Flarum.org Security Breach - What it means for you

hrvoje_hr

Appreciate you're this open about this. Is there any possibility that vulnerability came from the Flarum source code?

Also, about passwords. How complicated for someone malicious would be to rehash passwords from the database?

tankerkiller125

hrvoje_hr Also, about passwords. How complicated for someone malicious would be to rehash passwords from the database?

Hashcat has a built in BCrypt hashing, which means that it's actually incredibly simple to do, the hard part is the hardware requirements, and knowledge of how hashcat works.

For some context, as part of security where I work I (because I'm the only IT guy) download the password hashes of all of our employees, and then bruteforce those hashes use two methods.

The first method is a wordlist, basically I have a large list of previously breached passwords, combined with sports teams, city names, popular first and last names, etc. and hashcat uses that wordlist to combine words, and try every combination of replacing letters with numbers, etc.

Using this first method, the first time we did this, I was able to breach around 15% of passwords, and it took just under 8 hours on an i7 12th Gen Laptop processor.

The second method is straight up brute force, still using hashcat, in which I was able to break an additional 4% of passwords in just under a month. But importantly again, this on my work laptop, and it hadn't even finished with 9 character passwords.

If I had a GPU rig (like the ones they use for crypto mining) I could have broken A LOT more user passwords. A recent security conference I went to had a talk on this exact subject, and the speaker suggested that using about $800 worth of hardware you can crack every password shorter than 16 characters in just under a year.

I don't want to alarm anyone, far from it, however short, weak passwords are easily breakable when an attacker can directly attack the hash, without any form of rate limiting.

For that reason, you should either use a password manager to generate random, long (20+ character) passwords, or if you are going to remember the password, use a passphrase with multiple words (preferably rarer ones), numbers, symbols, lowercase, uppercase, and if you can, native characters (in other words, if you're keyboard can enter chinese characters, use them, not ASCII). Or if the website allows it, use a Passkey (hardware token) for sign in.

Password cracking becomes exponentially harder for every character added. So if you assume a standard keyboard layout, and we assume that 27 keys can't be used (like enter, F-Row, etc.) that leaves us with 74 * 2 (because shift key) or 148. So to crack a 1 character password it takes 148 guesses, for 2 character passwords it takes 148² guesses (21,904), etc.

luceos

hrvoje_hr Is there any possibility that vulnerability came from the Flarum source code?

No. We have no evidence to suggest that, in addition discuss isn't using any extensions that allow interaction with the filesystem or server. Not even fof upload is installed.

m4v3rick

tankerkiller125

Thanks for the insights. Would love to read more from you every now and then. Do you have a blog about these topics by chance?

DaleZ

The team is so responsible! Thank you a lot for hard-working!

tankerkiller125 if you're keyboard can enter chinese characters, use them, not ASCII

I never know the password can set to these😲

GreXXL

CyberGene see the reply from luceos about our conclusions so far. It's important to understand that the attack vector was our website (flarum.org) - not the discuss Forum. As there was an old DB backup on the server - as mentioned by tankerkiller125 we asked all users to change their password as a security measure.

katos

CyberGene we can categorically say that this was NOT a result of a vulnerability in Flarum software itself. Please see luceos reply.

With regards to our conclusions, we strongly believe that the ingress occurred due to a misconfiguration allowing password-based authentication to a user on the VM. Once this user was accessed, the files were dropped and the machine classified as compromised.

We at Flarum do not take security lightly, which is why our immediate response was to pull the files for analysis by myself and @tankerkiller125 and to rebuild the VM (affectionately known as “Nuke from orbit” or “NFO”).

In the rebuild of our server, we then ensured that password authentication is denied and forced the use of SSH keys (newly generated).
Then we moved towards a zero trust model to ensure that traffic is forced through Cloudflare and dropped if it does not originate from this trusted source.

I hope that this makes sense but I’m happy to answer any further questions!

Wadera

luceos We have no evidence to suggest that

First, I want to express my sincere thanks for the comprehensive report on the recent security breach. Your transparency and dedication to safeguarding our forum are truly commendable.

I have a few technical questions that I couldn't find answers to in the report, and I'm hoping to gain some more insights:

Sources of the Breach: Are there any suspected or confirmed sources of the breach? Understanding the origin is crucial for developing effective prevention strategies.

Flarum Engine Security: Given that Flarum engine has been cleared as the vulnerability point, could you provide insights into how the attackers might have accessed the host system? Is there a possibility that a developer's credentials were compromised, or are we looking at an internal job by an untrusted developer?

