Corona site down/hacked?

Hello

Your website is broken for me :frowning:

A full backup tar file in the root folder is not a good sign; hackers would have grabbed your entire site and potentially database accounts. (Yes, the file was accessible: 5-second download test.)

Q1) Is the www.coronalabs.com database on the same server as http://forums.coronalabs.com ?

Q2) Do you hash/salt your passwords for users?

Public disclosure/password reset time?

The entire website structure was browsable for 15+ minutes.

Now the site says:

Warning: require_once(/home/corona/websites/domains/www.coronalabs.com/root/wp-load.php) [function.require-once]: failed to open stream: No such file or directory in /home/corona/websites/domains/www.coronalabs.com/root/wp-blog-header.php on line 12 Fatal error: require_once() [function.require]: Failed opening required '/home/corona/websites/domains/www.coronalabs.com/root/wp-load.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/corona/websites/domains/www.coronalabs.com/root/wp-blog-header.php on line 12

Website has been working for me for the past 15 minutes (downloading daily releases, filing bugs, posting to forum).

I have reported this to support@coronalabs.com (Case 33273).

http://coronalabs.com was down (have screenshots).

More worryingly, a full site backup tar.gz file was viewable in the root folder and all folder contents were shown.

http://coronalabs.com and http://forums.coronalabs.com/ are linked in code (login bar etc.), so I'd reset your password ASAP.

Simon

Sounds good, just wanted to throw my experiences in there.

Just reset my password. I don’t want anyone making even worse apps than I do with my account.

Still talking to support about this. I just browsed to the site earlier to see what was new in Corona before jumping onto the forums, and what was exposed scared me. The site is back up, but the revealed security issues need fixing and the community informed.

I’d set a reminder to reset your password again in a few days too.

Warning: require_once(/home/corona/websites/domains/www.coronalabs.com/root/wp-load.php) [function.require-once]: failed to open stream: No such file or directory in /home/corona/websites/domains/www.coronalabs.com/root/wp-blog-header.php on line 12 Fatal error: require_once() [function.require]: Failed opening required '/home/corona/websites/domains/www.coronalabs.com/root/wp-load.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/corona/websites/domains/www.coronalabs.com/root/wp-blog-header.php on line 12

I can confirm this.

Hey guys - we did have a snafu with our www.coronalabs.com site. That is now fixed.

Just for the record, this site is completely separate from our developer.coronalabs.com site, which is where our build servers and user identities are. So there was no risk of leaking any passwords or any other funny business with our user accounts.

Final note on this from me: also, since these are separate sites, there was no build downtime and forums were always up. It was only our marketing site (www.coronalabs.com) on Wordpress that was down.

Replying here because no replies from the ticket?

So there was no code in any pages in the full site backup tar file, in plain sight, that could expose data now or in future from the leak?

Are all other identified issues secured (open folders, reset password forms, open IP dump)?

We are in the process of doing a final eval, and we’ll post once that is done.

But, again, what was down was our marketing site (based on Wordpress) and is completely separate from our user databases and our build servers.

If all is well, you would have no problems with me posting the links to the (non-secure) publicly available files on your web server that were revealed (full site backup, scripts)?

Do you want a fresh set of eyes on the eval from my side of the server (knowing what anyone else would have seen when the website files were exposed)?

No replies to support ticket in 50 minutes?

If it were just gifs at stake I would not be worried.

Wordpress is a great CMS, but site backups that are publicly available are a gold mine for hackers who need more credentials to get more data, I am afraid.

Ok - we are done checking into this. Nothing secret was exposed. We were doing a final check for our own Wordpress admin passwords (e.g., for blog), but that was not in there either.

Again - no Corona developer user info was exposed at all; that is in a completely separate infrastructure.

Nothing to see here :slight_smile:

> If all is well, you would have no problems with me posting the links to the (non-secure) publicly available files on your web server that were revealed (full site backup, scripts)?

I informed support@ over an hour ago of exposed scripts?

Ahhhh, major issues remain; I'll check back in 7 hours.

You may want to block directory listing on your site via .htaccess; loads are still open.

Get your web admins to confirm every folder.
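As an added illustration of the fix being recommended in this thread (not a file from Corona Labs or from any poster), a .htaccess fragment that turns off directory listings and refuses to serve backup archives and dumps left in the web root. It assumes Apache 2.4 with AllowOverride covering Options, Limit and FileInfo for the directory; the file extensions are an assumed list.

```apache
# Added example, not from this thread. Assumes Apache 2.4 and that
# AllowOverride for this directory permits Options, Limit and FileInfo.

# Disable automatic directory listings for folders without an index file,
# so the folder contents are no longer browsable.
Options -Indexes

# Refuse to serve backup archives and database dumps if any are left in
# the document root. Keeping backups outside the web root is the real fix;
# this only limits the damage if one is dropped there again.
# Extension list is an assumption; adjust to what your backup jobs produce.
<FilesMatch "\.(tar|tar\.gz|tgz|zip|7z|sql|sql\.gz|bak|old)$">
    Require all denied
</FilesMatch>

# Also block stray copies of wp-config.php (e.g. wp-config.php.bak),
# which would hold the database credentials.
<FilesMatch "^wp-config\.php\.">
    Require all denied
</FilesMatch>
```

After deploying, requesting a folder without an index file and requesting a known archive path should both return 403 rather than a listing or a download; on Apache 2.2 replace each `Require all denied` with `Order deny,allow` followed by `Deny from all`.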

David

Can I have Walter's email?

I have a final bit to report (as it has been overlooked by support and the forums moderator). Please DM.

Simon - feel free to email me: david AT coronalabs.