Posted on April 25, 2017 at 1:04 PM
A vulnerability in a software library used by the HipChat.com service gave attackers access to many private conversations between the service's customers, as well as to their account information.
A HipChat.com spokesperson stated on Monday that a security breach had occurred and that the server powering the cloud-hosted chat service was the target of the attack. During the breach, some user data was stolen, including names, hashed passwords and email addresses, as well as several conversations between app users.
The company decided not to disclose exactly how the service's passwords were hashed, but stated that a complete password reset was carried out in case the password hashes could be broken. It also stated that all affected users would be notified by email.
Ganesh Krishnan, their chief security officer, stated that “As a precaution, we have invalidated passwords on all HipChat-connected user accounts and sent those users instructions on how to reset their passwords.” HipChat.com users who did not receive such an email shouldn't worry, since that most likely means they weren't affected by the attack.
The details of the attack, such as which programming flaw the attacker or attackers exploited to gain access to the cloud server, are still unknown, since HipChat has not released that information. All the company has said about the attack is that the incident involved an apparently popular third-party library used by HipChat.com.
When asked about this, Krishnan acknowledged that HipChat Server uses third-party libraries, but said they are for the most part organized in a way that minimizes the risk of this type of attack. He also said that an update is being prepared and will be made available to all of HipChat's customers, delivered directly to them through the standard update channel.
Further investigation uncovered a recent and apparently major security fix for one of the third-party libraries used by Atlassian products: Struts 2 was patched to remove remote-code-execution vulnerabilities with the potential to be exploited in the wild. The flaw was rated ‘critical’, and the bug was found in HipChat.
With this in mind, one theory about the hack is that one of HipChat's cloud boxes, running a HipChat Server with the vulnerable library, was compromised by criminals exploiting Struts 2.
Krishnan stated that there is no evidence the attacker had access to anything related to users' financial information, even though the conversations themselves may have been accessed.