August 2016 Incident (opens in new tab)

(onelogin.com)

36 pointsmarcins9y ago19 comments

19 comments

16 comments · 6 top-level

tinco9y ago· 6 in thread

So.. they send data to their servers unencrypted? That's a serious design flaw right there. That they do any encryption (besides HTTPS) server side should be a red flag for any secrets store.

cheeze9y ago

Agreed 100%. With something like LastPass, they never actually have your enencrypted data at any point. So a logging bug (probably somebody logging the payload, etc. accidentally) wouldn't matter.

This is really concerning for a company that offers IAM as a service. IMO this is straight up incompetence.

hrez9y ago

Here are recent LastPass vulnerabilities: http://www.theregister.co.uk/2016/07/27/zero_day_hole_can_pw... https://labs.detectify.com/2016/07/27/how-i-made-lastpass-gi...

ams61109y ago

LassPass doesn't have your data as long as you trust their javascript. That's not really very comforting IMO.

1 more reply

runesoerensen9y ago

Seems more likely that they use HTTPS and this is "just" an issue with cleartext logging (i.e. some server component logs unencrypted data after TLS termination).

tomschlick9y ago

I think OP is referring to client side encryption instead of encrypting it on the server for storage.

1 more reply

someguy12349y ago

Yeah, they have to because of how they work. As much as possible they do via SAML, and for that no plaintext is needed. But a lot of their customers want to log in to sites that don't support SAML (it's hard). For those they do form stuffing - naturally that requires plaintext.

Source: worked in the industry at a more security-focused company, had to explain to sales/support a few times why they can support a site but we can't.

voxio9y ago· 3 in thread

I'd love to know which logging server they had exposed to the internet. Putting all infrastructure on a private network is security 101.

cyberferret9y ago

That is my question too - how was an internal logging server not set for restricted login only from the internal subnet?

Also - they mentioned the perp got in via a compromised employee login. No clarification if it was a former disgruntled employee, or that a current employee had a weak password, or was social engineered into divulging it.

In any case, it points to bad internal policies and procedures around isolating servers and employee password management.

guitarbill9y ago

Especially ironic since they do "Identity Management as a Service": https://www.onelogin.com/why-onelogin/strengthen-security

ams61109y ago

If it was a compromised employee login it could have been an indirect path to the log server. E.g. ssh or "Go to My PC" to employee workstation, or log in to company VPN, from there to internal hosts.

Not that employee workstations should have access to production machines ideally, but it is commonplace at small companies (and big ones too).

mattvot9y ago· 1 in thread

Pet peeve of the day.

Tried to right click on the header logo so I can check out their main site in a new tab.

Instead I'm blocked and get prompted to download their brand assets...

Please don't mess with established interactions.

what_ever9y ago

Very interesting. Do they really think that people use right click on the logo to get their logo?

Also, I use Cmd + Click more than right click -> open in new tab.

bsamuels9y ago

> multiple levels of AES-256 encryption.

crypto cringe - this instills just as much confidence as saying "WE USE MILITARY GRADE ENCRYPTION PROTOCOLS"

cyberferret9y ago

IRONIC NEWS FLASH OF THE DAY: OneLogin employees to store their credentials in LastPass to prevent any further compromising of passwords...

wtbob9y ago

This is why one should always, always use client-side encryption. Want to encrypt to the server? Sure, fine, there are good reasons for that interaction to be encrypted. But there are good reasons for one's data to be secured from the server as well.

Any protocol in which a malicious server can do more than deny service is broken.

j / k navigate · click thread line to collapse

19 comments

16 comments · 6 top-level

tinco9y ago· 6 in thread

So.. they send data to their servers unencrypted? That's a serious design flaw right there. That they do any encryption (besides HTTPS) server side should be a red flag for any secrets store.

cheeze9y ago

Agreed 100%. With something like LastPass, they never actually have your enencrypted data at any point. So a logging bug (probably somebody logging the payload, etc. accidentally) wouldn't matter.

This is really concerning for a company that offers IAM as a service. IMO this is straight up incompetence.

hrez9y ago

Here are recent LastPass vulnerabilities: http://www.theregister.co.uk/2016/07/27/zero_day_hole_can_pw... https://labs.detectify.com/2016/07/27/how-i-made-lastpass-gi...

ams61109y ago

LassPass doesn't have your data as long as you trust their javascript. That's not really very comforting IMO.

1 more reply

runesoerensen9y ago

Seems more likely that they use HTTPS and this is "just" an issue with cleartext logging (i.e. some server component logs unencrypted data after TLS termination).

tomschlick9y ago

I think OP is referring to client side encryption instead of encrypting it on the server for storage.

1 more reply

someguy12349y ago

Source: worked in the industry at a more security-focused company, had to explain to sales/support a few times why they can support a site but we can't.

voxio9y ago· 3 in thread

I'd love to know which logging server they had exposed to the internet. Putting all infrastructure on a private network is security 101.

cyberferret9y ago

That is my question too - how was an internal logging server not set for restricted login only from the internal subnet?

In any case, it points to bad internal policies and procedures around isolating servers and employee password management.

guitarbill9y ago

Especially ironic since they do "Identity Management as a Service": https://www.onelogin.com/why-onelogin/strengthen-security

ams61109y ago

Not that employee workstations should have access to production machines ideally, but it is commonplace at small companies (and big ones too).

mattvot9y ago· 1 in thread

Pet peeve of the day.

Tried to right click on the header logo so I can check out their main site in a new tab.

Instead I'm blocked and get prompted to download their brand assets...

Please don't mess with established interactions.

what_ever9y ago

Very interesting. Do they really think that people use right click on the logo to get their logo?

Also, I use Cmd + Click more than right click -> open in new tab.

bsamuels9y ago

> multiple levels of AES-256 encryption.

crypto cringe - this instills just as much confidence as saying "WE USE MILITARY GRADE ENCRYPTION PROTOCOLS"

cyberferret9y ago

IRONIC NEWS FLASH OF THE DAY: OneLogin employees to store their credentials in LastPass to prevent any further compromising of passwords...

wtbob9y ago

Any protocol in which a malicious server can do more than deny service is broken.

j / k navigate · click thread line to collapse