Flarum.org Security Breach - What it means for you

GreXXL

CyberGene see the reply from luceos about our conclusions so far. It's important to understand that the attack vector was our website (flarum.org) - not the discuss Forum. As there was an old DB backup on the server - as mentioned by tankerkiller125 we asked all users to change their password as a security measure.

katos

CyberGene we can categorically say that this was NOT a result of a vulnerability in Flarum software itself. Please see luceos reply.

With regards to our conclusions, we strongly believe that the ingress occurred due to a misconfiguration allowing password-based authentication to a user on the VM. Once this user was accessed, the files were dropped and the machine classified as compromised.

We at Flarum do not take security lightly, which is why our immediate response was to pull the files for analysis by myself and @tankerkiller125 and to rebuild the VM (affectionately known as “Nuke from orbit” or “NFO”).

In the rebuild of our server, we then ensured that password authentication is denied and forced the use of SSH keys (newly generated).
Then we moved towards a zero trust model to ensure that traffic is forced through Cloudflare and dropped if it does not originate from this trusted source.

I hope that this makes sense but I’m happy to answer any further questions!

DaleZ

The team is so responsible! Thank you a lot for hard-working!

tankerkiller125 if you're keyboard can enter chinese characters, use them, not ASCII

I never know the password can set to these😲

tankerkiller125

DaleZ A proper password field accepts any character you could possibly use or type, and hashes them. If/when you run into password inputs that restrict what you can type/use it means that they are probably storing your password in a bad, bad way.

DaleZ

tankerkiller125 Yep, lots of website in my country only support ASCII, so I even forget that.
Anyway, allow UTF-8 characters for password is much safer, thanks again. ❤️

Update: Though support, but can't input them directly, need paste into the field.

a-wild-tim-appears

Thanks for the honesty and the write-up 🙂

matteocontrini

Hello, one question: I understand that you couldn't find evidence of an actual data breach occuring, is that correct? Did you decide to proceed anyway to report a potential data breach to your local privacy authority?

Plus, slightly related: is the privacy policy for Discuss the one published on Flarum.org? In that case I'm pretty sure it cannot be considered GDPR-compliant as it doesn't specify the legal basis for processing ("by using our site you consent..." is not legal AFAIK) and it doesn't specify nor provide a way to exercise privacy rights. Perhaps this could be an opportunity to revise that too.

Anyway, thanks for the details on the investigation, it's always helpful to see how people are handling security in real scenarios, especially from a more technical point of view.

luceos

matteocontrini I must confess I was looking into making the report and then a number of personal events took place that made it impossible for me to continue that. But you're right we need to file the report and improve our policies. Thanks for pointing this out.

katos

matteocontrini actually for a forum software such as Flarum then there is a given consent through usage however the wording does definitely need revision

Consent is defined in Article 4(11) as:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

That said, I would look to adjust the wording of our policy to;

by REGISTERING for our site, you consent to…

We naturally process data (cookies, analytics, etc) for guest visitors, which would need properly documenting under the policies, and this is something that I will look to take internally and resolve.

Thank you for highlighting this and bringing it to our attention

luceos

matteocontrini Did you decide to proceed anyway to report a potential data breach to your local privacy authority?

I forgot to ping back. But the report to the Dutch Autoriteit Persoonsgegevens was submitted on Wednesday at 7.24 PM CEST.

a-wild-tim-appears

luceos Hopefully everything works out okay for you 🙏

JeromeGillard

Bug: login with GitHub is not working anymore. Users created this way are jailed out.

I've registered to this forum via GitHub as external Identity Provider.

Prompting me to set a (new) password makes no sense. Avoiding local user/pass combination is the reason to leverage an external IdP.
As we can't skip the screen I've set a new password. OK I am logged in.
When I logout, I am asked for email and password. This does not make sense as I didn't provide any e-mail.
I could log in again only with the email I've used in GithHub and the new password I've set.
Login with GitHub is now broken (HTTP error 500).

tankerkiller125

JeromeGillard Prompting me to set a (new) password makes no sense. Avoiding local user/pass combination is the reason to leverage an external IdP.

During the creation of an IdP only user a random long password is generated, but never used for that user. Unfortunately at the time of the implementation, there was no forethought into tracking which users logged in using only IdP and which ones logged in with email and password, and switched to IdP at a later date. For this reason the password reset extension which was created specifically for this scenario can not tell the difference between users who use only IdP and the ones that use password and email.

This is why the password reset was required for everyone, including people who have never used email and password prior.

JeromeGillard When I logout, I am asked for email and password. This does not make sense as I didn't provide any e-mail.

This is the standard login page. Nothing new here, there should be a Github login below the email and password entry.

JeromeGillard Login with GitHub is now broken (HTTP error 500).