Confidence in Flarum's Security: If the exact source of the breach is still unknown, how can we be confident that the Flarum source code remains secure? Clarification on this would be immensely helpful.

I believe having answers to these questions will not only help in reinforcing our forum's security but also assist in keeping the community informed and vigilant.

peopleinside

Thanks. Flarum allow an administrator to ask all user to reset passwords or you use a code, command a doc for just flarum,org?

GreXXL

peopleinside is an extension created for the specific use case. (https://extiverse.com/extension/sycho/flarum-force-password-reset)

peopleinside

GreXXL nice, this can be useful 🙂

tankerkiller125

m4v3rick I rarely if ever post, but I do have a blog over on https://kilgore.dev (note email is currently broken as hell on on it so the subscribe thing doesn't work)

tankerkiller125

m4v3rick If your intrested in a full length detailed view of how cracking passwords works (notably on Active Directory) I ended up publishing a full post on a new blog me and @katos ended up creating (because we both wanted to share more what we know in the IT space)

Ralkage

I came across the password reset page after not visiting the forum for a while, and I couldn't help but think, "Oh man, this can't be good!" 😅

I'm relieved that the team was able to further mitigate this attack and conduct a timely investigation, even though it stemmed from an unfortunate incident. It's disheartening how data and server breaches seem to be on the rise in recent years, and I'm somewhat skeptical about the long-term effectiveness of passwordless login initiatives, considering how easily the devices that support this security measure can become vulnerable themselves.

Nonetheless, thank you, team, for always being transparent about these sorts of incidents, as I feel it is critical to remain as such to effectively run a project at this scale.

Here's to the ongoing efforts of Flarum 2.0! Cheers! 🥂

katos

Ralkage Passwordless authentication is very much better. Certainly when compared to something like a username and password.

In an ideal world, authentication would be done using something like FIDO2, passing a device-bound token to the requester. This way even if the token was stolen and replayed, it doesn’t match the encrypted device hash.

I get the initial scepticism but with what companies like Microsoft are doing with the likes of token binding and CAE (continued access evaluation), we’re very much moving in the right direction!

CyberGene

Is there any conclusion about how this happened, is it a leaked password, SSH key, etc. or is it possible that the Flarum software itself might have a vulnerability that allowed the attackers to exploit it? Because the latter is much more worrying and could potentially affect all of us that use Flarum on our forums.

tankerkiller125

DaleZ A proper password field accepts any character you could possibly use or type, and hashes them. If/when you run into password inputs that restrict what you can type/use it means that they are probably storing your password in a bad, bad way.

DaleZ

tankerkiller125 Yep, lots of website in my country only support ASCII, so I even forget that.
Anyway, allow UTF-8 characters for password is much safer, thanks again. ❤️

Update: Though support, but can't input them directly, need paste into the field.

a-wild-tim-appears

Thanks for the honesty and the write-up 🙂

matteocontrini

Hello, one question: I understand that you couldn't find evidence of an actual data breach occuring, is that correct? Did you decide to proceed anyway to report a potential data breach to your local privacy authority?

Plus, slightly related: is the privacy policy for Discuss the one published on Flarum.org? In that case I'm pretty sure it cannot be considered GDPR-compliant as it doesn't specify the legal basis for processing ("by using our site you consent..." is not legal AFAIK) and it doesn't specify nor provide a way to exercise privacy rights. Perhaps this could be an opportunity to revise that too.

Anyway, thanks for the details on the investigation, it's always helpful to see how people are handling security in real scenarios, especially from a more technical point of view.

luceos

matteocontrini I must confess I was looking into making the report and then a number of personal events took place that made it impossible for me to continue that. But you're right we need to file the report and improve our policies. Thanks for pointing this out.

katos

matteocontrini actually for a forum software such as Flarum then there is a given consent through usage however the wording does definitely need revision

Consent is defined in Article 4(11) as:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

That said, I would look to adjust the wording of our policy to;

by REGISTERING for our site, you consent to…

We naturally process data (cookies, analytics, etc) for guest visitors, which would need properly documenting under the policies, and this is something that I will look to take internally and resolve.

Thank you for highlighting this and bringing it to our attention

luceos

matteocontrini Did you decide to proceed anyway to report a potential data breach to your local privacy authority?

I forgot to ping back. But the report to the Dutch Autoriteit Persoonsgegevens was submitted on Wednesday at 7.24 PM CEST.