Flarum.org Security Breach - What it means for you

Ralkage

I came across the password reset page after not visiting the forum for a while, and I couldn't help but think, "Oh man, this can't be good!" 😅

I'm relieved that the team was able to further mitigate this attack and conduct a timely investigation, even though it stemmed from an unfortunate incident. It's disheartening how data and server breaches seem to be on the rise in recent years, and I'm somewhat skeptical about the long-term effectiveness of passwordless login initiatives, considering how easily the devices that support this security measure can become vulnerable themselves.

Nonetheless, thank you, team, for always being transparent about these sorts of incidents, as I feel it is critical to remain as such to effectively run a project at this scale.

Here's to the ongoing efforts of Flarum 2.0! Cheers! 🥂

katos

Ralkage Passwordless authentication is very much better. Certainly when compared to something like a username and password.

In an ideal world, authentication would be done using something like FIDO2, passing a device-bound token to the requester. This way even if the token was stolen and replayed, it doesn’t match the encrypted device hash.

I get the initial scepticism but with what companies like Microsoft are doing with the likes of token binding and CAE (continued access evaluation), we’re very much moving in the right direction!

CyberGene

Is there any conclusion about how this happened, is it a leaked password, SSH key, etc. or is it possible that the Flarum software itself might have a vulnerability that allowed the attackers to exploit it? Because the latter is much more worrying and could potentially affect all of us that use Flarum on our forums.

GreXXL

CyberGene see the reply from luceos about our conclusions so far. It's important to understand that the attack vector was our website (flarum.org) - not the discuss Forum. As there was an old DB backup on the server - as mentioned by tankerkiller125 we asked all users to change their password as a security measure.

katos

CyberGene we can categorically say that this was NOT a result of a vulnerability in Flarum software itself. Please see luceos reply.

With regards to our conclusions, we strongly believe that the ingress occurred due to a misconfiguration allowing password-based authentication to a user on the VM. Once this user was accessed, the files were dropped and the machine classified as compromised.

We at Flarum do not take security lightly, which is why our immediate response was to pull the files for analysis by myself and @tankerkiller125 and to rebuild the VM (affectionately known as “Nuke from orbit” or “NFO”).

In the rebuild of our server, we then ensured that password authentication is denied and forced the use of SSH keys (newly generated).
Then we moved towards a zero trust model to ensure that traffic is forced through Cloudflare and dropped if it does not originate from this trusted source.

I hope that this makes sense but I’m happy to answer any further questions!

DaleZ

The team is so responsible! Thank you a lot for hard-working!

tankerkiller125 if you're keyboard can enter chinese characters, use them, not ASCII

I never know the password can set to these😲

tankerkiller125

DaleZ A proper password field accepts any character you could possibly use or type, and hashes them. If/when you run into password inputs that restrict what you can type/use it means that they are probably storing your password in a bad, bad way.

DaleZ

tankerkiller125 Yep, lots of website in my country only support ASCII, so I even forget that.
Anyway, allow UTF-8 characters for password is much safer, thanks again. ❤️

Update: Though support, but can't input them directly, need paste into the field.

a-wild-tim-appears

Thanks for the honesty and the write-up 🙂

matteocontrini

Hello, one question: I understand that you couldn't find evidence of an actual data breach occuring, is that correct? Did you decide to proceed anyway to report a potential data breach to your local privacy authority?

Plus, slightly related: is the privacy policy for Discuss the one published on Flarum.org? In that case I'm pretty sure it cannot be considered GDPR-compliant as it doesn't specify the legal basis for processing ("by using our site you consent..." is not legal AFAIK) and it doesn't specify nor provide a way to exercise privacy rights. Perhaps this could be an opportunity to revise that too.

Anyway, thanks for the details on the investigation, it's always helpful to see how people are handling security in real scenarios, especially from a more technical point of view.

luceos

matteocontrini I must confess I was looking into making the report and then a number of personal events took place that made it impossible for me to continue that. But you're right we need to file the report and improve our policies. Thanks for pointing this out.

katos

matteocontrini actually for a forum software such as Flarum then there is a given consent through usage however the wording does definitely need revision

Consent is defined in Article 4(11) as:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

That said, I would look to adjust the wording of our policy to;

by REGISTERING for our site, you consent to…

We naturally process data (cookies, analytics, etc) for guest visitors, which would need properly documenting under the policies, and this is something that I will look to take internally and resolve.

Thank you for highlighting this and bringing it to our attention

luceos

matteocontrini Did you decide to proceed anyway to report a potential data breach to your local privacy authority?

I forgot to ping back. But the report to the Dutch Autoriteit Persoonsgegevens was submitted on Wednesday at 7.24 PM CEST.

a-wild-tim-appears

luceos Hopefully everything works out okay for you 🙏

JeromeGillard

Bug: login with GitHub is not working anymore. Users created this way are jailed out.

I've registered to this forum via GitHub as external Identity Provider.

Prompting me to set a (new) password makes no sense. Avoiding local user/pass combination is the reason to leverage an external IdP.
As we can't skip the screen I've set a new password. OK I am logged in.
When I logout, I am asked for email and password. This does not make sense as I didn't provide any e-mail.
I could log in again only with the email I've used in GithHub and the new password I've set.
Login with GitHub is now broken (HTTP error 500).

tankerkiller125

JeromeGillard Prompting me to set a (new) password makes no sense. Avoiding local user/pass combination is the reason to leverage an external IdP.

During the creation of an IdP only user a random long password is generated, but never used for that user. Unfortunately at the time of the implementation, there was no forethought into tracking which users logged in using only IdP and which ones logged in with email and password, and switched to IdP at a later date. For this reason the password reset extension which was created specifically for this scenario can not tell the difference between users who use only IdP and the ones that use password and email.

This is why the password reset was required for everyone, including people who have never used email and password prior.

JeromeGillard When I logout, I am asked for email and password. This does not make sense as I didn't provide any e-mail.

This is the standard login page. Nothing new here, there should be a Github login below the email and password entry.

JeromeGillard Login with GitHub is now broken (HTTP error 500).

We will look into this issue.

luceos

JeromeGillard I've just tested this and can't seem to reproduce, is this issue still existing?

mekici

After reading this discussion, when I examined the files in the directory on my own flarum site, I noticed that there were two files named found and satisfiable in the main directory. If I remember correctly, there shouldn't be files with this name. Am I wrong?

KarlReza1

This is also one of the reason why I've created a bounty for passkey support
https://discuss.flarum.org/d/33647-bounty-25-passkey-extension

Of course, passkeys even if implemented won't fully solve the issues as right now almost all websites use passkeys only as option so of course, password leaks would render them useless and only as a means of convenience, but only after people get accustomed to passkeys can we transition to the next stage of mandatory passkey only logins with account reset via email codes.

tankerkiller125

m4v3rick If your intrested in a full length detailed view of how cracking passwords works (notably on Active Directory) I ended up publishing a full post on a new blog me and @katos ended up creating (because we both wanted to share more what we know in the IT space)

fragicide

Sadly, in this day and age, security breaches are becoming the norm. Sensitive information for almost everyone is already out there on the web due to previous breaches in other areas. As end-users, it's become more of an annoyance anymore than an emergency.

However, I do greatly appreciate your transparency, as well as informing us as to how you're going forward. I wish more companies would do the same, rather than just "here's your free year of credit monitoring". Great work, folks!

« Previous Page