An exposed password let a hacker access internal Comodo files

omidomi

Level 71
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Apr 5, 2014
6,008
A hacker gained access to internal files and documents owned by security company and former SSL certificate issuer Comodo by using an email address and password mistakenly exposed on the internet.
The credentials were found in a public GitHub repository owned by a Comodo software developer. With the email address and password in hand, the hacker was able to log into the company’s Microsoft-hosted cloud services. The account was not protected with two-factor authentication.
A hacker gained access to internal files and documents owned by security company and former SSL certificate issuer Comodo by using an email address and password mistakenly exposed on the internet.
The credentials were found in a public GitHub repository owned by a Comodo software developer. With the email address and password in hand, the hacker was able to log into the company’s Microsoft-hosted cloud services. The account was not protected with two-factor authentication.
Jelle Ursem, a Netherlands-based security researcher who found the credentials, contacted Comodo vice president Rajaswi Das by WhatsApp to secure the account. The password was revoked the following day.
Ursem told TechCrunch that the account allowed him to access internal Comodo files and documents, including sales documents and spreadsheets in the company’s OneDrive — and the company’s organization graph on SharePoint, allowing him to see the team’s biographies, contact information (including phone numbers and email addresses), photos, customer documents, calendars and more.

He also shared several screenshots of folders containing agreements and contracts with several customers — with the names of customers in each filename, such as hospitals and U.S. state governments. Other documents appeared to be Comodo vulnerability reports. Ursem’s cursory review of the data did not turn up any customer certificates private keys, however.
“Seeing as they’re a security company and give out SSL certificates, you’d think that the security of their own environment would come first above all else,” said Ursem. (Comodo has not been an SSL certificate issuer for several years.)
But according to Ursem, he wasn’t the first person to find the exposed email address and password.
“This account has already been hacked by somebody else, who has been sending out spam,” he told TechCrunch. He shared a screenshot of a spam email sent out, purporting to offer tax refunds from the French finance ministry.
We reached out to Comodo for comment prior to publication. A spokesperson said the account was an “automated account used for marketing and transactional purposes,” adding: “The data accessed was not manipulated in any way and within hours of being notified by the researcher, the account was locked down.”
It’s the latest example of exposed corporate passwords found in public GitHub repositories, where developers store code online. All too often developers upload files inadvertently containing private credentials used for internal-only testing. Researchers like Ursem regularly scan repositories for passwords and report them to the companies, often in exchange for bug bounties.
Earlier this year Ursem found a similarly exposed set of internal Asus passwords on an employee’s GitHub public account. Uber was also breached in 2016 after hackers found internal credentials on GitHub.
Updated to correct that Comodo no longer issues SSL certificates.
 

notabot

Level 15
Verified
Oct 31, 2018
703
A hacker gained access to internal files and documents owned by security company and former SSL certificate issuer Comodo by using an email address and password mistakenly exposed on the internet.
The credentials were found in a public GitHub repository owned by a Comodo software developer. With the email address and password in hand, the hacker was able to log into the company’s Microsoft-hosted cloud services. The account was not protected with two-factor authentication.
A hacker gained access to internal files and documents owned by security company and former SSL certificate issuer Comodo by using an email address and password mistakenly exposed on the internet.
The credentials were found in a public GitHub repository owned by a Comodo software developer. With the email address and password in hand, the hacker was able to log into the company’s Microsoft-hosted cloud services. The account was not protected with two-factor authentication.
Jelle Ursem, a Netherlands-based security researcher who found the credentials, contacted Comodo vice president Rajaswi Das by WhatsApp to secure the account. The password was revoked the following day.
Ursem told TechCrunch that the account allowed him to access internal Comodo files and documents, including sales documents and spreadsheets in the company’s OneDrive — and the company’s organization graph on SharePoint, allowing him to see the team’s biographies, contact information (including phone numbers and email addresses), photos, customer documents, calendars and more.

He also shared several screenshots of folders containing agreements and contracts with several customers — with the names of customers in each filename, such as hospitals and U.S. state governments. Other documents appeared to be Comodo vulnerability reports. Ursem’s cursory review of the data did not turn up any customer certificates private keys, however.
“Seeing as they’re a security company and give out SSL certificates, you’d think that the security of their own environment would come first above all else,” said Ursem. (Comodo has not been an SSL certificate issuer for several years.)
But according to Ursem, he wasn’t the first person to find the exposed email address and password.
“This account has already been hacked by somebody else, who has been sending out spam,” he told TechCrunch. He shared a screenshot of a spam email sent out, purporting to offer tax refunds from the French finance ministry.
We reached out to Comodo for comment prior to publication. A spokesperson said the account was an “automated account used for marketing and transactional purposes,” adding: “The data accessed was not manipulated in any way and within hours of being notified by the researcher, the account was locked down.”
It’s the latest example of exposed corporate passwords found in public GitHub repositories, where developers store code online. All too often developers upload files inadvertently containing private credentials used for internal-only testing. Researchers like Ursem regularly scan repositories for passwords and report them to the companies, often in exchange for bug bounties.
Earlier this year Ursem found a similarly exposed set of internal Asus passwords on an employee’s GitHub public account. Uber was also breached in 2016 after hackers found internal credentials on GitHub.
Updated to correct that Comodo no longer issues SSL certificates.

I can't believe people commit credentials with github code
and even more so when it's a security company that people are supposed to trust to follow best practices

Honestly, thank God for Windows Defender, it's so good that even if we want to switch to something else, we can take our time and do proper market research and only pick solutions of high quality
 
F

ForgottenSeer 823865

this is just slightly disturbing:emoji_hushed: and I don't think the cruel sister settings would have helped in this sitch :D
that is the whole point, you are safe locally (hopefully :p ) but once things go out of your computer, you are vulnerable as a baby.
I don't even talk about vendors sites being abused and their installer replaced by malicious version...
 
9

93803123

I can't believe people commit credentials with github code
and even more so when it's a security company that people are supposed to trust to follow best practices

Honestly, thank God for Windows Defender, it's so good that even if we want to switch to something else, we can take our time and do proper market research and only pick solutions of high quality

It is well know that GitHub is full of hidden, unknown malicious code. Heck, there was a case where someone had uploaded administrator scripts that turned out to be malicious. It was discovered only after many tens of thousands of downloads. No one ever bothered to audit the scripts.

that is the whole point, you are safe locally (hopefully :p ) but once things go out of your computer, you are vulnerable as a baby.
I don't even talk about vendors sites being abused and their installer replaced by malicious version...

Wah ? I'm aghast. How can that be ? I thought my security settings are transferred to all systems with which I interface. No ? Really ?
 

notabot

Level 15
Verified
Oct 31, 2018
703
It is well know that GitHub is full of hidden, unknown malicious code. Heck, there was a case where someone had uploaded administrator scripts that turned out to be malicious. It was discovered only after many tens of thousands of downloads. No one ever bothered to audit the scripts.



Wah ? I'm aghast. How can that be ? I thought my security settings are transferred to all systems with which I interface. No ? Really ?

It's only recently that Github provides audit tools for dependency security. However, this one was someone committing credentials with their code, for which there is simply no excuse, best practices around passing credentials are known for decades, committing them in the repo is not one of them.
 
  • Like
Reactions: Burrito

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top