[TYPO3-english] TYPO3.ORG hacked

Robert Lemke robert at typo3.org
Fri Nov 14 15:54:20 CET 2008


Hi all,

it is of course very unfortunate that someone unauthorized was able to login
to typo3.org. I can't give an official statement or tell details about the
incident, but I'd like to share my personal perspective with you.

A general note: it doesn't matter much if a password is md5 hashed
or not - md5 is just a hash and not encryption. Nowadays it's relatively
easy to generate a password out of an md5 hash, especially if it is a weak
password with few characters and without special chars.

So if someone knows the md5 hash of your password, it's almost as if he knows
your password in plain text. Therefore what we really need is truly encrypted
passwords or, much better, a mechanism like OpenId. I know that a team is
currently working on improvements in that regard.

In general it is always a bad idea to use one password for several purposes.
And most people are also not aware of the fact that their passwords
can be sniffed during public events when using a shared WLAN with unencrypted
connections during login.

The main reason for many site hacks I know of was insecure passwords which
were used for many purposes or were easy to guess. The reason for typo3.org
being hacked is, as far as I know, not a security hole in TYPO3 itself but
rather the fact that someone got hold of a working login.

So, as it seems we got off lightly this time (though getting some bad publicity
now, of course) and I am very confident that the team behind typo3.org,
the TYPO3 core team and the security team will come up with a robust solution
which shows that we learned our lessons.

Let's learn from it and ... better check again if you have weak or shared
passwords still in use.

Best,
robert
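The point made above about unsalted md5 (one digest per password, no salt, no work factor) can be shown concretely. The following is an added example written for this archive page; it is not code from the mail, from TYPO3 or from typo3.org. The "leaked" user table, the user names, the passwords and the attacker wordlist are all constructed for the demonstration. It first recovers the weak passwords from an unsalted md5 table with a tiny wordlist plus a short brute-force pass, then stores the same passwords with a per-user random salt and an iterated hash (PBKDF2-HMAC-SHA256 from the Python standard library, chosen here as one readily available option), which is the property the mail is asking for: knowing the stored value no longer amounts to knowing the password.

```python
"""Unsalted MD5 password table versus salted, iterated hashing.

Added example; not TYPO3 code. Every user name, password, digest and
wordlist entry below is constructed for this demonstration.
"""
import hashlib
import hmac
import itertools
import os
import string


def md5_hex(password: str) -> str:
    """Unsalted MD5: the storage scheme discussed in the thread."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed "leaked" table: user name -> unsalted md5 of the password.
# The first three passwords are weak; the last is long and mixed-character.
LEAKED_MD5_TABLE = {
    "alice": md5_hex("typo3"),
    "bob": md5_hex("abcd"),
    "carol": md5_hex("secret"),
    "dave": md5_hex("Tr0ub4dor&3-long"),
}

# Constructed attacker wordlist; a real one has millions of entries.
WORDLIST = ["password", "123456", "typo3", "letmein", "secret"]


def crack_unsalted_md5(table, wordlist, charset=string.ascii_lowercase, max_len=4):
    """Recover passwords from an unsalted digest table.

    Key point: with no salt, ONE md5() of a candidate is checked against
    EVERY user by a dictionary lookup, so the cost is per candidate, not
    per candidate per user.  Returns {user: recovered_password}; users whose
    password is neither in the wordlist nor short and lowercase stay absent.
    """
    pending = {}                       # digest -> [users with that digest]
    for user, digest in table.items():
        pending.setdefault(digest, []).append(user)
    found = {}

    def try_candidate(candidate):
        for user in pending.pop(md5_hex(candidate), []):
            found[user] = candidate

    for word in wordlist:              # dictionary phase
        try_candidate(word)
    for length in range(1, max_len + 1):   # short brute-force phase
        for chars in itertools.product(charset, repeat=length):
            if not pending:
                return found
            try_candidate("".join(chars))
    return found


def hash_password(password, salt=None, iterations=100_000):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256 from the stdlib).

    The random per-user salt means identical passwords store differently and
    a candidate must be re-hashed for every user; the iteration count makes
    each of those attempts deliberately slow.  Stored format (this example's
    own convention): algo$iterations$salt_hex$digest_hex.
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt/iterations; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    cracked = crack_unsalted_md5(LEAKED_MD5_TABLE, WORDLIST)
    print("recovered from unsalted md5:", cracked)
    h1, h2 = hash_password("typo3"), hash_password("typo3")
    print("same password, two different stored values:", h1 != h2)
    print("verify:", verify_password("typo3", h1), verify_password("nope", h1))
```

Running it recovers alice, bob and carol in well under a second and leaves dave alone, which is the "especially if it is a weak password" caveat in practice; a full-size wordlist or precomputed table closes that gap for most human-chosen passwords as long as the digests are unsalted. With the salted scheme the attacker has to repeat the whole candidate run per user, paying the iteration count each time. The iteration count and PBKDF2 itself are illustrative choices; a memory-hard function such as scrypt or Argon2, where available, is the stronger option.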

On 14.11.2008 at 14:54, ries van Twisk wrote:

> Luc,
>
> from what I understand from the mail "including their passwords",
> it shows that the passwords were stored as plain text and thus the hacker
> should have all our usernames and passwords.
>
> Ries
>
>
> On Nov 14, 2008, at 8:45 AM, Luc Muller wrote:
>
>> My question is: Are the FE passwords md5 hashed or something on
>> TYPO3.org?
>>
>> This is the mail I got :
>>
>> -------------------------------------------------------
>>
>> This is an important security warning. You are receiving it because your
>> email address is registered on the TYPO3.org website.
>>
>> We have to inform you that an unauthorized person has gained
>> administrative access to the TYPO3.org website.
>>
>> The offender had access to website user details including their
>> passwords, and there have been reports of this data being used to access
>> other websites.
>>
>> It also has to be expected that the data may have been disclosed to
>> third parties.
>>
>> The attacker has been identified, and the TYPO3 Association has started
>> to take legal action on the issue.
>>
>> Important!
>>
>> IF YOU HAVE USED THE SAME PASSWORD ON ANY OTHER SITE, PLEASE CHANGE IT
>> IMMEDIATELY!
>>
>> In a first step, all login accounts on TYPO3.org have been locked and
>> will require a new password. We are currently working on an improved
>> login procedure and will let you know when this is ready. Until then,
>> you will not be able to log into the Community section of TYPO3.org.
>>
>> We have set up an FAQ page at http://typo3.org/about/faq/t3org-issue/
>>
>> The page may be updated with new questions from time to time, so make
>> sure to check back before replying to this mail.
>>
>> We apologize for the inconveniences and troubles that this might cause
>> you.
>>
>> TYPO3 Association
>>
>> -------------------------------------------------------
>>
>>
>> -- 
>>
>> *Luc Muller*
>> /Web Developer/
>> /Formidable - Rapid Application Development Framework for Typo3
>> <http://formidable.typo3.ug>/
>> /Typo3 Ameos <http://www.ameos.com>/
>> _______________________________________________
>> TYPO3-english mailing list
>> TYPO3-english at lists.netfielders.de
>> http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-english
>
>
>
> 			regards, Ries van Twisk
>
>
> -------------------------------------------------------------------------------------------------
> Ries van Twisk
> tags: Freelance TYPO3 Glassfish JasperReports JasperETL Flex Blaze-DS
> WebORB PostgreSQL DB-Architect
> email: ries at vantwisk.nl
> web:   http://www.rvantwisk.nl/
> skype: callto://r.vantwisk
>


