After investigating unauthorized access to user data on central.owncloud.org, we were able to reconstruct the steps and eliminate the threat. Here’s what happened.
In 2012, hackers were able to gain unauthorized access to LinkedIn’s database and downloaded password hashes (SHA-1) from 6.5 million user accounts, (the password hashes became public in 2016).
Using a rainbow table, an attacker was able to guess login credentials of a user who used the same credentials for his GitHub account. Being able to login to the GitHub account, the attacker used the OAuth login to gain access to the forum account.
As an active member in the community and the ownCloud forum, the user’s account was a member of the forums admin group, which provided access to the forum’s administrative dashboard including the possibility to download backups.
But the attacker pushed it one step further
To add a security measure, direct downloads of backups are not possible. To download a full backup the forums‘ software Discourse sends out a download link to the accounts‘ email address which started the request.
Using the admin privileges of the compromised account, the attacker edited the forums email templates and forced the forum to send out a fake message stating that the forums backup job failed, in order to trick another administrative user and change his mail address.
Fake backup error phising mail
Based on this message the backup job was started manually by the ownCloud admin team to test and resolve the alleged error. After the backup was finished successfully, we assumed a minor hiccup was now resolved. Unfortunately, one of the recipients fell for the classic phising attack allowing the attacker to take over another administrative account. By changing the accounts‘ email address to a attackers‘ controlled one he succeeded in his attack and gained access to a fresh backup of the forums database.
After posting on the forum about his success, we immediately took the following action:
- Took the forum offline as a precautionary measure
- Reproduced the steps the intruder took (he was very cautious and skilled using the Tor-network to blur any trace of his activity)
- Limited access to forum admins
- Updated the forums software to the latest version (only a minor update but still)
- Informed all users via email and social media about the breach with recommended steps that they should take
No harm done
At the time of writing, ownCloud is in contact with the attacker who made it clear that he has no intention of using the leaked data. We evaluated all technical and legal steps and took every possible step to prevent any further damage. In cooperation with legal counsel, extended security teams and the attacker himself we can assure that the leaked data was not published to the public and was and will not be used in any way.
Oh, and of course, a big note: i clearly don’t want to release that [the leaked database backup]. I’ve already deleted the discourse backup (the main challenge was done: get it. keep it profits me nothing)intruders message to ownCloud
This article was written in cooperation with the attacker who wants to stay anonymous.
What did we learn from this?
ownCloud’s security measures were and are working, and the software was backed up and is fully up-to-date. The unauthorized access was possible due to human vulnerability and a very skilled approach. We were assured that the leaked data was not used in any way and has already been deleted.
The biggest lesson to everyone should be, that we cannot be too careful about securing online login credentials. Based on our conversation with him, ownCloud is not pressing any charges and is working on a security awareness story with him, to engage users to improve their security.
Topics will be 2-factor authentication, password managers and how to generate strong passwords. Stay tuned and follow us on social media to be notified about further information.
