Busy Penguin
Is this a security issue?
Would someone who knows about security take a look at this thread on the Joomla! forum and give me an opinion?
Joomla! • View topic - Is this a security problem?
It does not look like it is a Joomla! problem but it might be a Firefox or openSUSE problem. Then again, it might just be my personal ignorance. Consider it Open Source user feedback.
Cordially,
TwoHoot
#1 - openSUSE Leap 15.1; AMD A6-3670; Radeon(tm) HD; 8gb memory; 500 gb HD; KDE 5.12.8
#2 - openSUSE Leap 15.1; Toshiba Satellite L70-A (Dual Boot - Win10); KDE 5.12.8
#3 - openSUSE Leap 15.1; AMD A6-6400K; Radeon HD; 8gb memory; 1tb HD; KDE 5.12.8
Administrator
Re: Is this a security issue?
On Tue, 28 Aug 2012 14:26:04 +0000, TwoHoot wrote:
> It does not look like it is a Joomla! problem but it might be a Firefox
> or openSUSE problem. Then again, it might just be my personal ignorance.
The password stored was stored from your browser or (if you sync your
Firefox browser settings) another system that is synchronized to.
You can scan your machine for rootkits using a tool like chkrootkit.
Jim
--
Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C
Global Moderator
Re: Is this a security issue?
There's some sort of security problem there. There is too little information given to be able to know what kind of problem.
My first guess would be that this is a user problem.
If you firefox store your passwords unencrypted, then anyone with access to the disk can potentially find those password. That could even happen if they access the disk by retrieving it from a trash heap after disposal.
If you have firefox store the passwords encrypted, then they cannot be read from the disk. Presumably a keylogger might be able to pick them up, depending on what is being logged. But that would require malicious access to the computer to install a keylogger.
I have participated in a web forum, where the forum managed logins by putting the password into a cookie that was sent every time. Having firefox encrypt the passwords would not help in that case, because the cookie database is stored unencrypted. And, worse still, packet sniffing on the network might be able to pick up passwords that are sent in cookies.
I hope I have illustrated why there isn't enough info in the referenced report.
openSUSE Leap 15.2; KDE Plasma 5.18.5;
Busy Penguin
Re: Is this a security issue?
Thank you very much for the consideration and prompt reply.
The problem is that I am too ignorant to carry on a meaningful dialog with someone who knows and understands security issues. For example, I do not even know what a rootkit is, much less what it means if I find or don't find one after I blindly run chkrootkit. That frustrates experts to the point of anger and distraction. I know from previous experience that I am responsible for my own education and will have to study from books or in class to get to the point where an expert such as yourself can help clear up the finer points.
I will be happy to spend as much time as necessary to give you any information that might help keep openSUSE secure if you will give me explicit instructions. What probably happened is that I left that computer logged on and a visitor took a peek where they didn't belong or logged on to something that interested them while I was making coffee or in the bathroom. Unless you begin to see similar problems cropping up elsewhere, it probably isn't worth the time and effort to look into it.
As a practical matter, I now know the extraneous username and password came from my computer. I deleted all the passwords stored in that machine, changed them and turned off the Remember Password feature. Firefox is not synchronized with anything that I know about.
Remembered passwords sure saves a lot of time when administering and managing content for two Joomla! websites.
Is it reasonably safe to reactivate the Remember Passwords feature and store the new passwords?
Cordially,
TwoHoot
#1 - openSUSE Leap 15.1; AMD A6-3670; Radeon(tm) HD; 8gb memory; 500 gb HD; KDE 5.12.8
#2 - openSUSE Leap 15.1; Toshiba Satellite L70-A (Dual Boot - Win10); KDE 5.12.8
#3 - openSUSE Leap 15.1; AMD A6-6400K; Radeon HD; 8gb memory; 1tb HD; KDE 5.12.8
Busy Penguin
Re: Is this a security issue?
I would only add one thing that seems exceedingly strange to me - The extraneous password only appeared on one computer when the website was accessed from a link on the We*****4u.com website. It never appeared on my local computers when I accessed betterbradynow.org directly.
This makes me think that We*****4u might be probing either knowingly or unknowingly. If so, they were successful. That bothers me.
