Hi,
Here is what happened. A user (whom we identified) used a breach in pmwiki, the wiki we used for our main arduino.cc site. Then he injected this malicious JS into the header and footer of the editing website. When we automatically synced the editing website to the main website (this happens every time an editor changes something on the website), the malicious JS got injected into arduino.cc.
Since our old infrastructure was still fetching data (header and footer) from the arduino main website, all the other websites were infected.
The forum is one of them.
We fixed the effect of it a couple of days ago, but until yesterday we had not found the hole.
Then it looks like this JS (not served by us) was served with a cache cookie telling the browser to keep it.
What was the attack?
The attack redirects to a website named traffic2bitcoin (not safe to look into it) where a user gets paid if he lands traffic over there; you get paid more if the user is redirected just once per day (this is why the error did not happen if you reloaded the page).
What data got stolen?
Nothing, because the first thing the JS we inspected does is a redirect, and once you are out of the arduino.cc domains you cannot read any data from the JS. In addition, we had a security mitigation not allowing untrusted JS to read the cookies where we store the session.
What is the fix?
We were already fixing this and other potential security issues with our brand new infrastructure. Now the header and footer of the homepage, blog, arduino.cc and the new store.arduino.cc, and soon also the, are all coming from a CDN, and the code is not modifiable by anyone who does not have access to our backend administration panel; there are multiple steps of authorization and verification to access it, plus every code change is automatically tested and manually reviewed by one of our devs.
forum.arduino.cc does not have the new header, so is it safe?
Yes, because the attack can work on pmwiki only; in addition, we are rolling out the new header/footer to the forum as well.
You have to clear the cache because the JS was cached. In general, google-analytcs.ga is not owned by Google (I contacted them to avoid the copyright breach and to get the domain back) but is a malicious site.
Future plan!
It has been two years that I have been sitting in the IT chair at Arduino, and I have spent 80% of my time fixing a badly designed architecture. We are at 70% of the work. We still need to move away from pmwiki, while 3 weeks ago we were able to update our blog backend and 2 days ago we completely renewed store.arduino.cc, moving away from a very broken customized version of zencart.
There is still a lot to do and we know it.
Do you want a preview of the new, more secure and robust single sign-on system? Then go to https://auth.arduino.cc, which is going to be our new standard login page.
All the changes I mentioned required months because all the systems were very tightly tied together, while now they are all modular and much simpler to maintain.
I personally do not really trust the SMF code either, but I see a lot of moderators and users being against a migration to more modern software, so we have to deal with it and make SMF better.
Again, thank you everyone for your help in identifying the issue. It was precious to us.
Luca
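The post above describes two defensive points: a synced header/footer that should only load scripts from known hosts, and a session cookie that injected JavaScript must not be able to read. The following is an added example (not Arduino's code, and not part of the original post) of a check a team could run on the header/footer fragment at sync time, before it is pushed to the main site, plus a check on the session cookie's flags. The allowlist, the sample footer fragment and the Set-Cookie header are constructed for illustration; the look-alike host in the sample is the one named in the post.

```python
"""Audit a synced header/footer HTML fragment for unexpected script sources,
and check that the session cookie carries the flags that keep it out of
reach of injected JavaScript. Added example; not Arduino's own code."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the hosts the site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.google-analytics.com", "cdn.example-arduino.test"}


class ScriptCollector(HTMLParser):
    """Collect every <script src=...> target and count inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._in_script = True  # no src: the body is inline code

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline += 1

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False


def find_untrusted_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (list of external script URLs not on the allowlist, inline count).

    Relative URLs (no host) are served from our own origin and are skipped;
    protocol-relative '//host/...' URLs are resolved like absolute ones."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    untrusted = []
    for src in parser.srcs:
        host = urlparse(src).hostname
        if host is None:
            continue
        if host.lower() not in allowed_hosts:
            untrusted.append(src)
    return untrusted, parser.inline


def session_cookie_is_protected(set_cookie, name="session"):
    """True if the Set-Cookie header for `name` carries both HttpOnly (so
    document.cookie in any injected script cannot read it) and Secure."""
    parts = [p.strip() for p in set_cookie.split(";")]
    if not parts or not parts[0].startswith(name + "="):
        return False
    flags = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return "httponly" in flags and "secure" in flags


# Constructed footer fragment: one same-origin script, one allowed host,
# one look-alike host, and one inline script that performs a redirect.
SAMPLE_FOOTER = """
<div id="footer">
  <script src="/js/site.js"></script>
  <script src="https://www.google-analytics.com/analytics.js"></script>
  <script src="//google-analytcs.ga/ga.js"></script>
  <script>window.location = "https://redirect.invalid/";</script>
</div>
"""


def audit_footer(html=SAMPLE_FOOTER):
    """Summarise the audit; a fragment is 'clean' only with zero findings."""
    untrusted, inline = find_untrusted_scripts(html)
    return {"untrusted": untrusted, "inline": inline,
            "clean": not untrusted and inline == 0}


if __name__ == "__main__":
    print(audit_footer())
    print(session_cookie_is_protected("session=abc123; Path=/; HttpOnly; Secure"))
```

Run as a gate in the sync job: refuse to publish the fragment when `clean` is false, and log the offending URLs so the look-alike host is visible in the audit trail rather than only in users' browsers. The cookie check only inspects the flags the post's mitigation relies on; it does not evaluate the cookie's value.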