolen

The news of the day in Poland is that wykop.pl, a Polish site doing the same thing as digg.com, got owned in a pretty bad way: the database with users' login credentials and e-mail addresses was stolen. This post is the result of gathering info from public sites (in Polish, mostly from Dziennik Internautow, which gave nice coverage), so all of it is already in the public domain; otherwise I wouldn't quote any fragments or call on any of the information given here.

Info about breach goes public

Following what Dziennik Internautow wrote in their post, on 5 Sep 2009 a person using the nickname Gimbus1xD informed the administrators of wykop.pl about the breach (no link, the original post has been taken down) and about the fact that some of the stolen information had already been used to compromise accounts held with other websites, including allegro.pl (an auction system like eBay). To prove his revelations, Gimbus1xD also posted screenshots of a compromised Allegro account with transactions that happened two days earlier, and another one of phpMyAdmin browsing the 'users' table.

The scary part here is that, as Gimbus1xD wrote, about 40% of those passwords have been broken (despite being hashed) with simple dictionary and brute-force attacks, because the passwords were up to 7 characters long.

Allegedly the database is in the hands of vichan.net admins, who again allegedly shared the 'unhashed' database with their moderators, including Gimbus1xD, who broke the news. So far it's not clear what made Gimbus1xD change his mind and make this information public.

That's not yet the end...

Official version by wykop.pl

A few hours after the first post by Gimbus1xD and hundreds of comments from users, wykop.pl published a 'press release' on their blog saying that a couple of weeks ago one of their test servers got broken into and that users' login credentials and e-mail addresses were stolen; this concerns users who registered before 31 March 2009.

Owners of the site have also been blackmailed, so they have informed the Police about the whole incident. One of the messages from wykop.pl admins suggests that users were not informed about the breach because:

  1. as long as the blackmail negotiations are going on, there is a small
     chance that the information would be used for malicious purposes, and
  2. the Police asked them not to publish any information, because other
     websites where wykop's users had accounts and shared the same passwords
     are also involved as victims. In this case, that would be intentional,
     so as not to damage the investigation.

The only problem here is that, depending on the note, the time since the company knew of the breach differs, ranging from weeks to mere hours (which would only suggest to me that they need a dedicated spokesman).

... in business terms

I feel really sorry for those guys at wykop.pl. They have their hands tied behind their backs. On one hand they work with law enforcement (good), but on the other they have been forced to make this information public in a surprising twist of events (not planned for, not good). That doesn't really leave them in a good light; some people will be shocked, some will understand. Now they can't say too much, to avoid interfering with the investigation, but again they can't ignore the voices of their users. That's a really tough one!

How it all happened - more juicy bits

Some details were published by Gimbus1xD himself, and that makes for a really interesting read! First of all, he provided the screenshots mentioned earlier and an IRC log of the whole event, where you can see how those guys got in.
The log is not censored, he says, because all the entry points shown there have already been patched. Anyway, it's very interesting to see what critical, unimaginable 'faults' there were at wykop.pl!

Let's make a very short list of what was so horribly wrong there, shall we?

  • Test/dev server placed on a public IP address for as yet unknown reasons (Were admins/devs so lazy that they left it wide open to be able to work from home? Hello! VPN anyone?)
  • Seems like no firewall at all - hands up, pants down, epic fail!
  • Box not hardened, with interesting ports open (SSH, MySQL and others)
  • MySQL had no password set at all - wide wide open!

19:55 < mepholic> no root password on sql
19:56 < mepholic> mepholic@abydos:~$ mysql -h 91.102.117.202 -u root
19:56 < xxx> oh wow
19:56 < mepholic> Welcome to the MySQL monitor.  Commands end with ; or \g.
19:56 < mepholic> Your MySQL connection id is 73535
19:56 < mepholic> Server version: 5.1.34-0.dotdeb.1 (Debian)
19:56 < mepholic> Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
19:56 < a> nice!
19:56 < mepholic> mysql>
[...]
20:02 < mepholic> damn
20:02 < mepholic> there's absolutly no passwords in here
20:03 < mepholic> well like
20:03 < mepholic> oh fucking christ
20:03 < mepholic> mysql> show tables;
[...]
20:10 < mepholic> mysql> SELECT COUNT(*) FROM users;
20:10 < mepholic> +----------+
20:10 < mepholic> | COUNT(*) |
20:10 < mepholic> +----------+
20:10 < mepholic> |   118275 |
20:10 < mepholic> +----------+
20:10 < mepholic> 1 row in set (0.24 sec)
  • Who on earth imports old REAL DATA into a dev server, especially a public one?!
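As an added example (not part of the original post or of the IRC log), here is a small audit script that flags the two MySQL misconfigurations visible in the log, a passwordless root account reachable from any host and a server listening on all interfaces; the `mysql.user` dump and the my.cnf fragment are constructed sample data, not anything from the real server.

```python
import re

# Constructed sample of `mysql -B -e "SELECT user, host, password FROM mysql.user"`
# (tab-separated; MySQL 5.1 still had a `password` column). Not real wykop.pl data.
SAMPLE_USER_TABLE = """\
user\thost\tpassword
root\tlocalhost\t
root\t%\t
wykop\tlocalhost\t*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
\t%\t
"""

# Constructed fragment of /etc/mysql/my.cnf carrying the weak setting.
SAMPLE_MY_CNF = """\
[mysqld]
bind-address = 0.0.0.0
"""

LOCAL_HOSTS = ("localhost", "127.0.0.1", "::1")


def audit_user_table(dump):
    """Return one finding per risky row of mysql.user (empty password, remote root, anonymous)."""
    findings = []
    rows = [line for line in dump.splitlines() if line][1:]  # drop header and blank lines
    for row in rows:
        user, host, pw = (row.split("\t") + ["", "", ""])[:3]
        if user == "":
            findings.append(f"anonymous account from host '{host}'")
        if pw == "":
            findings.append(f"empty password for '{user}'@'{host}'")
        if user == "root" and host not in LOCAL_HOSTS:
            findings.append(f"root login allowed from host '{host}'")
    return findings


def audit_my_cnf(cnf):
    """Flag mysqld listening on a non-loopback address without skip-networking."""
    if re.search(r"^\s*skip-networking\b", cnf, re.M):
        return []
    m = re.search(r"^\s*bind-address\s*=\s*(\S+)", cnf, re.M)
    addr = m.group(1) if m else "0.0.0.0"  # MySQL 5.1 default: all interfaces
    if addr in LOCAL_HOSTS:
        return []
    return [f"mysqld listens on {addr}; set bind-address = 127.0.0.1 or skip-networking"]


if __name__ == "__main__":
    for finding in audit_user_table(SAMPLE_USER_TABLE) + audit_my_cnf(SAMPLE_MY_CNF):
        print("FINDING:", finding)
```

On the sample data this reports five account findings (both root rows have empty passwords, root is allowed from '%', and an anonymous account exists) plus the bind-address finding; a dev box passing both checks would at least not have been reachable with `mysql -h <ip> -u root`.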

Wrap up

Hey, I don't know about you guys, but for me running a company this way is an EPIC FAIL in itself and qualifies for a Pwnie Award in the category of Most Epic FAIL. You would expect people who run quite a popular site (at least popular in Poland) to know what they are doing. Were there any controls in place, anything at all? Doesn't look like it :-(

I would write more, but that doesn't make any sense; they are having a hard time already, and most of the scrutiny and plain anger will come from their own users... so let's learn from their mistakes and not make them again in the future, anywhere, on any site! Of course we'll see what comes up in this case and what the outcome will be.