Corona site down/hacked?

Nah, forget it, seriously considering dropping Corona development after this experience. The securing of the website was an absolute joke after all URLs were exposed by server issues.

> Hey guys - we did have a snafu with our www.coronalabs.com site. That is now fixed.

Saying the site was all fixed when it was not was a joke.

Who in their right mind stores a full site backup zip at the top structure of their website along with a full Mercurial source control of their whole website along with dozens of admin scripts and error logs?

I see you have fixed most already, but given the quality of the marketing server I have no faith in your developer or build server.

If I did not keep bugging your support and this forum I doubt the issues would have been fixed at all.

A Thanks would be nice.

If I cancel my Corona pro subscription do I get a remaining time part refund?

Downloading Xcode 6 beta and iOS 8 Beta, time to learn Swift and move on from Corona.

Simon - I’m a little mystified by all of this, but of course you are free to adopt any tool you would like and we will wish you the best of luck. Unfortunately we do not give partial refunds.

Just to recap the facts:

  1. We knew our Wordpress site had an issue yesterday, as soon as it happened - before any reports or incoming emails. It actually was caused by a specific human error, so we realized it right away.

  2. As soon as we realized we had an issue, we worked to solve it. It was pretty much all solved within 30 minutes or so. We tidied things up after that as necessary.

  3. Most importantly: this was only an issue with our marketing Wordpress site (WWW.coronalabs.com). This site has no access to user identities, build servers or other important pieces of our infrastructure (not even forum.coronalabs.com).

  4. Again, our forum, user database, build servers were never compromised in any way. What was exposed was the Wordpress content you can see anyway at www.coronalabs.com.

  5. Once we got a handle on the situation, we quickly corrected it.

We really do appreciate your efforts in letting us know about the issue. It’s always helpful to have people in the community flag things and help out. We take security very seriously here - especially of anything having to do with our users’ info and our build servers.

Having said that, I’m not sure where else we can take this. Our front end marketing site has nothing to do with Corona’s capabilities as a tool or how well it works.

If you want to discuss further, I am happy to do so. Just email me at david AT coronalabs.

David

Can I say, “Don’t let the door hit your butt on the way out.” without it sounding antagonistic? Because that’s the way I mean it, just friendly-like. You took something minor and blew it up (in your own mind) to something significant. And because of that imaginary problem you’re going to switch to something where you won’t be nearly as productive.

Jay

PS - I don’t care if someone switches away from Corona – but do it for a legit reason.

> PS - I don’t care if someone switches away from Corona – but do it for a legit reason.

There were reasons why discussions moved to the forum.

Leaving is a pain for me but what was communicated/exposed scared me.

It’s funny because Apple got hacked a while back exposing all iTunes Connect accounts and now you want to drop Corona SDK and move to Apple because of the lax security on the marketing web server. Don’t get it. Best of luck to you in your future endeavours.

The fact that this wasn’t a ‘been hacked’ situation is good. Look at all the big companies that suffered recently due to the ‘Heartbleed’ exploit. Even operating systems are hacked and exploited all the time.

This boils down to your sense of trust at the end of the day. If you do not accept any form of exploitation or exposure, then really you should never use a computer again :P

This isn’t meant as an attack or insult towards anyone, just a light-hearted look at the situation :)

Yep, tech is a double edged sword. No hard feelings, good luck everyone.

Website has been working for me for the past 15 minutes (downloading daily releases, filing bugs, posting to forum).

I have reported this to support@coronalabs.com (Case 33273)

http://coronalabs.com was down (have screenshots).

More worryingly a full site backup tar.gz file was viewable in the root folder and all folder contents were shown.

http://coronalabs.com and http://forums.coronalabs.com/ are linked in code (login bar etc) so I’d reset your password ASAP.

Simon
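A pre-deploy check for the kind of leftovers this report describes (a full-site backup archive, a version-control checkout, error logs and admin scripts sitting in the web root, plus directories that would list their contents), as an added example that is not code from Corona Labs or this thread; the file-name patterns and the document-root path are assumptions.

```python
"""Audit a web document root for artefacts that should never be web-reachable.

Added example (not Corona Labs code). The name patterns below are assumptions
chosen to match what the thread reported: a full-site backup archive,
a Mercurial checkout, error logs and admin scripts at the top level.
"""
import os
import re
import sys
from pathlib import Path

# Backup archives, dumps, logs, editor leftovers and VCS metadata directories.
RISKY_NAME = re.compile(
    r"\.(tar\.gz|tgz|zip|sql|bak|log|orig|swp)$|^\.(hg|git|svn)$|^error_log$",
    re.IGNORECASE,
)
# Maintenance scripts that belong behind auth or off the server entirely.
ADMIN_SCRIPT = re.compile(r"^(admin|backup|dump|phpinfo|test)[\w-]*\.(php|sh)$", re.IGNORECASE)
INDEX_FILES = ("index.php", "index.html")


def audit_docroot(docroot):
    """Return sorted (relative_path, reason) findings for one document root."""
    root = Path(docroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        # Flag VCS metadata, then prune it so its internals are not re-reported.
        for d in list(dirnames):
            if RISKY_NAME.search(d):
                findings.append((str(rel_dir / d), "version-control metadata exposed"))
                dirnames.remove(d)
        # A subdirectory with no index file shows a full listing if autoindex is on.
        if rel_dir != Path(".") and not any(n in filenames for n in INDEX_FILES):
            findings.append((str(rel_dir), "no index file; listing shown if autoindex is on"))
        for f in filenames:
            rel = str(rel_dir / f)
            if RISKY_NAME.search(f):
                findings.append((rel, "backup/log/dump artefact in webroot"))
            elif rel_dir == Path(".") and ADMIN_SCRIPT.match(f):
                findings.append((rel, "admin script at top level"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit_docroot.py /path/to/docroot   (exit 1 if anything is found)
    results = audit_docroot(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, reason in results:
        print(f"{path}: {reason}")
    sys.exit(1 if results else 0)
```

Run it against the checkout that is about to be published, not the live server, so nothing reaches the web root in the first place.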

Sounds good, just wanted to throw my experiences in there.

Just reset my password. I don’t want anyone making even worse apps than I do with my account.


Still talking to support about this. I just browsed to the site earlier to see what was new in Corona before jumping onto the forums and what was exposed scared me. The site is back up but the revealed security issues need fixing and the community informed.

I’d set a reminder to reset your password again in a few days too.

Warning: require_once(/home/corona/websites/domains/www.coronalabs.com/root/wp-load.php) [function.require-once]: failed to open stream: No such file or directory in /home/corona/websites/domains/www.coronalabs.com/root/wp-blog-header.php on line 12
Fatal error: require_once() [function.require]: Failed opening required '/home/corona/websites/domains/www.coronalabs.com/root/wp-load.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/corona/websites/domains/www.coronalabs.com/root/wp-blog-header.php on line 12

I can confirm this.

Hey guys - we did have a snafu with our www.coronalabs.com site. That is now fixed.

Just for the record, this site is completely separate from our developer.coronalabs.com site, which is where our build servers and user identities are. So there was no risk of leaking any passwords or any other funny business with our user accounts.

Final note on this from me: also, since these are separate sites, there was no build downtime and forums were always up. It was only our marketing site (www.coronalabs.com) on Wordpress that was down.

Replying here because no replies from the ticket?

So there was no code in any pages in the full site backup tar file that was in plain sight that could expose data now or in future from the leak?

Are all other identified issues secured (open folders, reset password forms, open IP dump)?

We are in the process of doing a final eval, and we’ll post once that is done.

But, again, what was down was our marketing site (based on Wordpress) and is completely separate from our user databases and our build servers.

If all is well you would have no problems with me posting the links to the (non secure) publicly available files on your web server that were revealed (full site backup, scripts)?

Do you want a fresh set of eyes on the eval from my side of the server (knowing what anyone else would have seen when the website files were exposed)?

No replies to support ticket in 50 minutes?