Here are all issues made by the hacker on matrix github. They are no longer accessible via normal means, but luckily internet archive has a copy.
SSH Agent Forwarding
2FA is gud
Signing keys in production?!?
Monitor log files to avoid relying on external whitehats
Git is not a secret store
Ansible management of sshd_config
Controlled Production Access
Jenkins Slave listening to SSH on the internet
Principle of least privilige
It is odd for an attacker to give feedback right?
It was really cool.
I wouldn't call it cool. He's an asshole for compromising all the data of innocent users. He was trying to make a point but it hurt people who had nothing to do with it. He should have privately contacted them and told them about it instead.
Oh yes. I didn't mean that he was a cool person. Just that it was cool to see that.
Don't know if I'm making any sense. It was just a cool part of a shitty thing.
What was cool to see about it?
They explained, in detail, what vulnerabilities they took advantage of, and multiple ways that it could have been detected and prevented, and gave info about how to stop similar breaches from happening in the future.
That's a far better place to be starting from as the person trying to figure out what happened and what they need to fix, compared to "someone got in, but we have no idea how".
That is pretty interesting, I guess.
No one is hurt unless the data gets abused. Thankfully passwords were properly stored and messages were end-to-end encrypted, so all the attacker would have had access to is a user list and who they were talking to, which is not great but it's not the end of the world.
That doesn't excuse the fact that he took it in the first place.
There is no proof they actually took any data. They gained access to the server and redirected the website to a page showing they had access to the user list. They may not actually care for the data and just left it all on the server.
That's true, but they potentially did. Even if they took nothing, it's more of the principle that they messed with them instead of telling them privately.
To have this person give feedback like that is truly fascinating to see. I wonder what their true intentions were?
It is not mentioned in the TL;DR at the top, but according to an update they have now confirmed matrix.org password hashes have in fact been obtained from the production database; everyone who is registered on matrix.org or has bridged to IRC with it is advised to reset their passwords.
GPG keys for signing packages were also compromised; no update of Synapse had been pushed and only one for the Riot client, but Matrix believed the latter update to have been secure.
I am glad Matrix seems to be open and not trying to pretend that it isn't bad. Security is hard, and when things get broken, it is refreshing for an organization to admit its failings.
"security incident". Whoopsie-daisy!
Bloody hell. "How to underrepresent the bad thing happened 101"