I received this anonymous email a few days ago:
I found what one could call a security hole in Stackoverflow. I'm curious enough to go digging around for holes, but too ethical to actually do anything with them. However, I'm afraid that by pointing it out I'll get banned, because a good member doesn't poke around like I just did. I promise I did nothing with what I found out besides confirm the hole. You may be wondering why I'm e-mailing you personally, rather than team@stackoverflow.com. It'll make sense when I reveal the hole, which is...
I logged in as you.
How? Well, there were two pieces of the puzzle, the password and the openid provider. I had a possible password; today your blog post revealed the openid provider. I logged in, freaked out that it actually worked, then logged out. The only reason I had the password is because your password is totally inadequate for someone running a site like StackOverflow. I don't want to go into any more detail than that, but man - dictionary password!
I've read about the secret "hacker" badge... if you're not going to punish me for my transgression, then I will reveal who I am and I sure wouldn't mind getting it. Still, I can understand if you're upset - I wouldn't want someone else digging up my password. (That's why I send this friendly e-mail instead of hoarding, or worse, selling, the information.)
Please, go change your openid password, before someone less ethical than I finds it.
- A friend of the site
These are the kinds of emails that make your blood run cold. Good thing I haven't made too many enemies. Today, I mean. So far. The day's not over, yet.
Is it true? Did someone just log in as me? I checked the OpenID logs, and sure enough, there was a valid login from an IP address I didn't recognize. He wasn't bluffing. He really did log in as me.
While it's true I probably should have used a more secure password, in my defense:
What's interesting about this, though, is how it happened. I'll reveal that tomorrow, with this one hint: I've talked about this exact sort of vulnerability several times on this very blog.
Until then, take your best guess: how do you think this person discovered my password? I'll highlight the best response tomorrow with the answer.
* Although as a Stack Overflow moderator I have unusual powers and probably should have used an alternate OpenID with more security.
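What "dictionary password" means in practice, as an added example that is not code from this post or from anyone in the comment thread below: a small rule-based expansion of a wordlist of the kind password crackers run (case forms, leet substitutions, a couple of digits front or back), a check of whether a candidate password falls inside that expansion, and a per-site derived password (the hash(url + master) idea that comes up in the comments, with the master secret used as an HMAC key instead). The substitution table, the wordlist and the candidate passwords are all constructed for the demo; none of them is taken from the post, and the rule set is a deliberately tiny subset of what a real cracker applies.

```python
"""
Added example (not code from the post or from anyone in its comment thread):
a toy version of the rule-based dictionary expansion that password crackers
use, a check of whether a password survives it, and a per-site derived
password scheme with the caveat that it is only as strong as its secret.
Wordlist, substitution table and candidate passwords are constructed here.
"""
import base64
import hashlib
import hmac
import itertools
import secrets

# Small substitution table; real rule sets (John the Ripper, hashcat) are far larger.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}


def leet_variants(word):
    """Yield every combination of applying or not applying each LEET substitution."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for flip, i in zip(mask, positions):
            if flip:
                chars[i] = LEET[chars[i]]
        yield "".join(chars)


def mangle(word, max_digits=2):
    """Expand one dictionary word into the variants a basic rule set covers:
    three case forms, every leet combination, and up to max_digits digits
    appended or prepended.  Returned as a set so the caller can count guesses."""
    variants = set()
    for base in (word.lower(), word.upper(), word.capitalize()):
        for leet in leet_variants(base):
            variants.add(leet)
            for n in range(1, max_digits + 1):
                for digits in itertools.product("0123456789", repeat=n):
                    d = "".join(digits)
                    variants.add(leet + d)
                    variants.add(d + leet)
    return variants


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def rule_based_crack(target_hash, wordlist):
    """Return (recovered_password, guesses) or (None, guesses).
    Unsalted SHA-256 stands in for whatever oracle the attacker has (a leaked
    hash, or a login form with no rate limit); the point is that the whole
    search is a few thousand guesses per wordlist entry."""
    guesses = 0
    for word in wordlist:
        for candidate in sorted(mangle(word)):
            guesses += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def derived_site_password(master_secret, site, length=20):
    """Per-site password = HMAC-SHA256(master_secret, site), base64, truncated.
    Same shape as the any_hash(url + easy_password) idea, except the master
    secret is the HMAC key and is assumed to be random bytes: a guessable key
    merely moves the dictionary attack one step (see crack_derived)."""
    mac = hmac.new(master_secret, site.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()[:length]


def crack_derived(site_password, site, wordlist):
    """The caveat in practice: with a dictionary-word master secret the attacker
    runs the same mangled-wordlist loop through the derivation."""
    for word in wordlist:
        for candidate in sorted(mangle(word)):
            if derived_site_password(candidate.encode(), site) == site_password:
                return candidate
    return None


if __name__ == "__main__":
    wordlist = ["banana", "orange", "horror"]                  # constructed wordlist
    for pw in ("0r4ng3", "Orange99", "h0rr0r7", "k3TqW9x!Lmz"):   # constructed candidates
        found, n = rule_based_crack(sha256_hex(pw), wordlist)
        print(f"{pw:12} -> {found!r} after {n} guesses")

    site = "stackoverflow.com"
    strong = derived_site_password(secrets.token_bytes(32), site)
    weak = derived_site_password(b"Orange99", site)             # dictionary-word master
    print("random master cracked as:", crack_derived(strong, site, wordlist))
    print("weak master cracked as:  ", crack_derived(weak, site, wordlist))
```

Running it recovers each dictionary-derived candidate within a few thousand guesses per wordlist entry, leaves the mixed-symbol string and the random-key derived password unrecovered, and recovers the master word behind the weakly derived one. That last result is the practical reading of the "url + password" advice: the derivation adds nothing if the secret fed into it is itself a word a cracker will try.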
OK, this is a TRULY random guess, is it t;AoVD061MBWm=NX6V+u?
Patrik Hägne on May 4, 2009 2:03 AM

hm, maybe password was... bufferoverflow?
stackunderflow?
vistarocks?
diggthis#$@%!
BugFree on May 4, 2009 2:13 AM

Teasers suck.
btmorex on May 4, 2009 2:20 AM

2nd for fakeplasticrock
yikes on May 4, 2009 2:27 AM

I'm going to guess Joshua or some other trivia from the movie War Games, since on your SO user profile page you have a screenshot from the movie (and Joshua was the backdoor password to WOPR).
achaetes on May 4, 2009 2:31 AM

I suppose that the good-will hacker has access to the passwords of another site where you are registered as a user...
menek on May 4, 2009 2:36 AM

3ee70r4Ng323 (leetorange23 with leet speak) _is_, and should always be, considered a dictionary password. Changing a letter for a number is not secure; case and 2 numbers at beginning or end are already checked when brute-forcing hashes.
Take a dictionary, whatever the language (hell, I still have the 300Mb dictionary from back when I was working in security, containing Japanese and Russian romanization of words and common website URLs), and whatever the case, leet speak and/or 3 numbers at beginning/end, it's still part of the dictionary. Period.
Disclaimer: I'm not that guy.
h on May 4, 2009 2:48 AM

I don't get it.
What's the point to having multiple OpenIDs anyway? I thought the point was that you don't need a different username and password for every site.
Now you need a super-secret OpenID for important sites and a different OpenID that's only a bit secret for sites where it wouldn't matter if everyone knew your password anyway?
Even if the hacker just guessed the password, it all seems kinda pointless.
Also, how many times do people have to be told that you log in as administrator when you're administering and log in as a regular user when doing regular user stuff, which implies that a person who both uses and administers a site should have, say, two freaking accounts?
How hard would that be, anyway? Really? Can't be done?
And for a completely insane and ridiculous suggestion that no sensible person would ever consider, perhaps even use some advanced high-tech security like public key based client authentication? Fine, your regular users won't want to deal with that, but presumably the guys running the site aren't your typical vegetables, and could cope. Then the site admin accounts would be even more secure than they are now.

I would guess that, on another website that either this person moderates or has access to, your password is being stored as a plaintext value in their database. He followed your internet trail back to this blog, at which point all he needed was the openID provider.
Joseph on May 4, 2009 3:10 AM

Was it swordfish?
1800 INFORMATION on May 4, 2009 3:22 AM

Jeff, how many times did your ethical hacker fail at logging in under your name before succeeding?
Phil Deneka on May 4, 2009 3:24 AM

My guess is wumpus as well.
andrewdoak on May 4, 2009 3:36 AM

'I drive a 1998 Ford Contour.'
baa on May 4, 2009 3:44 AM

Wow, that might be the nicest thing a stranger will ever do for you. I certainly wouldn't punish him (her?!). And it probably deserves the secret hacker badge; probably not for technical prowess, but for the true hacker ethic.
tektor on May 4, 2009 3:55 AM

Maybe a dictionary attack that covers all the typical number substitutions for letters, i.e. 0range, or App1e.
Justin on May 4, 2009 4:10 AM

Oh right, and all you guys that are talking about dictionary attacks look to be off the mark. The email itself says it:
I had a possible password; today your blog post revealed the openid provider. I logged in, freaked out that it actually worked, then logged out.
He already had the password - there was no need for a dictionary attack - all he needed to know was the openid provider (probably google) and then he could log in using his google credentials, not to mention he could probably check his email, and all that other good stuff that google gives you.
1800 INFORMATION on May 4, 2009 4:15 AM

Since openID passwords are encrypted, this hacker most likely picked up the hash value from IP traffic and then went to one of the sites which allow you to decrypt MD5 by a little bit of brute force. Since we know that password was a dictionary word, brute force could have been quite gentle in this case.
BugFree on May 4, 2009 4:17 AM

sixtoeightweeks
Alan Wright on May 4, 2009 4:19 AM

It's password
Bratch on May 4, 2009 4:28 AM

3rd vote for Rockhardawesome
CLB on May 4, 2009 4:50 AM

He created a GUI in visual basic and tracked your IP address.
Tom on May 4, 2009 4:53 AM

Social engineering is the usual way - mentioned girlfriend/pet/streetname possibly?
Beren on May 4, 2009 4:59 AM

Something to do with the following: wumpus, elizabeth, billcosby, jooky, burton, betsy, gamebasement, wise-ebusiness, boland boss, chuck snyder, lifepoint, brentwood
parker on May 4, 2009 5:09 AM

Or if I was able to figure out your crystaltech account ID (which could easily be social engineered), that'd open the floodgates for me.
parker on May 4, 2009 5:11 AM

0wned.
Ruudjah on May 4, 2009 5:12 AM

May I just add that the concept of the Hacker badge (if implemented as the anonymous emailer suggested) is one of the best security Hacks ever. Find something of little value you can give people to get them to attempt to hack your site and admit it.
Encourage Hacking!
Bill K on May 4, 2009 5:19 AM

Passwords are flawed, they are too easily broken, but I've found the cure: I don't use passwords. Think about it - you only change your password and that's only half of your identifier when logging in!
Instead, every 28 days I change my identity. This month I'm Gerald Wobblebottom. Who knows who I will be next month. In fact, some days I don't know who I am until I get to work and see my name on the door.
Philip on May 4, 2009 5:22 AM

Was it orange?
Goran on May 4, 2009 5:26 AM

C'mon.. I have work to do.. Now who's gonna spend time finding out how he did it.. Damn! You just ruined my working day..
I appreciate the guy with ethics.. :)
Saj on May 4, 2009 5:29 AM

Don't be silly, do you think Jeff is stupid?
It was of course 0r4n93.
Adam Philips on May 4, 2009 5:32 AM

How did this person discover your password? My guess is you inadvertently typed your password into a Stack Overflow field while thinking focus was on another window. The perp then spotted the random word in an SO post, and guessed that it must be a password.
Douglas F Shearer on May 4, 2009 5:34 AM

I'm going to guess he got your password the same way Anonymous got Sarah Palin's yahoo account password: Broken secret question system.
Jason on May 4, 2009 5:36 AM

I would have to guess that it was a cross-site attack (XSS), you mentioned it in a particular blog post as well as several times when talking about particular vulnerabilities that you should pay attention to. Personally I'm partial to picking randomly generated passwords from pwgen, writing them down together with all my old passwords on a note which I keep somewhere safe. It's surprising though, how quickly you can memorize a number of random alphanumerics.
http://www.codinghorror.com/blog/archives/001171.html
Stefan on May 4, 2009 5:38 AM

I'll also say Rockhardawsome
Joel on May 4, 2009 5:43 AM

I suppose it was contained in a configfile which you published somewhere.
Or you used the same password on another website which is controlled by the attacker.

the password is...
1... 2... 3... 4... 5...
Hey! That's the same combination I have on my luggage!
TG on May 4, 2009 5:50 AM

good thing I don't use OpenID for anything else than Stack Overflow...
Jens on May 4, 2009 5:51 AM

The most likely cause was that you used it on his site and he is logging passwords or saving them un-hashed.
Malte on May 4, 2009 5:52 AM

but will you punish him? :)
Gregory on May 4, 2009 5:53 AM

Lemme guess...
He created a dummy stackoverflow site and phished you into entering your password into that.
Miff on May 4, 2009 5:55 AM

I know Steve Gibson and you sir are no Steve Gibson ;-)
sw on May 4, 2009 5:59 AM

Don't you just love SpaceBalls the movie? Only a geek could quote from that movie!!!
Philip on May 4, 2009 5:59 AM

My first thought was the same as Malte's - while orange is a good guess, that would fall under the dictionary category that Jeff is denying.
Chris on May 4, 2009 6:00 AM

Wait a minute, I think it might be an exploit in the Create new User page.
Mainly because I went to register an account there and it gave me a 404 error when I clicked Create new User.
Miff on May 4, 2009 6:00 AM

FYI the 1... 2... 3... 4... 5... by TG was from spaceballs.
Philip on May 4, 2009 6:00 AM

the password was orange! Mainly because my captcha is orange!!!!! It's a sign, you see.
Tony on May 4, 2009 6:03 AM

My lucky guess would be Rockhardawesome.
Orkun Balkanci on May 4, 2009 6:04 AM

Jeff! There is no end to adequate and convenient password management programs on every platform! You should use one (and use long random passwords), or use the technique that you once proffered on a Stack Overflow Podcast:
any_hash(url + your_easy_to_remember_password);
Of course in your case both the url and password are obvious (evidently), so you would have to add one more piece of information, or hash the hash, or do anything else that could be reproducible.
Jeesh, it's like you're a movie supervillain or something.
guns on May 4, 2009 6:11 AM

random guess: jeff@wood
danimajo on May 4, 2009 6:13 AM

I think it was thequickbrownfoxjumpsoverthelazydog as seen here: http://www.codinghorror.com/blog/archives/000949.html
mannu on May 4, 2009 6:15 AM

danimajo had my guess. J3ff@wood or variants thereof.
Tom on May 4, 2009 6:20 AM

It must be orange or WOWrocks?
Wanko on May 4, 2009 6:25 AM

I guess horrorCoding
Paul on May 4, 2009 6:31 AM

guiterhero
Dudi on May 4, 2009 6:32 AM

My guess is that the password was Wumpus related.
Greg on May 4, 2009 6:32 AM

Practicality, are you sure it has a 6 on the end? I thought it was 12345.
No other Spaceballs references on Star Wars day? :(
Andrew Grimm on May 4, 2009 6:33 AM

My guess - it was a pass phrase about the convenience of OpenID, used in one of the posts.
Rarst on May 4, 2009 6:36 AM

orange1!!!!
lol
Greg Magarshak on May 4, 2009 6:37 AM

crosssitescripting,
you read a blog of him while being logged in using openid
is this technically possible? :)

He had your password before your openID provider - which leads me to believe you typed your password somewhere that wasn't secure. I don't think you would have been duped by an XSS. I'm going to go with bad input sanitation. Javascript was inserted into a comment on an answer you wrote, and when you viewed your user page, he received your password.
`Josh on May 4, 2009 6:43 AM

Can I recommend LastPass:
https://lastpass.com/technology.php
Free, secure, machine and platform independent.
Tom A on May 4, 2009 6:44 AM

I'm gonna guess XSRF (somehow)
matt b on May 4, 2009 6:48 AM

I bet you wrote it on a post-it note near your computer and your wife saw it! She totally stole your password! SHE IS RIGHT BEHIND YOU!
(OK, it was worth a shot.)
Shmork on May 4, 2009 6:50 AM

Just some guesses:
- NoWayInHell
- IHeartBunnies!
- this is my password
- Password1!
- deliciously-salty-
or his e-mail address ...
Hinek on May 4, 2009 6:53 AM

@danimajo, lol that's funny
@jeff atwood, that sucks.. but I understand what you mean. Some of my accounts online have very weak passwords, but as you have mentioned on the podcast, who cares about hammocks.com?? Also, I'm just a lowly internet troll whereas you run a pretty successful online community, that might make a difference.
theman on May 4, 2009 6:56 AM

o yea, and as far as the password, orange +1
theman on May 4, 2009 6:57 AM

With SuperGenPass nobody has an excuse for lame passwords on any web account.
Use it!
Kevin on May 4, 2009 6:58 AM

I know it was goatse wasn't it.
Tom on May 4, 2009 7:00 AM

I would guess HenryBurton from the post http://www.codinghorror.com/blog/archives/001242.html
I've seen the movie War Games way too many times :)
Perhaps you comment on one of his blogs or use one of his services where you login and he knew a) you were Jeff Atwood and b) stores passwords as plaintext in his system rather than hashing them. Failing that, maybe you wrote something on twitter or something that gave him an idea. Anyway, you should use autogenerated passwords.
Also, one thing I love about this is that it shows OpenID for what it is, a bad idea and gaping security hole. You said yourself that you use a password you don't care about to login to Stackoverflow. But the problem is, if you have several different passwords, an attacker needs multiple attack vectors to totally take over your online identity rather than just your open id account that not only is the same password but the same username. As well, given that there are not that many Open ID providers, you don't even have to know the particular provider (just try them all).
5t4ck0v3rfl0w
Dan Roberts on May 4, 2009 7:07 AM

guys, a hint:
http://www.google.com/search?q=site%3Awww.codinghorror.com+password
the most often used keyboard shortcut?
ctrlcv
thequickOrangefoxjumpedoverthelazydog
: )
I know nothing about security or hacking a site, but smart ass I've got covered pretty well. LOL
I don't like OpenID and was disappointed that SO used it. Why not just stick to ordinary passwords, enforce complexity if you have to. OpenID is just more complexity, which means more ways to fail.
Martin on May 4, 2009 7:14 AM

The dictionary he used was all the words of this blog.
And the password might be in http://www.softexia.com/news.php?readmore=4219
5t4ck0v3rfl0w +1
(today I heard it spoken! I mean, orange!)
(funny how, when you fail to enter the word,
you can't have it spoken again. Kafka was here)
fail
dude on May 4, 2009 7:18 AM

I'm curious - in what post did Jeff's OpenID choice get disclosed? It happened a few days ago but I haven't found it yet. Or maybe Jeff did some editing I didn't notice.
Adam V on May 4, 2009 7:19 AM

The most likely method I can think of is that you are a user of one of his/her websites and used the same password on both that site and your openid site.
Chas. Owens on May 4, 2009 7:20 AM

123456
Practicality on May 4, 2009 7:21 AM

@Adam V. it was on the Stack Overflow blog: http://blog.stackoverflow.com/2009/04/googles-openids-are-unique-per-domain/
Chas. Owens on May 4, 2009 7:22 AM

bahahahahaha
Joe Beam on May 4, 2009 7:32 AM

... cross site request attack on one of the sites you log in to? Perhaps the cookie he got also contained the id.
Herr_Alien on May 4, 2009 7:35 AM

He probably made you log into his page using your openid account and used some xss trickery to get your password.
ajuc on May 4, 2009 7:36 AM

Hm, I've re-read the mail.
The only reason I had the password is because your password is totally inadequate for someone running a site like StackOverflow
This doesn't seem to indicate XSS, or getting the password from another site, or Jeff mistakenly typing it anywhere. It seems more likely that the password was a fairly easy guess for anyone paying careful attention to Jeff's considerable web presence.
Which still doesn't really answer the question...
Ben on May 4, 2009 7:39 AM

OpenID: http://blog.stackoverflow.com/2009/04/googles-openids-are-unique-per-domain/
Password: http://www.codinghorror.com/blog/archives/001056.html
I didn't have time to read all the comments, so sorry if someone else addressed this.
I would argue that this password, typically for low-value logins like blog comments and so forth, is not low value. If someone did have a grudge and could start impersonating you in the comments on other blogs, that could seriously damage your reputation before you were able to start cleaning it up. Reputation is a rather high-value item, I think.
Stephen on May 4, 2009 7:41 AM

Was it something to do with this OAuth Security Vulnerability? http://oauth.net/advisories/2009-1
I'm not sure if he could get the victim (you) to follow the malicious link and validate his token though.
Jamie on May 4, 2009 7:44 AM

The dictionary could have been any word or phrase scraped from the blog transcript, twitter... or anywhere else Jeff has let loose.
jms on May 4, 2009 7:44 AM

I would guess you used the same password on another site, and the attacker was able to retrieve it from there.
Yevgeny on May 4, 2009 7:46 AM

Yes, Jeff should have had a higher-security password for StackOverflow. On the other hand, priorities can change when you're not thinking about them.
I had (and have) an account with Barnes & Noble, which I had a low-security password for. Then they changed things so they stored credit card data online, for my convenience. After a while, I realized that I had a low-security password on an account with credit card data, so anybody who knew (or could guess) my throwaway password could order books. It's better now.
(Not that my low-security passwords are actually easy, but they get used in lots of places, and have been emailed in plaintext.)
is it ********** ?
dedenf on May 4, 2009 7:51 AM

@Stephen
Blog comments aren't exactly a poster child for password security.
On most blogs, you can impersonate anyone you want. If you make it look more legitimate, it's still not non-repudiable.
Take this comment as an example. I could've supplied my username as you, and if you'd supplied a URL, I could have used that too, and then all evidence available to the public might point back at your site, but the content I'd written here would be mine, and could tarnish your silvery reputation.
(not) Stephen
Stephen on May 4, 2009 7:54 AM

BadMotherfucker
Pardon my French, but it's on Jeff's leatherman I think (I read the keychain post yesterday in relation to his wallet post)
Ate on May 4, 2009 7:54 AM

WhoringCoder?
Al Tenhundfeld on May 4, 2009 8:01 AM

Hah, it's not as simple as Fgpyyih804423, is it?
Jeroen on May 4, 2009 8:02 AM

Wow, IHeartBunnies!, nice.
dave on May 4, 2009 8:03 AM

Very interesting email, I should say. This guy, whoever it is, is a nice guy. I bet he should be rewarded for his honesty. I am not sure orange is the password; it is very easy to guess and very open. I guess the password might have been your kids' name or date of birth or your wife's name or birthday? But then again it may not be true, I suppose. I suppose this was just some random guess and it worked. Was it like SQL injection or buffer overruns (taking a hint from this post: http://www.codinghorror.com/blog/archives/001167.html)?
I am really eager to know this person and how he logged in as you. Will we know the name of this person too?
Anand.V.V.N on May 4, 2009 8:04 AM
Content (c) 2012 Jeff Atwood. Logo image used with permission of the author. (c) 1993 Steven C. McConnell. All Rights Reserved.