We will look into this issue.

luceos

JeromeGillard I've just tested this and can't seem to reproduce, is this issue still existing?

mekici

After reading this discussion, when I examined the files in the directory on my own flarum site, I noticed that there were two files named found and satisfiable in the main directory. If I remember correctly, there shouldn't be files with this name. Am I wrong?

KarlReza1

This is also one of the reason why I've created a bounty for passkey support
https://discuss.flarum.org/d/33647-bounty-25-passkey-extension

Of course, passkeys even if implemented won't fully solve the issues as right now almost all websites use passkeys only as option so of course, password leaks would render them useless and only as a means of convenience, but only after people get accustomed to passkeys can we transition to the next stage of mandatory passkey only logins with account reset via email codes.

tankerkiller125

m4v3rick If your intrested in a full length detailed view of how cracking passwords works (notably on Active Directory) I ended up publishing a full post on a new blog me and @katos ended up creating (because we both wanted to share more what we know in the IT space)

fragicide

Sadly, in this day and age, security breaches are becoming the norm. Sensitive information for almost everyone is already out there on the web due to previous breaches in other areas. As end-users, it's become more of an annoyance anymore than an emergency.

However, I do greatly appreciate your transparency, as well as informing us as to how you're going forward. I wish more companies would do the same, rather than just "here's your free year of credit monitoring". Great work, folks!

Wadera

luceos We have no evidence to suggest that

First, I want to express my sincere thanks for the comprehensive report on the recent security breach. Your transparency and dedication to safeguarding our forum are truly commendable.

I have a few technical questions that I couldn't find answers to in the report, and I'm hoping to gain some more insights:

Sources of the Breach: Are there any suspected or confirmed sources of the breach? Understanding the origin is crucial for developing effective prevention strategies.

Flarum Engine Security: Given that Flarum engine has been cleared as the vulnerability point, could you provide insights into how the attackers might have accessed the host system? Is there a possibility that a developer's credentials were compromised, or are we looking at an internal job by an untrusted developer?

Confidence in Flarum's Security: If the exact source of the breach is still unknown, how can we be confident that the Flarum source code remains secure? Clarification on this would be immensely helpful.

I believe having answers to these questions will not only help in reinforcing our forum's security but also assist in keeping the community informed and vigilant.

katos

Wadera hi Wadera!

Allow me to answer your concerns:

Sources of the Breach: Are there any suspected or confirmed sources of the breach? Understanding the origin is crucial for developing effective prevention strategies.

It would be extremely difficult to pinpoint the exact source in terms of country or threat actor, however our evidence suggests that this is a lone actor who managed to successfully brute force the SSH on the host VPS to gain access to the device.

Our VPS is segregated by design, with a least access principle in play, however we regrettably made a mistake which allowed password-based remote SSH to be available. In the rebuild of our entirely new VPS (which we now run off) this issue was resolved and we’re very much moving to a zero-trust model to lock this down further.

In short, the source of compromise was IN NO WAY related to Flarum or its source code, but was due to a misconfiguration of the host itself.

Flarum Engine Security: Given that Flarum engine has been cleared as the vulnerability point, could you provide insights into how the attackers might have accessed the host system? Is there a possibility that a developer's credentials were compromised, or are we looking at an internal job by an untrusted developer?

As above, the source was due to a successful brute force of a misconfigured SSH allowing remote password-based authentication.
In terms of mitigations, we no longer allow SSH authentication by password (relying on strong encryption keys instead) whilst also layering on;

IP bans on unsuccessful authentication
Firewall checking of all events
System event logging to a remote server to allow for SIEM based monitoring
(in progress) migration to ZTNA to enforce SSH teaffic through Cloudflare, which will be logged, audited and restricted by key operational managers within the Flarum team.

Confidence in Flarum's Security: If the exact source of the breach is still unknown, how can we be confident that the Flarum source code remains secure? Clarification on this would be immensely helpful.

We understand that security events of any nature are inherently disheartening and a great cause for concern, rest assured that the Flarum team remain highly committed to our security standing as evidenced by our use of crowdsourced bug bounties, as well as a planned security audit for our code base as we move to 2.0 and beyond.

This was already in place, but is now better scoped (and we will be planning repeated security audits going forwards).

tankerkiller125

katos (in progress) migration to ZTNA to enforce SSH teaffic through Cloudflare, which will be logged, audited and restricted by key operational managers within the Flarum team.

And update on this particular point of intrest.

This migration has been completed, and now for all intents and purposes the new Flarum host can't be accessed at all by the general public internet, and instead all connections go through our ZTNA provider (yes, even the connections to the Forum, marketing site, etc.)

Wadera

Great. That's what I hoped for to hear. Thank you very much for confirmation and clarification ❤

luceos

Wadera as part of our NLnet fund participation, we will also be able to get a third party security audit done once 2.0 is in considerable shape. I'm very thrilled this is an added benefit and I can't wait to get to that point and make Flarum even better for everyone.

« Previous Page