Open source WineHQ database breached
Emails, passwords of AppDB, Bugzilla users stolen
Computerworld - For the second time in two months, a major open-source project has been breached. This time, the victim is the WineHQ project, which manages Wine, an open-source technology that lets users install and run Windows applications on Linux, Mac, Solaris and other operating systems.
WineHQ earlier this week disclosed that someone had managed to break into one of its database systems and gain access to an open-source PHP tool that allows remote management of databases.
In a note announcing the flaw, Wine developer Jeremy White said it's unclear how the intruder was able to gain unauthorized access to the PHP utility. "It was either by compromising an admin's credentials, or by exploiting an unpatched vulnerability in phpmyadmin," White wrote.
White is also the founder and CEO of Codeweavers, a company that sponsors the Wine project.
WineHQ had "reluctantly" decided to allow application developers to remotely access the PHP utility because it is "a very handy tool, and something they very much wanted," White said. "But it is a prime target for hackers, and apparently our best efforts at obscuring it and patching it were not sufficient."
According to White, there appears to be no immediate evidence of harm to any databases, though it would have been relatively easy for malicious hackers to cause damage.
However, the attackers managed to harvest all the login information of users of the Wine Application Database (AppDB) and Bugzilla, the WineHQ bug tracking system, White added. "This means that they have all of [the email addresses], as well as the passwords," of AppDB and Bugzilla users, he said.
"The passwords are stored encrypted, but with enough effort and depending on the quality of the password, they can be cracked," White said. "This, I'm afraid, is a serious threat; it means that anyone who uses the same email/password on other systems is now vulnerable to a malicious attacker using that information to access their account."
WineHQ is resetting the passwords of all affected users, he added.
WineHQ is the second open-source project to be breached in the past two months. In August, hackers broke into Kernel.org, the home of the Linux project, and gained administrative access to several servers within the Kernel.org infrastructure.
That breach led to a subsequent breach that resulted in several websites, including Linux.com and LinuxFoundation.org, being pulled offline in September.
WineHQ is hosted on SourceForge, an open-source software development site that hosts more than 260,000 open-source projects. SourceForge itself was hacked in January in an attack that some believe might have been intended to corrupt projects hosted on the site. It wasn't immediately clear if this week's WineHQ breach was related in any way to the attack on SourceForge. White did not immediately respond to a request for comment.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is firstname.lastname@example.org.