After investigating unauthorized access to user data on central.owncloud.org, we were able to reconstruct the steps and eliminate the threat. Here’s what happened.
In 2012, hackers gained unauthorized access to LinkedIn’s database and downloaded the password hashes (unsalted SHA-1) of 6.5 million user accounts; those hashes became public in 2016.
Using a rainbow table, an attacker was able to recover the login credentials of a user who used the same credentials for his GitHub account. Once able to log in to the GitHub account, the attacker used the forum’s OAuth login via GitHub to gain access to the forum account.
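To make the first step concrete, the following is an added Python example (not code from the original post or from ownCloud) contrasting the unsalted SHA-1 storage that made the LinkedIn dump crackable by a precomputed table with per-user salted, slow hashing. The wordlist and the two user records are constructed for the demo.

```python
import hashlib
import os

# Constructed stand-in for an attacker's precomputation dictionary;
# a real rainbow table covers billions of candidates, the idea is the same.
WORDLIST = ["password", "linkedin", "letmein", "Summer2012!", "qwerty123"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 digest, the scheme used in the leaked LinkedIn dump."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute digest -> password once. This only pays off because every
    user who chose 'linkedin' ends up with exactly the same digest."""
    return {sha1_hex(w): w for w in words}


def recover_unsalted(leaked_hashes, table):
    """Every leaked digest present in the table is recovered by one dict lookup."""
    return {h: table[h] for h in leaked_hashes if h in table}


def hash_salted(password: str, salt: bytes, iterations: int = 600_000) -> str:
    """Random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def recover_salted(leaked_records, table):
    """The same precomputed table matches nothing: the salt changes every digest,
    so an attacker would have to recompute the wordlist per user at full cost."""
    return {r["hash"]: table[r["hash"]] for r in leaked_records if r["hash"] in table}


def demo():
    # Constructed "leaked" database: alice reuses the cracked password elsewhere.
    users = {"alice": "linkedin", "bob": "Summer2012!"}
    table = build_lookup_table(WORDLIST)

    leaked_unsalted = [sha1_hex(p) for p in users.values()]
    cracked = recover_unsalted(leaked_unsalted, table)

    leaked_salted = []
    for pw in users.values():
        salt = os.urandom(16)
        leaked_salted.append({"salt": salt, "hash": hash_salted(pw, salt)})
    not_cracked = recover_salted(leaked_salted, table)
    return cracked, not_cracked
```

The cracked set from the first half is what lets an attacker try the same password against GitHub or any other site where it was reused; the salted half yields nothing to a precomputed table.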
As an active member of the community and the ownCloud forum, the user’s account was a member of the forum’s admin group, which provided access to the forum’s administrative dashboard, including the possibility to download backups.
As a security measure, direct downloads of backups are not possible. To download a full backup, the forum software Discourse sends a download link to the email address of the account that started the request.
Using the admin privileges of the compromised account, the attacker edited the forum’s email templates and forced the forum to send out a fake message stating that the forum’s backup job had failed, in order to trick another administrative user and change that user’s email address.
Based on this message, the backup job was started manually by the ownCloud admin team to test and resolve the alleged error. After the backup finished successfully, we assumed a minor hiccup had been resolved. Unfortunately, one of the recipients fell for this classic phishing attack, allowing the attacker to take over another administrative account. By changing that account’s email address to an attacker-controlled one, he completed his attack and gained access to a fresh backup of the forum’s database.
After the attacker posted on the forum about his success, we immediately took the following action:
At the time of writing, ownCloud is in contact with the attacker who made it clear that he has no intention of using the leaked data. He also said:
Oh, and of course, a big note: I clearly don’t want to release that [the leaked database backup]. I’ve already deleted the discourse backup (the main challenge was done: get it. keep it profits me nothing)
Intruder’s message to ownCloud
ownCloud’s security measures were and are working, and the software was backed up and is fully up-to-date. The unauthorized access was possible due to human vulnerability and a very skilled approach. We were assured that the leaked data was not used in any way and has already been deleted.
The biggest lesson for everyone should be that we cannot be too careful about securing online login credentials. Based on our conversation with him, ownCloud is not pressing any charges and is working on a security awareness story with him, to engage users to improve their security.
Topics will be 2-factor authentication, password managers and how to generate strong passwords. Stay tuned and follow us on social media to be notified about further information.
The article “ownCloud forum hack: Why password security is more important than ever” was published on ownCloud.