Improving Web Security: Six Ways the Apache.org JIRA Attack Could Have Been Prevented by Better Code

Apr 13, 2010 04:14


Today it was revealed that servers at Apache.org and Atlassian were successfully attacked, leading to thousands of stolen passwords. The attack on apache.org's servers was via JIRA, and since the attack on Atlassian came from the same source, it probably was also through JIRA.

I'm sure that JIRA's programmers feel embarrassed enough about all of ( Read more... )

tech, security, bugzilla


Comments 15

ext_79132 April 13 2010, 13:02:34 UTC
Speaking as a Bugzilla developer, Bugzilla has been around for 12 years now. Most of these things Max points out above actually got learned by the Bugzilla developers the hard way over the last decade, and the knowledge has been passed along over the years. Hopefully sharing some of these things can help other projects not run into the same problems in the future.

Reply


jira anonymous April 13 2010, 17:29:36 UTC
Everybody makes mistakes... thanks, Max, we are definitely taking our lumps right now (and deservedly so). We will be releasing more information about the attack on Atlassian, soon. fyi

- Jon Silvers, Atlassian

Reply

Re: jira avatraxiom April 14 2010, 00:25:44 UTC
Hey Jon. You're welcome. I'm looking forward to hearing more about what happened at Atlassian--the educative process of disclosure in situations like this can sometimes be beneficial enough to the world at large to almost make up for the damage done.

-Max

Reply


One more thing ... anonymous April 13 2010, 18:05:43 UTC
Nice article. You missed one extremely important thing though: Always educate your users not to use any of 'love', 'sex', 'secrete' or 'god' as their passwords. Everybody knows that Hackers know these are the most common passwords ;)

Reply

Re: One more thing ... avatraxiom April 14 2010, 00:26:06 UTC
Hahahaha. Yay Hackers! :-D

-Max

Reply

Re: One more thing ... anonymous April 14 2010, 01:20:13 UTC
Hmm... secrete... kinky!

Reply


My Gmail account attempted anonymous April 14 2010, 00:44:19 UTC
Interestingly at 4:43AM AEST time I got an SMS and an email to my secondary email account asking for my password to be reset. It sounds like the hackers got my gmail address and tried to access my gmail. Thanks for the article.

Reply

Re: My Gmail account attempted avatraxiom April 14 2010, 08:41:25 UTC
Hmm. Not sure if that was related or not, but you're welcome.

Reply


HttpOnly is weak anonymous April 16 2010, 01:15:23 UTC
I appreciate the constructive tone of this article! But I gotta take issue with one of the recommendations here.

You write: "[HttpOnly] is one of the simplest and most effective protections". Baloney. It's simple, sure. But effective it is not. In most cases, anything an attacker can do without the HttpOnly flag, the attacker can do with the HttpOnly flag, at the cost of more work. It's a speedbump, not a robust protection.

Reply

Re: HttpOnly is weak avatraxiom April 16 2010, 04:47:03 UTC
It's not a useless protection, at all, though, which is what saying that it's "weak" implies. I'd like to see somebody steal a Bugzilla login cookie with an XSS (though there aren't any that I know of), with HttpOnly on.

-Max

Reply

Re: HttpOnly is weak anonymous May 9 2010, 12:04:04 UTC
I'd just like to know how to steal an HttpOnly cookie by using XSS only, is it possible?

Reply
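As an added example for this thread (not code from the post, from Bugzilla or from JIRA), here is a small audit helper that parses a server's Set-Cookie headers and reports login cookies that lack the HttpOnly flag Max recommends (and the related Secure flag). The cookie names it treats as session cookies and the sample response headers are constructed for illustration.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure flags.

Added example; not code from the post, Bugzilla or JIRA. The session
cookie names and the sample headers below are constructed.
"""
from http.cookies import SimpleCookie

# Constructed: cookie names this audit treats as session/login cookies.
SESSION_COOKIE_NAMES = {"Bugzilla_logincookie", "JSESSIONID", "sessionid"}


def parse_set_cookie(header_value):
    """Return (name, has_httponly, has_secure) for one Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(header_value)
    # One Set-Cookie line carries exactly one cookie (a Morsel); take it.
    name, morsel = next(iter(jar.items()))
    return name, bool(morsel["httponly"]), bool(morsel["secure"])


def audit_response_headers(raw_headers):
    """Scan a raw HTTP response header block for session cookies that a
    page script could read (no HttpOnly) or that leak over plain HTTP
    (no Secure). Returns a list of (cookie_name, problem) tuples."""
    findings = []
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, httponly, secure = parse_set_cookie(value.strip())
        if name not in SESSION_COOKIE_NAMES:
            continue
        if not httponly:
            findings.append((name, "missing HttpOnly: readable via document.cookie"))
        if not secure:
            findings.append((name, "missing Secure: sent over plain HTTP"))
    return findings


# Constructed sample: one login cookie set safely, one exposed to scripts.
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Set-Cookie: Bugzilla_logincookie=abc123; Path=/; HttpOnly; Secure
Set-Cookie: JSESSIONID=deadbeef; Path=/
Set-Cookie: theme=dark; Path=/
Content-Type: text/html"""

if __name__ == "__main__":
    for cookie_name, problem in audit_response_headers(SAMPLE_HEADERS):
        print(f"{cookie_name}: {problem}")
```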


