OVH Hacked - Page 2
Comments

  • kryps Member
    edited April 2013

    OVH has acknowledged that they had a vulnerability in the generation of the random URLs used for password resets in their control panel, and that this vulnerability was used to gain access to those servers.

    Maybe someone who understands French better than I do can fill in the details.

    http://forum.ovh.com/showthread.php?t=88277

  • @kryps said: Maybe someone who understands French better than I do can fill in the details.

    Only OVH would type it up in French.

  • So it is confirmed they were hacked due to OVH, not poor security on their part.

  • fly Member

    @dragontamer said: I do question Slush's decision however. He seems hellbent at not owning servers of his own. He rented from Linode till his first server got hacked. Then he rented from OVH, and now he's moved to Amazon Web Services.

    well, this way he can blame others when his shiz gets compromised.

  • @fly said: well, this way he can blame others when his shiz gets compromised.

    Linode
    OVH
    Refusal to colocate

    Some folks point at the providers, this guy sounds like a typical LEB/LET user looking to go the cheapest route

  • shovenose Member, Host Rep

    I would not say Linode is "the cheapest route"

  • No it is not, but cheaper than spending a couple of grand on servers, getting someone to manage it, and then Bitcoin falls apart and you're left holding 2 grand worth of worthless servers!

  • shovenose Member, Host Rep

    True :)

  • nickvanw Member
    edited April 2013

    Translation from French:
    Hi. To change your password, you have to go to the OVH website and ask for a change for a given id. An email is sent to the email address associated with the id, which includes a unique URL. This URL is randomly generated with 21 characters, produced by 3 different randomness algorithms each generating 7 characters. The client who receives the email can then click on the link and get a new password for his id. A confirmation email is sent announcing the change of password. In all emails sent, OVH includes the IP of the person who made the request.

    This is a procedure that was set up 7 years ago and hasn't changed since.
    On April 26th, we discovered internally an issue with the function that generates the 21 characters. Two of the three random functions were generating a not-so-random string. It was hence possible to ask for a password change and then brute-force the password reset URL. This problem was found by one of our developers on April 26th at 11:03:14 and was fixed at 12:54:13. The origin of this problem was linked to the rand() function used in this part of the code, which hadn't been patched to the same level as the rest of the code when we activated the script execution cache (?). We have replaced the old function returning 21 characters from 3 "random" functions with a new function using two really random functions, each providing 64 characters.

    We then started searching our databases to check whether the vulnerability had been exploited, and when it could have been. To do that, we looked at 3 years of password reset history. We are authorized by the CNIL (Commission nationale de l'informatique et des libertés, the French agency regulating databases containing personal data) to archive and use all logs for the last 10 years, specifically for this kind of issue.

    We found 3 active ids which had a password reset done by brute force. These three occurrences were targeted attacks against a part of the "bitcoin" community that uses OVH. The hacker seems to have found the flaw on April 23rd at 22:00, and did a lot of testing for one hour to make his method work. At 23:00, his method was working and he hacked the first id, then the two other ids the following day, still for bitcoin-related sites. We have been in contact with these clients, but the quality of our exchanges did not allow us to get enough information that would help reveal a vulnerability on our side. Our developers, in a completely independent way, found the issue mentioned above, and only then did we realise that there was a link between our flaw and these 3 customers. We certainly have something to learn here about the best way to ensure dialogue with clients about this kind of issue.

    It took us some time to communicate on the subject, because we quickly realised that the impact was very limited (3 customers) and we wanted to take enough time to verify everything in depth and make sure that this had not impacted any other customers. Having finished our search today going back three years, we can now assert that no other customers have seen this issue. We are going back 10 years now, but the probability that this happened earlier is null.

    I think that despite the small impact for our customers, it was our duty to inform everybody of this security incident that we had to deal with last week. We have added a code-review process for some very old code that hasn't been rewritten for years, to check that there are no other similar issues. We are also trying to see how we can improve communication with clients for this kind of incident, knowing that 2 of the 3 customers are actually customers of our affiliates/branches.

    TL;DR: Yes, we had a security vulnerability allowing a password change using a complex brute-force procedure. We advise all clients running critical services to restrict access to the manager to specific IPs only. Yes, 3 clients of the bitcoin community have been impacted by this security flaw. It is very important to read the emails that OVH sends automatically, especially the password-change notification emails, when they weren't initiated by you. If you see a request for a password change that you haven't initiated, you should call our 24/7 incident support, which will block your account until everything is clear. No, our client database hasn't been compromised. No, there was no impact on clients other than these 3.

    We are deeply sorry for the three customers that have been impacted, and invite them to contact our commercial team (in French).

    Regards, Octave
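The generator defect described in the translated post above (a 21-character reset URL built from three 7-character segments, two of them from a predictable rand() source) is worth seeing in code. The following is an added example written for this page, not OVH's code. The weak source is modelled as a PRNG re-seeded on every request from a value with only 100 possible states; that, the 62-character alphabet, the SEED_SPACE constant and the token_urlsafe replacement are the example's own assumptions, since the post does not say what the actual rand() defect was. It shows the audit a practitioner would run against their own token generator (distinct values observed per segment position), how an attacker who can trigger a reset for an account they control recovers the low-entropy state and with it the 14 predictable characters of a victim's token, and why the attacker's work drops from 62^21 to |seed space| x 62^7.

```python
"""Toy model of the reset-URL weakness described in the post: a 21-character token
made of three 7-character segments, two of which come from a low-entropy generator.
Constructed example for illustration; not OVH code."""
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols (assumption)
SEG_LEN = 7
# Assumption standing in for the unspecified rand() defect: on each request the
# legacy generator is re-seeded from a value that can take only 100 distinct states.
SEED_SPACE = range(100)


def weak_segment(seed):
    """7 characters from a deterministic PRNG seeded with a low-entropy value."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(SEG_LEN))


def strong_segment():
    """7 characters from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(SEG_LEN))


def legacy_token(seed):
    """Layout from the post: two weak segments and one strong one, 21 chars total.
    Both weak segments derive from the same per-request seed."""
    return weak_segment(seed) + weak_segment(seed + 1) + strong_segment()


def hardened_token():
    """Replacement: a single CSPRNG draw, 48 bytes -> 64 URL-safe characters."""
    return secrets.token_urlsafe(48)


def audit(tokens, seg_len=SEG_LEN):
    """Distinct values observed at each seg_len-wide position across many tokens.
    A healthy position shows about len(tokens) distinct values; a collapsed one far fewer."""
    n_seg = len(tokens[0]) // seg_len
    return [len({t[i * seg_len:(i + 1) * seg_len] for t in tokens}) for i in range(n_seg)]


def nominal_bits():
    """Entropy the 21-char token appears to have if every character were uniform."""
    return 3 * SEG_LEN * math.log2(len(ALPHABET))


def attacker_bits(seed_states=len(SEED_SPACE), strong_segments=1):
    """Work an attacker who knows the generator actually faces: enumerate the seed
    states, then only the genuinely random segment(s)."""
    return math.log2(seed_states) + strong_segments * SEG_LEN * math.log2(len(ALPHABET))


def recover_seed(own_token):
    """Attacker step: request a reset for an account they control, then search the
    seed space until the 14 weak characters of their own token are reproduced.
    That seed predicts the weak characters of a victim's token minted in the same
    state, leaving only the 7 strong characters to brute-force."""
    prefix = own_token[:2 * SEG_LEN]
    for s in SEED_SPACE:
        if weak_segment(s) + weak_segment(s + 1) == prefix:
            return s
    return None


if __name__ == "__main__":
    legacy = [legacy_token(random.randrange(len(SEED_SPACE))) for _ in range(2000)]
    print("legacy distinct values per segment:  ", audit(legacy))
    hardened = [hardened_token() for _ in range(2000)]
    print("hardened distinct values per segment:", audit(hardened))
    print("nominal bits: %.1f, attacker bits: %.1f" % (nominal_bits(), attacker_bits()))
    print("seed recovered from attacker's own token:", recover_seed(legacy_token(42)))
```

Run it and compare the two audit lines: the legacy generator shows at most 100 distinct values in each of its first two segments against roughly 2000 in the third, while the hardened generator shows roughly 2000 at every position. The same audit is a cheap regression test for any code path that mints reset or session tokens, and it is exactly the kind of check that catches a PRNG regression introduced by a runtime or caching change. The post's operational advice, restricting manager access to known IPs and acting on unexpected reset emails, bounds the damage if the generator fails anyway.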

  • At least they admitted it.

  • Yes, but the fact that they "accidentally" decided to check the function and the logs just 3-4 days after the compromises sounds a little odd. They should probably also buy a lottery ticket.

  • Sunshine Member
    edited April 2013

    Thank you, @kryps @nickvanw

  • Awmusic12635 Member, Host Rep

    If you are running a project such as that, why would you even consider hosting it with OVH?

  • @Fliphost said: If you are running a project such as that, why would you even consider hosting it with OVH?

    It's cheap!!!!!!!!!!! Cheap = BETTER!!!!!!

  • Maounique Host Rep, Veteran

    @Fliphost said: If you are running a project such as that, why would you even consider hosting it with OVH

    This. And also, now moving to servers controlled by US gov't ??? This is insane and they are asking for trouble.

  • William Member

    a locked half/fullrack in a secure DC (or, as he is in CZ, probably even possible at his home) and the problem would be solved...

  • dragontamer Member
    edited May 2013

    Some folks point at the providers, this guy sounds like a typical LEB/LET user looking to go the cheapest route

    Well, I'm glad we can agree on one thing at least. If he seriously goes to Amazon Web Services after all of this crap, it's his own damn fault. Even if it is Amazon's fault, it's his fault as well for refusing to own his own hardware.

  • rds100 Member

    Well, not owning the hardware is in some cases desired, i.e. when there is a chance that some government agency might want to seize the hardware.

  • DewlanceVPS Member, Patron Provider
    edited May 2013

    @doughmanes said: You should license Autoboot (TM) to OVH

    OK, why is OVH responsible for this?

    You are responsible for your server security, so why is OVH responsible for the hacking?

  • Syed Member

    @DewlanceVPS said: OK, why is OVH responsible for this?

    You are responsible for your server security, so why is OVH responsible for the hacking?

    Are you serious right now? The vulnerability was in OVH's password reset system; it had nothing to do with the security of the server or lack thereof.

  • DewlanceVPS Member, Patron Provider

    @Syed said: Are you serious right now? The vulnerability was in OVH's password reset system; it had nothing to do with the security of the server or lack thereof.

    Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh

  • rsk Member, Patron Provider

    @rds100 said: They should probably also buy a lottery ticket.

    Hahaha, you just made my day :)

  • William Member

    Someone put a lot of effort into it and made not much profit, so I guess you can call it failed :)

  • TheLinuxBug Member
    edited May 2013

    @nickvanw said: We certainly have something to learn here about the best way to ensure dialog with clients about this kind of issue.

    How about, as a first step, you stop releasing your 'announcements' in French only so non-French-speaking customers can actually read your announcements. No offense, but most of the tech industry speaks and writes English (even if it is a second language). Also, in my experience French doesn't translate that well in Google Translate.

    /rant

  • @TheLinuxBug said: How about, as a first step, you stop releasing your 'announcements' in French only so non-French-speaking customers can actually read your announcements. No offense, but most of the tech industry speaks and writes English (even if it is a second language). Also, in my experience French doesn't translate that well in Google Translate.

    This. I've noticed it's mostly a French thing (Online.net etc.)

  • rds100 Member

    I believe there is some law in France for protecting the language that says they must use French. Which shouldn't be stopping them from translating it to English and posting both versions, I think.

  • @rds100 said: I believe there is some law in France for protecting the language that says they must use French. Which shouldn't be stopping them from translating it to English and posting both versions, I think.

    http://en.wikipedia.org/wiki/Toubon_Law

  • @MrAndroid said: http://en.wikipedia.org/wiki/Toubon_Law

    In 2006 the French subsidiary of the US company General Electric Medical Systems was fined €500,000 plus an ongoing fine of €20,000 per day for not complying with the Toubon law.

    LOL

  • MrAndroid Member
    edited May 2013

    Use Google Chrome Translate on these, they're funny. They really go overboard with trying to protect their dying language.

    http://fr.wikipedia.org/wiki/Prix_de_la_carpette_anglaise
    http://fr.wikipedia.org/wiki/Défense_de_la_langue_française
    http://fr.wikipedia.org/wiki/Avenir_de_la_langue_française
