Flarum.org Security Breach - What it means for you

luceos

hrvoje_hr Is there any possibility that vulnerability came from the Flarum source code?

No. We have no evidence to suggest that, in addition discuss isn't using any extensions that allow interaction with the filesystem or server. Not even fof upload is installed.

GreXXL

CyberGene see the reply from luceos about our conclusions so far. It's important to understand that the attack vector was our website (flarum.org) - not the discuss Forum. As there was an old DB backup on the server - as mentioned by tankerkiller125 we asked all users to change their password as a security measure.

katos

CyberGene we can categorically say that this was NOT a result of a vulnerability in Flarum software itself. Please see luceos reply.

With regards to our conclusions, we strongly believe that the ingress occurred due to a misconfiguration allowing password-based authentication to a user on the VM. Once this user was accessed, the files were dropped and the machine classified as compromised.

We at Flarum do not take security lightly, which is why our immediate response was to pull the files for analysis by myself and @tankerkiller125 and to rebuild the VM (affectionately known as “Nuke from orbit” or “NFO”).

In the rebuild of our server, we then ensured that password authentication is denied and forced the use of SSH keys (newly generated).
Then we moved towards a zero trust model to ensure that traffic is forced through Cloudflare and dropped if it does not originate from this trusted source.

I hope that this makes sense but I’m happy to answer any further questions!

Wadera

luceos We have no evidence to suggest that

First, I want to express my sincere thanks for the comprehensive report on the recent security breach. Your transparency and dedication to safeguarding our forum are truly commendable.

I have a few technical questions that I couldn't find answers to in the report, and I'm hoping to gain some more insights:

Sources of the Breach: Are there any suspected or confirmed sources of the breach? Understanding the origin is crucial for developing effective prevention strategies.

Flarum Engine Security: Given that Flarum engine has been cleared as the vulnerability point, could you provide insights into how the attackers might have accessed the host system? Is there a possibility that a developer's credentials were compromised, or are we looking at an internal job by an untrusted developer?

Confidence in Flarum's Security: If the exact source of the breach is still unknown, how can we be confident that the Flarum source code remains secure? Clarification on this would be immensely helpful.

I believe having answers to these questions will not only help in reinforcing our forum's security but also assist in keeping the community informed and vigilant.

peopleinside

Thanks. Flarum allow an administrator to ask all user to reset passwords or you use a code, command a doc for just flarum,org?

GreXXL

peopleinside is an extension created for the specific use case. (https://extiverse.com/extension/sycho/flarum-force-password-reset)

peopleinside

GreXXL nice, this can be useful 🙂

m4v3rick

tankerkiller125

Thanks for the insights. Would love to read more from you every now and then. Do you have a blog about these topics by chance?

tankerkiller125

m4v3rick I rarely if ever post, but I do have a blog over on https://kilgore.dev (note email is currently broken as hell on on it so the subscribe thing doesn't work)

tankerkiller125

m4v3rick If your intrested in a full length detailed view of how cracking passwords works (notably on Active Directory) I ended up publishing a full post on a new blog me and @katos ended up creating (because we both wanted to share more what we know in the IT space)

Ralkage

I came across the password reset page after not visiting the forum for a while, and I couldn't help but think, "Oh man, this can't be good!" 😅

I'm relieved that the team was able to further mitigate this attack and conduct a timely investigation, even though it stemmed from an unfortunate incident. It's disheartening how data and server breaches seem to be on the rise in recent years, and I'm somewhat skeptical about the long-term effectiveness of passwordless login initiatives, considering how easily the devices that support this security measure can become vulnerable themselves.

Nonetheless, thank you, team, for always being transparent about these sorts of incidents, as I feel it is critical to remain as such to effectively run a project at this scale.

Here's to the ongoing efforts of Flarum 2.0! Cheers! 🥂

katos

Ralkage Passwordless authentication is very much better. Certainly when compared to something like a username and password.

In an ideal world, authentication would be done using something like FIDO2, passing a device-bound token to the requester. This way even if the token was stolen and replayed, it doesn’t match the encrypted device hash.

