blogger gets hacked
October 25, 2002
Post-Hack Update
Blogger's completely back up, including bStats and the API. It seems (again, I don't work for Pyra, but I've had information confirmed by Ev) that the vulnerability was really only severe during the hour or so that Blogger was running while hacked. During that time, it was possible, if you knew another user's login name, to use the "hacxoredbyme" password and post and publish with any other user's account.
It does not seem, at any time, that anyone, including the hacker, could read the server passwords in the system. In technical parlance, the intruder had "update" privileges on the system that stored less sensitive information like the public URL of the site, but no "select" privileges on any database, including the separate one that stores sensitive things like users' server login name and password.
In short, (s)he couldn't even read the database that was screwed up, let alone the other one that had sensitive data.
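The privilege split described above, as an added illustration that is not Pyra's schema or configuration and is not from the original post: MySQL-style GRANT statements (assumed syntax, with hypothetical database, table and account names) that give the public-facing application account UPDATE but not SELECT on the public-settings table, and no access at all to the separate credentials database, which is what limits an "update"-only intruder to defacement rather than disclosure.

```sql
-- Added illustration, not Pyra's schema: hypothetical names throughout.
-- blog_settings holds low-sensitivity data (public URL); blog_credentials
-- holds the users' server logins and lives in a separate database.
CREATE DATABASE blog_settings;
CREATE DATABASE blog_credentials;

CREATE TABLE blog_settings.blogs (
  blog_id    INT PRIMARY KEY,
  owner      VARCHAR(64)  NOT NULL,
  public_url VARCHAR(255) NOT NULL
);

CREATE TABLE blog_credentials.server_logins (
  blog_id      INT PRIMARY KEY,
  ftp_user     VARCHAR(64)    NOT NULL,
  ftp_password VARBINARY(255) NOT NULL   -- stored encrypted, never plaintext
);

-- Account used by the web tier. SELECT is granted on the key column only,
-- because MySQL needs read access to columns named in a WHERE clause;
-- owner and public_url stay unreadable, and blog_credentials is not granted.
CREATE USER 'web_settings'@'localhost' IDENTIFIED BY '<placeholder-password>';
GRANT SELECT (blog_id), UPDATE ON blog_settings.blogs
  TO 'web_settings'@'localhost';

-- Separate account for the publishing job, the only component that needs
-- the stored server login. It has no grant on blog_settings.
CREATE USER 'publisher'@'localhost' IDENTIFIED BY '<placeholder-password>';
GRANT SELECT ON blog_credentials.server_logins TO 'publisher'@'localhost';

-- Effect of the split for a session holding only web_settings:
--   UPDATE blog_settings.blogs SET public_url = '...' WHERE blog_id = 1;
--     -> allowed: rows can be overwritten (the visible damage the post describes)
--   SELECT owner, public_url FROM blog_settings.blogs;
--     -> denied: no SELECT on those columns
--   SELECT ftp_user, ftp_password FROM blog_credentials.server_logins;
--     -> denied: no grant of any kind on blog_credentials
```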
All of this is information that I'm not 100% positive is correct, but that I'm willing to stand behind as probably right. There are hacks that are so well-engineered that a visible hack like the one I reported on yesterday is all a diversion from some other activities that are masked by the part that gets attention. Neither the Pyra folks nor I (for what that's worth, I'm no expert on this part of it) think this intruder was that sophisticated.
Blogger is, now, at exactly the same security level it was two days ago, minus the vulnerability that caused this hack. Your sensitive information (by that, I don't mean things like your public URL) is no more or less vulnerable than it's always been. You can use your feelings about that to decide what information, if any, you should change regarding your server, and whether you want to use Blogger's feature that lets you store your password.
For all the Slashdot readers who were revelling at Blogger's misfortune because the blogger.com domain runs on Microsoft's IIS: the server database which was compromised was attacked through a known, but unpatched, vulnerability on the operating system on which it was running. That operating system is Red Hat Linux, proving once again that the keys to security are meticulous discipline in keeping updated on information, removing unnecessary services, and designing and launching applications with security in mind.
Finally, Ev told me that he intends to be more proactive in communicating with customers in the future. I think that's the best thing he can do to restore trust in his company and product.
Original announcement
Any of you who use Blogger will want to log in right now (if you can) and delete your server information and passwords. It looks like a hack is in progress that first switched many users' passwords or server information to "hacx0redbyme" or "hax0redbyme" and is now prohibiting lots of users from logging in. Tom pointed the problem out to me, and at that point it was mostly Pro users having problems, although it seems to be everyone now.
Update: Blogger's now offline, and the problem's being worked on.
Some Lessons
I wanted to address some of the concerns people have brought up about its security. Some have suggested that this is an issue because of the design of Blogger's service, and that decentralization is the solution. I think we've seen that decentralization isn't necessarily a panacea. (Greymatter had a serious security hole; Installations of Outlook and Exchange are decentralized.) The greater issue is reliability and whether weblogging can get out of its mindset of being a hobby and an amateur effort.
Development right now is usually done like kids hacking on a project, where staying up all night and then flipping a switch where something goes live is considered acceptable practice. That's only ever going to result in insecurity over the long run. It's even more unacceptable when in charge of a database that probably has the world's largest collection of server logins.
That's not meant as a slight to anyone who builds blogging tools, as I was the first public user in the directory and used Blogger for years and was overall very happy with it. But, with the exception of Mena and Ben Trott's work on Movable Type, which has been informed by Ben's background in cryptography and other security practices, there hasn't been a seriousness about the responsibility of developing these applications as weblogs move to being a critical communication tool for people. This is one of the reasons that weblogs aren't generally taken seriously as business tools.
I recently mentioned, to someone less familiar with weblogs, that the process of writing a weblog with a tool is similar to using Hotmail, except you're sending your message to people whom you don't yet know. Unfortunate security parallels aside, one of the lessons of that parallel is that these are tools that people depend on, and they have to be developed and maintained with the seriousness that responsibility entails.
17 TrackBacks
Blogger has been Hacked....see Plasticbag.org or Anil's The 2nd time in the past 12 months. dammit.....now I have to check Read More
Blogger has been hacked. Bill gives us the link to Anil's updates regarding the whole mess. Blogger users, you may Read More
Looks like www.blogger.com has been hacked. Not a problem if you've never used them, but people who either blog or started off blogging with blogger.com should be aware... Read More
For those people still using Blogger you may want to note that your FTP passwords (if you have them stored on the Blogger servers) might have been hacked. You can also check... Read More
Blogger.com was broken into today as first reported by Tom, tracked at Anil Dash and acknowledged at Status and EvHead. Mostly PRO users whose ftp passwords were stored on the servers were affected. Some of them found their passwords changed and were l... Read More
More proof that AOL Time Warner is Satan ... they are building a $483 million movie studio in China. As Read More
PSA for my friends using Blogger: Blogger has been hacked. Click the link to learn what to do. Read More
Well, in a fit of total irony, I find that as I began to write about the fact that Blogger Read More
Blogger got hacked yet again. Anil says "...I think that launching a commerical tool that has server access to remote Read More
Blogger hacked (/.) Read More
anil dash - blogger hacked For an hour the flagship hosting of the blogger fleet was compromised by some kid Read More
You might have noticed today that the CGI problem I had spread like an evil cancer and took down my entire site! Now I have a brand spanking new server. Yay! Back to blogging! UPDATE: Apparently I am not alone in my blogging difficulties. Instapundit i... Read More
Anyone who pisses off Dave Winer is ok in my book, but then I read about this LGF shitstorm and Read More
Anil Dash posted an article with a during- and post- attack commentary on the security breach at the Blogger.com website on 25-Oct-2002. Sobering thoughts for all webloggers everywhere. Read More
I'm getting increasingly worried about Blogger lately. I've since migrated presley, albanydan, and this site from Blogger to Moveable Type, Read More
So, yeah, everybody's gonna be buzzing about Google buying Pyra, but my take is that it's not really that great Read More
79 Comments
Update: Looks like it's possible to log into any Blogger user's account if you can guess their user name. What To Do: Call your ISP and ask them to change the user name and password for your FTP account. Or use your server control panel and change both. Don't just change your password, and make sure to delete your server information from your Blogger account if you can.
Your "remember my login" settings are a cookie on your machine, and aren't related to this problem.
A few users have reported their accounts aren't compromised. But some people who could log in earlier are reporting that they can't now, so it looks like the attack is still in progress and/or getting worse.
The MetaFilter/BlogRoots outage is unrelated to this, for those who've asked.
Looks like it's impossible to change any information at all on Blogger itself because the database is buggered, but I would advise everyone to change their FTP details on their servers as soon as they can as that information may have been compromised...
ho ho. Blogger hacked. Ha ha.
If you can log in to Blogger with one of the names listed above, changing your password will give you an error that says that the server log files are full for "BloggerCentral" database. The good news is, that seems to mean that your changes worked, despite the server error.
I'm getting the server error, but when I return to the settings page, the hacx0redbyme errors are still there.
damnit.
It seems like the attacks are proceeding numerically through the accounts, going by BlogID. So older accounts are seeing the problems first.
Thanks for the heads up. I just went to change my info and when I tried to log back in their site was down.
Blogger.com's got the "sorry" page up now, and Pro's page is changing as I speak. You'll still want to change your server info, but it seems the biggest danger is past.
Thanks for the tip. One more reason decentralized is the way to go.
A screenshot of a compromised account is here. I'd expect any further updates to come from Pyra, at the Status weblog.
Do you still suggest changing usernames? I changed my password, but changing my username would be a pain.
Thanks for the info.
The "best practices" thing to do for security is to change the username, yes. But I'd probably be too lazy to do it, and there are so many sites that were exposed, that you could probably get away with not doing so if you're comfortable with security through obscurity.
In short, you don't have to, but you ought to. Change your user name if you remembered to floss last night before bed.
Hilarious. I floss while in bed, right before I go to sleep.
It's a new game... see how quickly you can install MovableType... I'm clocking in at 20 minutes so far on a client site. On your mark, get set, go!
Thank you. *sigh* Fun for a Friday... Can I figure out MT now?
Geeks who wrote their own blogger-like scripts/databases are unaffected. Ok, so mine doesn't have the versatility of Blogger, yet, but it will now that I've finally figured out what I want from it and so can recode it.
This sucks... I can't change my username, it's through a university, and all sorts of hell would have to be paid. Changed passwords, though.
The status blog for Blogger has been updated with a bit of info, though nothing really new and/or interesting.
And all Blogger has to say for themselves is "Sorry for the inconvenience."
nice
I thought they were moving to Apache Jakarta
That's why my blog is already at www.blogger.com.br
This is madness. Thank God I use MT.
IIS 5.0 isn't the only problem, it's also the abhorrent lack of security in SQL Server, which if I'm not mistaken was the DB for Blogger (at least when I was using it, I believe it was).
Check out: http://status.blogger.com/ which has more detailed information. status.blogger.com is a separate server from the main blogger servers.
And all Blogger has to say for themselves is "Sorry for the inconvenience."
If I were a paying Blogger customer, I'd be pretty pissed right about now. Sorry for the inconvenience? What about the credit card info I gave you? How vulnerable is that? Is it encrypted in the database (if it's in there at all)? I don't care how harmless this particular attack was, it's alarming that someone got into the system in the first place.
What if I were a small business owner with a Blogger Pro-powered weblog on the front page of my site and I woke up this morning to find it filled with racist commentary or pornography that 2,000 of my customers had viewed already?
"Sorry for the inconvenience" is horribly inadequate, especially since this is the second time Blogger has been hacked into. Fuck "cool" new features like bstats, how about some security for paying customers?
I use my own homebrew system with enetation.co.uk :)
New update by Ev at status.blogger.com:
Update: We have found the cause of the vulnerability and have patched it. Everything is back restored and back online with the exception of the API server and bSTATS.
It appears to be back online. I got on and published. Didn't see any evidence of my passwords being messed with. Changed my server password nonetheless, and so on.
Hi, folks.
We're fairly confident we've found the vulnerability, and we've restored the data.
As for the brilliant analysis that it was due to "M$" software, I'm sure you're very educated on these things but...well, you're wrong. [Note: this was a response to two stupid comments that I deleted. --Anil]
Thanks,
Ev.
Glad to see everything's back online without too much harm.
The amount of harm, if the file containing all the account names and passwords was stolen, is really unknowable. Not everyone is going to change their ftp account password, especially if they don't see any damage to their own site, I'd wager. So whoever stole the file has a nice little repository of usernames and passwords from all over the Internet to use (or sell) for all kinds of attacks that won't necessarily directly affect the user whose password they're using.
There are bigger issues than just an individual user's account integrity, here. The Internet as a whole becomes less secure when successful attacks like this happen.
Passwords being changed and files being taken are two separate matters. In this case, as far as we can tell, passwords have been changed. Nothing has been taken.
I sense a lot more defensiveness than contrition coming from Blogger Inc. today. It's the type of reaction I would expect from, well, from myself—as an individual. When a company like Pyra reacts like that, I think it contributes to the unprofessional atmosphere Anil spoke of above.
Thanks for the heads up. I don't think I was affected but am changing my blogger and isp passwords anyway just to be safe. I administer my weblog (public) and my personal journal (very private) through blogger and having a break-in like this again makes me seriously consider alternative log posting tools.
This is symptomatic of a larger problem with Blogger. Uncomfortable giving them my credit card, I sent an email about paying for Pro through PayPal, the former link to which had disappeared when they began to accept credit cards.
That was 3 months ago, and I never heard back. I left Blogger for MT about 2 weeks ago.
Even better -- the 4 days I got a 500 error and couldn't get into my account at all. Also, never received a response from "tech support." MT is dreamy; decentralized is a much better option.
I'm glad I was busy eating a Lean Pocket while all this was happening. I just started a blog there a few days ago. I have no idea what I'm supposed to do now about this. I did not check 'remember my password, etc' so I hope everything's o.k. But Ev should post safety directions for those of us who are newbie un-techies.
Remember that the "remember my password" option merely sets a cookie on your local machine, and is not associated in any way with possible dangers from the hacking activity.
On the other hand, if you have given Blogger your password to the FTP site you use, that could *possibly* be compromised, and that's what they're warning people about.
So it may be a good idea to have the password on your FTP site changed. Sadly, I've been using the same password for 8 years, and finally decided it'd be a good idea to change mine today. :(
You mentioned in the main post Greymatter security holes. Can you send me (or post) where I might do some reading on that issue?
GreyMatter vulnerability due to right-click .reg files before v1.21
But, with the exception of Mena and Ben Trott's work on Movable Type, which has been informed by Ben's background in cryptography and other security practices, there hasn't been a seriousness about the responsibility of developing these applications as weblogs move to being a critical communication tool for people.
I was concerned you would do something like this. Security issues are emphatically not an appropriate time for a professional such as yourself to promote your favorite product. It's like a doctor boasting about his or her hospital in time of crisis. In very poor taste Anil. Next time you want to take a leadership position on an outage or security issue, I'm going to think twice about pointing to you.
Dave, it's because I'm a professional that I can state my opinion. I don't, honestly, recall Userland ever having a serious security problem like this, and I'd probably agree that I should've preceded my comments on MT with "for example", as there are other good examples. But I think that launching a commercial tool that has server access to remote machines without a broad beta program, by releasing it the moment it's finished, is the type of flawed development process that leads to problems like this.
I have a significantly more forgiving view of similar development that's for free (beer or speech) products, as those are much more caveat emptor.
Blogger was a disaster waiting to happen. If you didn't figure this out when it asked to store your server's username/password on their server then you probably shouldn't be complaining about it now!
Although decentralization isn't a panacea, it would certainly have avoided compromising so many accounts so quickly! And, I do agree with Anil that MT seem to have gone through a better QA process than Blogger.
Dave,
I think that Anil had a lot of other links back to him besides yours. But he did what was necessary in this little community of ours.
Trust me, Doctors do brag when their facilities step in at a time of need.
Actually, Dave, I think that times of security issues with a product are great times to point out the relative merits of competing products, since it's in light of the security problems of one product that another (presumably without said problem) shines. Users who are bitten by Blogger's pretty major problem -- one about which there's pretty much been nothing said by Blogger's staff except that it's fixed -- today found themselves in a position to evaluate a possible need to move to another product. And such a decision should be made in an informed way; Anil was merely informing.
Besides, if we all had a buck for the times you gloated about something that Frontier/Manila/Radio/ProductOfThisWeek did better than a competitor who just was caught doing something poorly, we'd all be in a position to afford to buy your products.
Seems to be no end to the ways in which people can upset Mr Winer ...
Lots of people like MT, Dave, and tend to recommend it all over the place. Is it possible that one of the reasons is the friendly public persona of Ben and Mena?
Thanks for the info, Anil. Even if my important projects are (mostly) on MT now, I still have two Blogger blogs, for ad hoc 10-minute-setup sites.
I don't have a blog, yet. But if I did, I'd be too afraid not to use any Userland product. I am afraid Mr. Winer would hunt me down and feed me alive to his pack of wolves for even glancing at competing software.
This post was drafted using Radio's text editor.
Argh. For those of us who signed up for Blogger accounts two years ago and haven't touched it since... I guess we are/were still in the database and thus still vulnerable, assuming that none of our hosting particulars (server address, username, password) have changed?
Yes, you are still in the database. Although my understanding of the current situation (caveat lector) is that no passwords were accessible from the outside, all that happened was user passwords were changed to the "hax0redbyme" name. If that's the case, you should still be okay, as your password was just reset to its regular setting when Blogger came back online.
The vulnerability was when Blogger was hacked, you could log into anyone else's account with that one password, if you could guess their user name.
Thanks very much, Anil; that clarifies things.
(And double argh when I remember that the only reason I have a Blogger account at all is that back in the day, signing up for a sxswb.com login gave you a Blogger login too... and that I only discovered that by accident...)