Questions about data breach and security follow-up
#1
Hi, after the data breach I have a few questions. I ask these questions not for criticism, but for future improvements. I appreciate the actions of all volunteers in the follow up of this incident.
  • Were users directly (by email) notified about the breach? I don't believe I personally received such a mail. In case this was not done, why not?
    • EU/UK regulations mandate such communications when the "data breach poses a high risk to those individuals affected". In your public statement you admit that you "must assume all passwords are compromised". So from that aspect this is certainly a high-risk situation.
    • Even though there is still room for interpretation here (for example: can a Kodi account ever be considered high risk?), I think you should err on the side of caution and responsibility and notify each user individually via mail.
  • I was notified through Have I Been Pwned, but this should not be the primary communication method, because this applies only to users who explicitly register there.
  • When resetting my password I receive a new password via insecure plain-text email. This is generally considered bad security design:
    • Passwords should never be sent via unencrypted mail/communications. This increases the chance of interception, passwords ending up in logging, and various issues like that.
    • A better design would be to provide a password reset link to an HTTPS URL where the user can input a new password.
    • A website should never store an unhashed and/or unsalted password. I don't think this is the case right now, but this is often what happened in the past with websites that sent plain-text passwords via mail, so this is still a red flag and causes doubts about security in general.
    • I am not forced to change the pre-generated password. This increases the risk that the password that was previously communicated insecurely somehow leaks but is still valid.
  • Can you provide more info about the planned penetration testing? Has this been done already, or can you at least confirm this will be communicated when it's done?
  • Penetration testing does not look at design flaws (like sending plain text passwords via mail). A general security audit might be good as well.
Edit: I realize I did not formulate everything as actual questions, but do please comment on the other remarks.
Reply
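Added example (not from the original poster, the Kodi team or MyBB): the reset-link design the post above asks for, in Python with only the standard library. The user is emailed an HTTPS URL carrying a random token, never a password; the server stores only a hash of the token, expires it after 30 minutes, accepts it once, and the user picks the new password themselves, which is stored as salted PBKDF2-HMAC-SHA256. The `https://forum.example.invalid/reset` endpoint, the in-memory `USERS` and `RESET_TOKENS` stores and the sample user are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 30 * 60   # a reset link should die quickly if it is not used
PBKDF2_ITERATIONS = 600_000   # slow, deliberately: raises the cost of offline guessing

# Constructed in-memory stores standing in for the forum's database tables.
USERS = {"alice": {"email": "alice@example.invalid", "pw_hash": None}}
RESET_TOKENS = {}  # sha256(token) -> {"user": ..., "expires": ...}


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as iterations$salt$hash (hex)."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time compare


def issue_reset_link(username: str, now: Optional[float] = None) -> Optional[str]:
    """Create a single-use reset link and return the URL to put in the email.

    Only sha256(token) is stored, so a leaked RESET_TOKENS table yields
    nothing an attacker can paste into the URL."""
    if username not in USERS:
        # The caller should answer identically in both cases so the form
        # cannot be used to discover which accounts exist.
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of entropy, never stored in clear
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "user": username,
        "expires": now + TOKEN_TTL_SECONDS,
    }
    # Hypothetical HTTPS endpoint; the token exists only in this URL.
    return f"https://forum.example.invalid/reset?token={token}"


def redeem_reset_token(token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
    """Exchange a token for a password change chosen by the user."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    record = RESET_TOKENS.pop(key, None)  # pop: a token can be used only once
    if record is None or now > record["expires"]:
        return False
    USERS[record["user"]]["pw_hash"] = hash_password(new_password)
    return True
```

Two points the emailed-password design cannot offer: a stolen or logged URL is worthless once it has been redeemed or has expired, and because the user types the new password into the HTTPS form, no valid credential ever travels through mail servers or ends up in mail logs.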
#2
Please respond, @Karellen @da-anda @yol
Reply
#3
Hey JoopNL,

Logistically, sending an email out to hundreds of thousands of users is tough. We spoke with haveibeenpwned.com and asked for advice, and he said it was admirable we wanted to email every user, but very difficult to do. We're not against it and still investigating; if anyone has expertise in this, please let us know.

The password concerns you brought up are MyBB issues; please bring them up with them. We did not design the forum software. We know it's not ideal, but this is what we use and how it's written, and we don't have any PHP devs to rewrite it, nor time/effort to maintain a fork of it.

I am not sure what 'planned penetration testing' you speak of. We are a group of volunteers with little budget; pen testing is expensive, as are security audits. We'd love to do both, but it's all money and time permitting.
Reply
#4
Not sure if this is intended to be commented on by the general user base, but if not I would recommend not posting it where everyone has the ability to comment.

That being said,

What I took away from the news post was that an administrative account was compromised, meaning the site was not penetrated. Therefore, in my own opinion, even though pen testing is good, it would not have mitigated this incident.

What may have mitigated it would be stricter password policies, which appears to have already been done. Perhaps those in control could introduce 2-factor the way GitHub does, where you need to verify yourself via your email (at least for IP addresses that have not been used previously).

As far as compromised passwords from the database:

If passwords were one-way hashed or encrypted, then anyone attempting to break down those passwords is in for a great deal of effort, likely leveraging dictionary attacks first, and likely anything not found from the dictionary will be ignored for the next few years.

Because not many enjoy leveraging GPUs to continuously hash doing a brute force, and after several hours weaker targets will take precedence, informing the users was good so that any shared passwords could be changed, likely before being broken by the above attempts.

Users with strong passwords should feel more at ease, but by no means completely at ease, and still should change them; there are government-funded groups with a lot of free time and computing power, so even those more secure could be compromised eventually.

If not already done, I might suggest team-kodi change the hashing mechanism from the default open-source one to an unknown one to increase the difficulty in breaking the hashes down; it's near impossible if you don't have your own copy.

It would not take too much effort and really doesn't require a full-fledged PHP developer to do it.
Reply
#5
Regarding a recommendation for alerting users to the breach, something like a newsletter would do it: https://community.mybb.com/mods.php?action=view&pid=211

And it might be pertinent to note that compromised passwords may belong to abandoned accounts where the user is still unaware of what happened but had also used their password for the email listed, which opens up a can of worms itself.

(Users are not to be trusted with security.)
Reply
#6
I asked MyBB and they said not to use their mass mailing tools to email a userbase as massive as ours; it will not work.

The problem isn't just a PHP developer; it's then maintaining those changes when new versions come out, or risking being stuck on an older version that's vulnerable in some other way.
Reply
#7
I would have thought breaking the user base down into chunks would work, a "no-clobber" clause.

True, it is a full-time job keeping changes in sync and keeping up with CVEs.

-----

If I have any good recommendations I'll post them.
Reply
#8
(2023-05-06, 15:03)JoopNL Wrote: A website should never store an unhashed and/or unsalted password. I don't think this is the case right now, but this is often what happened in the past with websites that sent plain-text passwords via mail, so this is still a red flag and causes doubts about security in general.

Passwords were both hashed and salted before; however, the default MyBB hashing is done with MD5.

(2023-05-11, 03:11)jepsizofye Wrote: If passwords were one-way hashed or encrypted, then anyone attempting to break down those passwords is in for a great deal of effort, likely leveraging dictionary attacks first, and likely anything not found from the dictionary will be ignored for the next few years.

Because not many enjoy leveraging GPUs to continuously hash doing a brute force, and after several hours weaker targets will take precedence, informing the users was good so that any shared passwords could be changed, likely before being broken by the above attempts.

Users with strong passwords should feel more at ease, but by no means completely at ease, and still should change them; there are government-funded groups with a lot of free time and computing power, so even those more secure could be compromised eventually.

Exactly. I'm no expert in these matters, but my understanding is MD5 can easily be cracked if it's a simple password, hence the forced reset of passwords, but even those with strong passwords would still be vulnerable to a determined attack. Included in the rebuild of the forum is that the hashing is now done with the most modern and secure algorithm available to us on the MyBB software.

(2023-05-11, 03:11)jepsizofye Wrote: Perhaps those in control could introduce 2-factor the way GitHub does, where you need to verify yourself via your email (at least for IP addresses that have not been used previously).

Yes 2FA is now in place.
Reply
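Added example (not from anyone in this thread and not MyBB's code): what moving a forum from salted MD5 to a modern algorithm looks like in practice, in standard-library Python. The legacy scheme here is a constructed `md5(salt + password)` stand-in, not MyBB's exact formula, and PBKDF2-HMAC-SHA256 is my choice of replacement since the thread does not name the algorithm the rebuild adopted. Existing hashes cannot be converted without the plaintext, so the upgrade happens opportunistically at the moment a user logs in successfully, and a count of rows still on the old scheme shows why a forced reset is the necessary complement for accounts that never come back.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List

PBKDF2_ITERATIONS = 600_000


def legacy_salted_md5(password: str, salt: str) -> str:
    # Constructed stand-in for a salted-MD5 scheme; NOT MyBB's exact formula.
    # It reproduces the property that matters: MD5 is fast, so a leaked table of
    # salted MD5 hashes is cheap to attack offline, salt or no salt.
    return hashlib.md5((salt + password).encode()).hexdigest()


def modern_hash(password: str) -> str:
    """PBKDF2-HMAC-SHA256, random 16-byte salt, self-describing encoded form."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_modern(password: str, stored: str) -> bool:
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def make_legacy_record(password: str) -> Dict[str, str]:
    """Constructed sample row in the old format, as a pre-migration table would hold it."""
    salt = secrets.token_hex(4)
    return {"scheme": "legacy_md5", "salt": salt,
            "hash": legacy_salted_md5(password, salt)}


def login(record: Dict[str, str], password: str) -> bool:
    """Verify against whichever scheme the row uses.

    A successful login against a legacy hash is the only moment the server
    holds the plaintext, so the row is re-hashed with the modern KDF right
    then and the MD5 value is discarded."""
    if record["scheme"] == "legacy_md5":
        expected = legacy_salted_md5(password, record["salt"])
        if not hmac.compare_digest(expected, record["hash"]):
            return False
        record["scheme"] = "pbkdf2_sha256"
        record["hash"] = modern_hash(password)
        record["salt"] = ""  # the salt now lives inside the encoded hash
        return True
    return verify_modern(password, record["hash"])


def count_legacy(records: List[Dict[str, str]]) -> int:
    """Migration progress check: rows still holding an MD5 hash.

    Accounts that never log in never upgrade, which is why the forced reset
    described in the thread is the complement to opportunistic re-hashing."""
    return sum(1 for r in records if r["scheme"] == "legacy_md5")
```

Running `count_legacy` over the user table periodically gives the team a concrete number for when the old hashes are gone; anything left after the reset deadline is a candidate for invalidating the hash outright rather than leaving MD5 material in the database.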