Hello, we’ve recently set up a Discourse forum with SSO.
Now one of our users claims to be a hacker and I believe it’s actually legit.
He has given me screenshots of the user database which matches exactly with the Discourse database.
So he has emails and IP addresses from all our users.
The reason it must be from Discourse is because our own database stores different IP addresses and doesn’t have flag_level.
I’d like to get in contact with a developer or someone experienced so that the security issues can be resolved.
It really shouldn’t be possible for anyone to hack into the forum to access private data from all users.
The image on the right is the one the hacker sent us and the one on the left is from the data explorer on our site. (We just installed that to find out if it came from the forum; it wasn’t installed before.)
I blurred most of it, but as you can see the stuff that isn’t blurred matches the forum.
– screenshot removed (no longer relevant) –
It’s either the forum itself or SSO, but there’s obviously a security breach, and I really hope an expert can contact me so that it can be resolved.
We only have 3 admins, of which 2 haven’t really done anything on the forum, and the other is me.
And the system user too.
But I can’t find anything in the logs that I haven’t done; it’s mostly customization actions.
I also exported the log and searched for ‘export’ or anything like that and no results at all.
The data the hacker has provided seems to be live data because all the IPs match exactly with the ones logged in Discourse.
I just checked, and we only log the creation of new backups as “backup operation”. If you have existing scheduled backups in /admin/backups, simply downloading a backup from there is not explicitly logged. But it is only possible for an admin, for sure.
The log for the download would be in your nginx logs, of course.
(cc @zogstrip I think db downloads should be forced through a redirect link so we can log them.)
I notice that the site does not use HTTPS. If you ever access your forum via an unencrypted Wifi network, anybody near you may read your session token and/or read the login data of the SSO site, if it doesn’t use HTTPS either (which it doesn’t).
PS: Actually, your site redirects from HTTPS to HTTP:
Only I and a few other developers could know the key.
The SSO page needs to know the key too obviously but I doubt that anyone could find the key on our SSO page.
I posted my SSO page above, do you see anything wrong with that?
I assume if there would be an issue with SSO it would be within the authentication itself and not the SSO page.
We haven’t really been able to find anything; we sifted through a lot of stuff to find out how the hacker got the private data.
And then we checked the forum and found the data match.
But now we have to figure out how he got the data from the forum obviously.
Yeah, we had to do that for our main site because it’s for a game which uses websockets, and quite a lot of people were experiencing issues when we used HTTPS for websockets.
Alright, sorry for the trouble guys.
Managed to talk some more to the hacker, and he has given me all the information on how he did everything.
And it turns out he managed to get the password of one of the other admins and downloaded the backup with that account.
It’d be nice if you could add it to the logs so it’s easier to detect this kind of stuff.
Maybe even put in an option to send a notification to all admins if a backup is being downloaded.
We have some logging: the system user will notify the user that it created the backup. You can look at those messages. But … there is no logging each time a backup is downloaded.
We should expand the backups page to display IP address, time and admin name whenever any backup is downloaded.
Additionally, I feel we should be somewhat more restrictive with admin accounts: when admins log in from a new IP, we should send an email to said admin notifying them that a new IP accessed the account. This would at least alert us much, much earlier of stuff like this. In a hyper-secure mode each new IP should be vetted.
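Until backup downloads are recorded in the admin log, the only record of them is the web server access log, as noted earlier in the thread. The following is an added example (not Discourse code, and not from anyone in this thread) of the check an admin can run today over the nginx access log: it lists every successful backup download with its IP and time, and separately reports any IP that touched `/admin/` paths but is not in a list of known admin IPs, which approximates the new-IP alerting suggested above. It assumes the standard nginx "combined" log format and that backup files are served at `/admin/backups/<file>.tar.gz` (optionally with a query string); the log lines below are constructed sample data, not real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in nginx "combined" format (not real traffic).
# One legitimate admin, one unknown IP that fetched a backup, and one
# unknown IP whose download attempt failed with 404.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2016:14:02:11 +0000] "GET /admin/backups HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2016:14:02:40 +0000] "GET /admin/backups/forum-2016-03-10-030000.tar.gz HTTP/1.1" 200 734003200 "-" "Mozilla/5.0"
198.51.100.77 - - [10/Mar/2016:22:17:03 +0000] "GET /admin/backups/forum-2016-03-10-030000.tar.gz HTTP/1.1" 200 734003200 "-" "curl/7.47.0"
198.51.100.77 - - [10/Mar/2016:22:18:55 +0000] "GET /t/welcome/1 HTTP/1.1" 200 8123 "-" "curl/7.47.0"
192.0.2.9 - - [11/Mar/2016:09:00:01 +0000] "GET /admin/backups/forum-2016-03-11-030000.tar.gz HTTP/1.1" 404 152 "-" "Mozilla/5.0"
"""

# nginx "combined" format: ip ident user [time] "method path proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumed URL shape for a backup download (Discourse serves backup files
# under /admin/backups/); adjust if your instance differs.
BACKUP_RE = re.compile(r'^/admin/backups/[^/?]+\.tar\.gz(\?.*)?$')


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['time'] = datetime.strptime(rec['time'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    rec['size'] = 0 if rec['size'] == '-' else int(rec['size'])
    return rec


def backup_downloads(log_text):
    """Return (ip, time, path) for every *successful* backup download.

    Failed attempts (non-200) are excluded here; they still show up in
    unknown_admin_ips() below, which is where a 404 from a stranger matters.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec['method'] == 'GET'
                and BACKUP_RE.match(rec['path']) and rec['status'] == 200):
            hits.append((rec['ip'], rec['time'], rec['path']))
    return hits


def unknown_admin_ips(log_text, known_ips):
    """Map each IP that touched an /admin/ path, and is not in known_ips,
    to the set of admin paths it requested (any status code)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec['path'].startswith('/admin/') and rec['ip'] not in known_ips:
            seen[rec['ip']].add(rec['path'])
    return dict(seen)


if __name__ == '__main__':
    for ip, when, path in backup_downloads(SAMPLE_LOG):
        print(f"{when.isoformat()} {ip} downloaded {path}")
    for ip, paths in unknown_admin_ips(SAMPLE_LOG, {'203.0.113.5'}).items():
        print(f"unknown IP {ip} hit admin paths: {sorted(paths)}")
```

Run it against the real file with `backup_downloads(open('/var/log/nginx/access.log').read())`. If the forum sits behind a reverse proxy or CDN, the first field is the proxy's address, so either configure nginx's `real_ip` handling or parse the `X-Forwarded-For` header instead, otherwise every download will appear to come from the proxy.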