Cordially,
TwoHoot
#1 - openSUSE Leap 15.1; AMD A6-3670; Radeon(tm) HD; 8gb memory; 500 gb HD; KDE 5.12.8
#2 - openSUSE Leap 15.1; Toshiba Satellite L70-A (Dual Boot - Win10); KDE 5.12.8
#3 - openSUSE Leap 15.1; AMD A6-6400K; Radeon HD; 8gb memory; 1tb HD; KDE 5.12.8
Administrator
Re: Is this a security issue?
On Tue, 28 Aug 2012 16:46:02 +0000, TwoHoot wrote:
> The problem is that I am too ignorant to carry on a meaningful dialog
> with someone who knows and understands security issues. For example, I
> do not even know what a rootkit is, much less what it means if I find or
> don't find one after I blindly run chkrootkit.
"rootkit" is a type of software package that elevates privileges to
'root' (hence the name), usually without the user's explicit knowledge
(though the user usually does something to cause it to be installed).
> Is it reasonably safe to reactivate the Remember Passwords feature and
> store the new passwords?
That's an individual's decision - but I've used this feature for years
and never had a problem with it.
Jim
--
Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C
Administrator
Re: Is this a security issue?
On Tue, 28 Aug 2012 16:56:02 +0000, TwoHoot wrote:
> I would only add one thing that seems exceedingly strange to me - The
> extraneous password only appeared on one computer when the website was
> _accessed_from_a_link_ on the We*****4u.com website. It never appeared
> on my local computers when I accessed betterbradynow.org directly.
>
> This makes me think that We*****4u might be probing either knowingly or
> unknowingly. If so, they were successful. That bothers me.
Your browser would've prompted you to save the password, though.
Jim
--
Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C
Busy Penguin
Re: Is this a security issue?
The log in form was pre-filled in when the page opened via the link on we*****4u. The filled-in login form only appeared on one computer and only arrived filled in when accessed from one outside link. Accessed in any other way, the login form always arrives blank (so I can log into the websites I maintain at different levels of permission to make sure the right people can and can't see the things they are supposed to see or not see).
I did not save it or check the remember me box. Clicking the Log In button led to an error page. I did not even know there was such a username on my computer until I checked. Then I found it had been there for almost a month.
If you are satisfied that this is not important in the big picture, I will just drop it and go back to work.
I sincerely appreciate your consideration, time and prompt replies. Thank you for setting my mind to rest.
Cordially,
TwoHoot
#1 - openSUSE Leap 15.1; AMD A6-3670; Radeon(tm) HD; 8gb memory; 500 gb HD; KDE 5.12.8
#2 - openSUSE Leap 15.1; Toshiba Satellite L70-A (Dual Boot - Win10); KDE 5.12.8
#3 - openSUSE Leap 15.1; AMD A6-6400K; Radeon HD; 8gb memory; 1tb HD; KDE 5.12.8
Administrator
Re: Is this a security issue?
On Tue, 28 Aug 2012 18:56:03 +0000, TwoHoot wrote:
> The__log_in_form_was_pre-filled_in_when_the_page_opened_ via the link on
> we*****4u. The filled-in login form only appeared on one computer and
> only arrived filled in when accessed from one outside link. Accessed in
> any other way, the login form always arrives blank (so I can log into
> the websites I maintain at different levels of permission to make sure
> the right people can and can't see the things they are supposed to see
> or not see).
With a password field, the only way that it would be pre-populated by the
browser is with a saved password. Since you found the user ID and
password in the saved passwords settings, at some point in that browser
or another one that has its settings sync'ed, it would have been
necessary to tell the browser to save the password.
The password store is generally encrypted (I checked my own FF
installation, and it's a sqlite database that's encrypted), so AFAIK only
FF can actually change that file.
I don't think you have anything to worry about - the odds are probably
that you inadvertently saved it at some point and just forgot that you
had. I do that sort of thing on occasion myself.
Jim
--
Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C
Administrator
Re: Is this a security issue?
On Tue, 28 Aug 2012 18:56:03 +0000, TwoHoot wrote:
> The__log_in_form_was_pre-filled_in_when_the_page_opened_ via the link on
> we*****4u.
Just thinking about this a bit more - if you disable javascript in the
browser, does the form get prepopulated?
Jim
--
Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C
Posting Permissions
Bookmarks