Warning - Porn links on Login

sterretje:
Below my settings; as can be seen, arduino.cc and ajax.googleapis.com are allowed.

How did you figure out that you needed to do that?

It's all very well to follow your advice in this specific case. But there are lots of other websites I want to use and I can't see how I can figure out the details for each of them without spending an awful lot of time on stuff that I am not really interested in and therefore know very little about.

...R

For all those who don't like "noscript" or similar there is a small step you can take (at least on Chrome).

HERE is the direct link (safe link)

It requires no user intervention and stops some crud.

sterretje:
You did clear your browser cache?

It hasn't happened since clearing the browser cache, but we'll see.

I cleared the cache on my cellphone about two days ago and did not have the issue again. Forgot to clear the cache on my tablet and it still happened; cleared it about 8 hours ago and will see.

Reasonably confident that it's solved, but I will provide feedback on GitHub once I'm confident that it's solved or not (one or two days).

Not sure if this has been asked/answered in another thread, but the elephant in the room now must be to know how and when the site got hacked to add the redirect scripts (more an admin thing) and what potential data was taken (things like email addresses, passwords and, for Arduino shop users, payment details).
I personally would like to know if my details were lifted, so as to expect more spam or spear phishing attacks.

I think it's generally considered good form to do a public disclosure and post-mortem when something like this happens. How did the breach occur and to what extent? What was done to fix it? What is being done to make sure this never happens again? Apart from security concerns I'm sure we're all simply curious about the technical aspects. It seems like if Arduino is really about openness and community we deserve some explanation.

I've seen some major screw-ups turned for the positive before through this process. A recent one that comes to mind:
https://docs.google.com/document/d/1GCK53YDcBWQveod9kfzW-VCxIABGiryG7_z_6jHdVik/pub
This was not a hack but just a cascade of really bad decisions on the part of GitLab that led to interruption of service and loss of data. If you watched the conversation on Twitter, people were pretty upset, and then as they could see the development team working hard to fix things (even a live video stream) and being completely open and honest about what they did wrong, it really turned things around.

Quite a contrast to how things are run here where the lack of communication between management and the users leads to a lot of bad feelings, especially when something like this happens. The Arduino community is a huge part of what makes Arduino successful and this forum is the heart of that community. I think we deserve to be treated as part of the team rather than a necessary annoyance.

It is possible they are waiting to be sure the problem is fixed before making a statement but how hard is it really to give some progress updates? We're talking about a minute or two of typing.

pert:
but how hard is it really to give some progress updates? We're talking about a minute or two of typing.

Considering the guys have NEVER bothered to interact with their customers in the face of many requests to do so I suggest you don't hold your breath while waiting.

Unfortunately I don't think they would even notice a boycott of the Forum.

...R

Hi,

Here is what happened. A user (which we identified) used a breach on pmwiki, the wiki we used for our main arduino.cc site. Then he injected this malicious js in the header and footer of the editing website. When we automatically synced the editing website to the main website (this happens every time an editor changes something on the website) the malicious js got injected on arduino.cc.

Since our old infrastructure was still fetching data (header and footer) from arduino main website, all the other websites were infected.

The forum is one of them.

We fixed the effect of it a couple of days ago, but until yesterday we had not found the hole.
Then it looks like this (not served by us) was served with a cache cookie telling the browser to keep it.

What was the attack?

The attack redirects to a website named traffic2bitcoin (not safe to look into it) where a user gets paid if he lands traffic over there; you get paid more if the user is redirected just once per day (this is why the error did not happen if you reloaded the page).

What data was stolen?

Nothing, because the first thing that js (which we inspected) does is a redirect, and once you are out of the arduino.cc domains you cannot read any data from the js. In addition we had a security mitigation not allowing untrusted js to read the cookies where we store the session.

What is the fix?

We were already fixing this and other potential security issues with our brand new infrastructure. Now the header and footer of the homepage, blog, arduino.cc and the new store.arduino.cc and soon also the are all coming from a CDN, and the code is not modifiable by anyone who does not have access to our backend administration panel; there are multiple steps of authorization and verification to access it, and every code change is automatically tested and manually reviewed by one of our devs.

forum.arduino.cc does not have the new header, so is it safe?

Yes, because the attack can work on pmwiki only; in addition we are rolling out the new header/footer to the forum as well.
You have to clear the cache because the js was cached. In general, google-analytcs.ga is not owned by Google (I contacted them to avoid the copyright breach and to get back the domain) but is a malicious site.

Future plan!

It has been two years that I have been sitting in the IT chair at Arduino, and I have spent 80% of my time fixing a broken architecture design. We are at 70% of the work. We still need to move away from pmwiki, while 3 weeks ago we were able to update our blog backend and 2 days ago we completely renewed store.arduino.cc, moving away from a very broken customized version of zencart.

There is still a lot to do and we know it.

Do you want a preview of the new, more secure and robust single sign-on system? Then go to https://auth.arduino.cc, which is going to be our new standard login page.
All the changes I mentioned required months because all the systems were very tied together, while now they are all modular and much simpler to maintain.

I personally do not really trust SFM code either, but I see a lot of moderators and users being against a migration to more modern software, so we have to deal with it and make SFM better.

Again thank you everyone for your help in identifying the issue. It was precious for us.

Luca
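The explanation above describes two things an operator can check mechanically: whether a synced header/footer fragment pulls scripts from hosts outside the site's own allowlist (the lookalike google-analytcs.ga named above, versus the arduino.cc and ajax.googleapis.com hosts quoted earlier in the thread), and whether the session cookie carries the flags that keep it out of reach of page JavaScript. The following is an added example written for this thread, not code from Arduino or from any poster; the allowlist, the sample HTML fragment and the redirect target `example.invalid` are constructed for the demonstration.

```python
"""Audit a header/footer HTML fragment for unlisted script sources and inline
redirect logic, and check Set-Cookie flags. Added example, not Arduino code."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts the site legitimately loads scripts from (assumption, taken from the
# NoScript allowlist quoted earlier in the thread).
ALLOWED_SCRIPT_HOSTS = {"arduino.cc", "ajax.googleapis.com"}


def host_allowed(host, allowed=ALLOWED_SCRIPT_HOSTS):
    """True if host equals, or is a subdomain of, an allowlisted host.
    The leading dot prevents lookalikes such as notarduino.cc from matching."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


class ScriptAuditor(HTMLParser):
    """Collects external script sources and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []      # (src attribute, parsed hostname or None)
        self.inline = []        # text of inline <script> blocks
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            # urlsplit handles absolute and protocol-relative ("//host/x.js")
            # sources; a relative path yields hostname None (same origin).
            self.external.append((src, urlsplit(src).hostname))
        else:
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data.strip())


def audit_scripts(html, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return a list of human-readable findings for the given HTML fragment."""
    parser = ScriptAuditor()
    parser.feed(html)
    parser.close()
    findings = []
    for src, host in parser.external:
        if host is None:
            continue  # same-origin relative path, served by us
        if not host_allowed(host, allowed):
            findings.append(f"third-party script from unlisted host {host}: {src}")
    for body in parser.inline:
        # An inline block that touches window.location is exactly the shape of
        # the injected redirect described in the thread; flag it for review.
        if "location" in body:
            findings.append("inline script references location (possible redirect)")
    return findings


def cookie_flags_ok(set_cookie_value):
    """True if a Set-Cookie header value carries HttpOnly (not readable via
    document.cookie) and Secure (only sent over HTTPS)."""
    attrs = [part.strip().lower() for part in set_cookie_value.split(";")[1:]]
    return "httponly" in attrs and "secure" in attrs


# Constructed sample: one allowed CDN script, one lookalike host (named in the
# thread), one inline once-per-day redirect, one same-origin script.
SAMPLE_HEADER_HTML = """
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script>
<script src="//google-analytcs.ga/ga.js"></script>
<script>if(!document.cookie.match(/seen=/)){window.location="https://example.invalid/";}</script>
<script src="/js/site.js"></script>
"""

if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_HEADER_HTML):
        print("FINDING:", finding)
    print("session cookie ok:", cookie_flags_ok("session=abc; Path=/; HttpOnly; Secure"))
```

Run against the sample fragment this reports exactly two findings, the unlisted google-analytcs.ga host and the inline redirect, while the allowed CDN script and the same-origin path pass. The cookie check is the mitigation Luca refers to: with HttpOnly set, injected page JavaScript cannot read the session cookie, which is why the redirect could not carry the session away even though it ran inside the arduino.cc origin.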

Thank you for the update Luca.

I do hope you have taken notice of the many requests for more active participation in this section of the Forum by your development people.

Please get your people to interact with your customers.

...R

@mastrolinux

Thank you for the public update. I am sure others will appreciate it too.

I know how busy you are fighting fires in the back room.

Thanks for the insight mastrolinux.

A user (which we identified)

Who?

If you know their URL, is there a mechanism to report that URL for legal recourse?


I do not think disclosing the name publicly is a good idea. In addition I have to collect all the evidence and be 100% sure; now I am at 99%.

I reported the URL to the registrar for abuse. Let's see what happens.

Thank you for fixing the site problems; this is greatly appreciated.

However, on this forum, maybe next time your team could acknowledge sooner that a problem is being investigated.

Your users are worthy of information.

One more time, thank you!


LOL at the number of threads created on this subject. Hey, it helps resolve things if you put stuff in the same place! I've locked all the other ones I could find. :slight_smile:

travis_farmer:
I would like to chime in and say thank you as well. I know I spent a pretty good deal of time trying to catch the bug, and found it to be very frustrating. I am very glad it was located and fixed.

It did take a long time from my first flagging up the google.ga site here to something being done. :frowning:

It's taking a long time for me to get the NBN in my suburb. And after hearing recent reports from people who have it, I'm in no hurry.

Great explanation mastrolinux, thanks!

What data was stolen?

Nothing, because the first thing that js (which we inspected) does is a redirect, and once you are out of the arduino.cc domains you cannot read any data from the js. In addition we had a security mitigation not allowing untrusted js to read the cookies where we store the session.

I have doubts about this.

  1. People have reported different issues, on different platforms. You might not have investigated each and every script that was used over time.
  2. Cookies are not the issue. A JavaScript could have read the input field during typing, revealing the unhashed login data of a user.

The only responsible thing to say here is: "Yes, it was technically possible that login data was stolen. Change your passwords." But it also wasn't exactly responsible to leave a compromised board online for so long.