Hacker Gains Admin Control of Sourcegraph and Gives Free Access To the Masses (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: An unknown hacker gained administrative control of Sourcegraph, an AI-driven service used by developers at Uber, Reddit, Dropbox, and other companies, and used it to provide free access to resources that normally would have required payment. In the process, the hacker(s) may have accessed personal information belonging to Sourcegraph users, Diego Comas, Sourcegraph's head of security, said in a post on Wednesday. For paid users, the information exposed included license keys and the names and email addresses of license key holders. For non-paying users, it was limited to email addresses associated with their accounts. Private code, emails, passwords, usernames, or other personal information were inaccessible.
The hacker gained administrative access by obtaining an authentication key a Sourcegraph developer accidentally included in code published to a public Sourcegraph instance hosted on Sourcegraph.com. After creating a normal user Sourcegraph account, the hacker used the token to elevate the account privileges to those of an administrator. The access token appeared in a pull request posted on July 14, the user account was created on August 28, and the elevation to admin occurred on August 30. "The malicious user, or someone connected to them, created a proxy app allowing users to directly call Sourcegraph's APIs and leverage the underlying LLM [large language model]," Comas wrote. "Users were instructed to create free Sourcegraph.com accounts, generate access tokens, and then request the malicious user to greatly increase their rate limit. On August 30 (2023-08-30 13:25:54 UTC), the Sourcegraph security team identified the malicious site-admin user, revoked their access, and kicked off an internal investigation for both mitigation and next steps."
The resource free-for-all generated a spike in calls to Sourcegraph programming interfaces, which are normally rate-limited for free accounts. "The promise of free access to Sourcegraph API prompted many to create accounts and start using the proxy app," Comas wrote. "The app and instructions on how to use it quickly made its way across the web, generating close to 2 million views. As more users discovered the proxy app, they created free Sourcegraph.com accounts, adding their access tokens, and accessing Sourcegraph APIs illegitimately." [...] While most data was available for all paid and community users, the number of license keys exposed was limited to 20.
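The root cause above is a credential committed to code that was then published. The check a practitioner would want is one that runs on the diff before it is pushed, so the token never reaches the public instance. The following is an added example written for this page, not Sourcegraph's tooling or code from the Ars Technica report: a small unified-diff scanner that flags added lines carrying known token prefixes or a secret-looking assignment with a high-entropy value, and suppresses obvious placeholders so it can run as a pre-commit hook without drowning in false positives. The "sgp_" prefix for Sourcegraph access tokens is an assumption made for the example; the sample diff, file names and token values are constructed.

```python
"""Scan a unified diff for credentials before it leaves the developer's machine.

Added example for this page, not Sourcegraph's own code. The sample diff below
is constructed; the "sgp_" Sourcegraph token prefix is an assumption.
"""
import math
import re
from dataclasses import dataclass

# Known token formats. GitHub "ghp_" and AWS "AKIA" prefixes are documented;
# "sgp_" for Sourcegraph access tokens is assumed for this example.
PREFIX_RULES = {
    "sourcegraph-access-token": re.compile(r"\bsgp_[A-Za-z0-9_]{20,}"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Generic rule: a secret-looking identifier assigned a long opaque value.
# "[:=]{1,2}" also covers Go's ":=" short declaration.
ASSIGNMENT_RULE = re.compile(
    r"(?i)(token|secret|password|passwd|api[_-]?key)\w*\s*[:=]{1,2}\s*"
    r"['\"]?([A-Za-z0-9+/=_\-]{20,})"
)

ENTROPY_THRESHOLD = 3.5  # bits/char: random hex is ~4.0, random base64 ~5.5
PLACEHOLDER_WORDS = ("your", "example", "placeholder", "changeme", "xxxx", "dummy")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int      # line number in the NEW version of the file
    rule: str
    preview: str   # redacted: the scanner must never log the full secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    n = len(s)
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(value: str) -> bool:
    low = value.lower()
    return any(w in low for w in PLACEHOLDER_WORDS)


def candidates(line: str):
    """Yield (rule, value) pairs for one added line, deduplicated by value."""
    seen = set()
    for rule, rx in PREFIX_RULES.items():
        for m in rx.finditer(line):
            if m.group(0) not in seen:
                seen.add(m.group(0))
                yield rule, m.group(0)
    for m in ASSIGNMENT_RULE.finditer(line):
        value = m.group(2)
        if value not in seen:
            seen.add(value)
            yield "high-entropy-assignment", value


def scan_diff(diff: str) -> list[Finding]:
    """Walk a unified diff, tracking file path and new-file line numbers."""
    findings: list[Finding] = []
    path, new_line = "<unknown>", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
            continue
        if raw.startswith(("--- ", "diff --git", "index ", "\\ No newline")):
            continue
        m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
        if m:
            new_line = int(m.group(1))
            continue
        if raw.startswith("-"):
            continue  # removed line: not shipped, does not advance new numbering
        if raw.startswith("+"):
            for rule, value in candidates(raw[1:]):
                # Drop placeholders and low-entropy strings to keep the hook quiet.
                if looks_like_placeholder(value) or shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue
                findings.append(Finding(path, new_line, rule, value[:8] + "..."))
        new_line += 1  # added and context lines both occupy a line in the new file
    return findings


# Constructed diff: a Go file with a hard-coded token, an .env file with a
# generated password, and a README placeholder that must NOT fire.
SAMPLE_DIFF = """\
diff --git a/cmd/debug/main.go b/cmd/debug/main.go
--- a/cmd/debug/main.go
+++ b/cmd/debug/main.go
@@ -10,3 +10,5 @@ func main() {
 \tclient := newClient()
+\t// TODO remove before merge
+\tadminToken := "sgp_f2a9c41e7b3d5068e1c9a4b7d2f6e3a8"
 \trun(client, adminToken)
 }
diff --git a/deploy/.env b/deploy/.env
--- a/deploy/.env
+++ b/deploy/.env
@@ -1,2 +1,3 @@
 APP_ENV=production
+DATABASE_PASSWORD=Zq8vN3kLp2XrT9wYbH6mJd4FcG7sA1eU
 LOG_LEVEL=info
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,2 +1,3 @@
 # Example
+Set SRC_ACCESS_TOKEN=your-token-here-xxxxxxxx before running.
 Then run make.
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.path}:{f.line}: {f.rule} ({f.preview})")
```

Feeding the output of `git diff --cached` to `scan_diff` and refusing the commit on any finding turns this into a pre-commit hook; the same function run in CI over the pull request diff catches what a developer's hook missed. The entropy threshold is the knob that trades false positives for misses: hex tokens sit near 4.0 bits per character, so a threshold much above that would have let a token like the constructed one through.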
Well, time will tell (Score:4, Informative)
"Private code, emails, passwords, usernames, or other personal information were inaccessible."
It's amazing how that is always what companies confidently state when a breach is first announced. Then, over the subsequent weeks and months (and occasionally even years), we gradually hear amendments... "a small number of encrypted passwords may have been collected, but there's no way for the hacker to access the actual password"... followed by "for a few accounts, the hacker may have been able to access social security numbers and plain text passwords; but that was only for some very old accounts"... then eventually "the hacker pretty much got unfettered access to every user's account password, social security number, children's names and schools, spouses' medical histories - all in clear text".
put credentials in publicly available code? (Score:3)
Putting credentials in publicly available code is really bad. Now, do they also have, say, dev and prod using the same keys as well?
This sound like an ad to anybody else? (Score:4, Funny)
Never heard of 'SourceGraph' until now.
onus (Score:2)
It always intrigues me that these articles put all the blame on a hacker - the wrong term here but I digress - while instead the company being subjected is the one that actually made the crack possible by doing an extremely stupid thing: exposing credentials to the public. But I get it. It's easier to blame someone else for one's stupidity...