I get the initial scepticism but with what companies like Microsoft are doing with the likes of token binding and CAE (continued access evaluation), we’re very much moving in the right direction!

CyberGene

Is there any conclusion about how this happened, is it a leaked password, SSH key, etc. or is it possible that the Flarum software itself might have a vulnerability that allowed the attackers to exploit it? Because the latter is much more worrying and could potentially affect all of us that use Flarum on our forums.

DaleZ

The team is so responsible! Thank you a lot for hard-working!

tankerkiller125 if you're keyboard can enter chinese characters, use them, not ASCII

I never know the password can set to these😲

tankerkiller125

DaleZ A proper password field accepts any character you could possibly use or type, and hashes them. If/when you run into password inputs that restrict what you can type/use it means that they are probably storing your password in a bad, bad way.

DaleZ

tankerkiller125 Yep, lots of website in my country only support ASCII, so I even forget that.
Anyway, allow UTF-8 characters for password is much safer, thanks again. ❤️

Update: Though support, but can't input them directly, need paste into the field.

a-wild-tim-appears

Thanks for the honesty and the write-up 🙂

matteocontrini

Hello, one question: I understand that you couldn't find evidence of an actual data breach occuring, is that correct? Did you decide to proceed anyway to report a potential data breach to your local privacy authority?

Plus, slightly related: is the privacy policy for Discuss the one published on Flarum.org? In that case I'm pretty sure it cannot be considered GDPR-compliant as it doesn't specify the legal basis for processing ("by using our site you consent..." is not legal AFAIK) and it doesn't specify nor provide a way to exercise privacy rights. Perhaps this could be an opportunity to revise that too.

Anyway, thanks for the details on the investigation, it's always helpful to see how people are handling security in real scenarios, especially from a more technical point of view.

luceos

matteocontrini I must confess I was looking into making the report and then a number of personal events took place that made it impossible for me to continue that. But you're right we need to file the report and improve our policies. Thanks for pointing this out.

katos

matteocontrini actually for a forum software such as Flarum then there is a given consent through usage however the wording does definitely need revision

Consent is defined in Article 4(11) as:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

That said, I would look to adjust the wording of our policy to;

by REGISTERING for our site, you consent to…

We naturally process data (cookies, analytics, etc) for guest visitors, which would need properly documenting under the policies, and this is something that I will look to take internally and resolve.

Thank you for highlighting this and bringing it to our attention

luceos

matteocontrini Did you decide to proceed anyway to report a potential data breach to your local privacy authority?

I forgot to ping back. But the report to the Dutch Autoriteit Persoonsgegevens was submitted on Wednesday at 7.24 PM CEST.

a-wild-tim-appears

luceos Hopefully everything works out okay for you 🙏

JeromeGillard

Bug: login with GitHub is not working anymore. Users created this way are jailed out.

I've registered to this forum via GitHub as external Identity Provider.

Prompting me to set a (new) password makes no sense. Avoiding local user/pass combination is the reason to leverage an external IdP.
As we can't skip the screen I've set a new password. OK I am logged in.
When I logout, I am asked for email and password. This does not make sense as I didn't provide any e-mail.
I could log in again only with the email I've used in GithHub and the new password I've set.
Login with GitHub is now broken (HTTP error 500).

tankerkiller125

JeromeGillard Prompting me to set a (new) password makes no sense. Avoiding local user/pass combination is the reason to leverage an external IdP.

During the creation of an IdP only user a random long password is generated, but never used for that user. Unfortunately at the time of the implementation, there was no forethought into tracking which users logged in using only IdP and which ones logged in with email and password, and switched to IdP at a later date. For this reason the password reset extension which was created specifically for this scenario can not tell the difference between users who use only IdP and the ones that use password and email.

This is why the password reset was required for everyone, including people who have never used email and password prior.

JeromeGillard When I logout, I am asked for email and password. This does not make sense as I didn't provide any e-mail.

This is the standard login page. Nothing new here, there should be a Github login below the email and password entry.

JeromeGillard Login with GitHub is now broken (HTTP error 500).

We will look into this issue.

luceos

JeromeGillard I've just tested this and can't seem to reproduce, is this issue still existing?