[BOINCstats] Willy
 
Forum moderator - Administrator - Developer - Tester - Translator
BAM!ID: 1
Joined: 2006-01-09
Posts: 9442
Credits: 353,172,950
World-rank: 4,892

2008-06-23 21:44:55

Comments on the following newsitem
A hacker has succeeded in retrieving limited information from a few members of BAM!. The members that are affected have received an email.

The hacker in question reported the exploit himself and stated that he wouldn't abuse the information. Yet I urge the ones affected to at least change their password.

I'm sorry for the inconvenience. At least it put me back into the real world, and I'll check all of BOINCstats for further exploits.
http://boincstats.com/page/project_news.php?pr=bam#357210
[BOINCstats] Willy
 
Forum moderator - Administrator - Developer - Tester - Translator
BAM!ID: 1
Joined: 2006-01-09
Posts: 9442
Credits: 353,172,950
World-rank: 4,892

2008-06-23 21:48:40
last modified: 2008-06-23 22:02:41

More information on this:


    * If you change your password, offline projects will not be updated. You have to change these manually at a later time.
    * Your CPID (and thus your stats) should not change.
    * Yes, it was a stupid bug on my end.
    * Yes, I learned from it.
    * I did a test on all pages I could think of and couldn't find another exploitable page (though we'll probably never be safe from hackers).
    * If you have hosts attached to BOINC with really old client versions (4.x), you need to change the password on those hosts as well.

Please do not PM, IM or email me for support (they will go unread/ignored). Use the forum for support.
student_
    Donator
BAM!ID: 73
Joined: 2006-05-10
Posts: 47
Credits: 5,150,513
World-rank: 84,601

2008-06-23 21:49:17

What kind of information was retrieved?
[BOINCstats] Willy
 
Forum moderator - Administrator - Developer - Tester - Translator
BAM!ID: 1
Joined: 2006-01-09
Posts: 9442
Credits: 353,172,950
World-rank: 4,892

2008-06-23 21:54:31

Basically he had access to all fields in the user table but the page truncated the output. Most fields do not contain usable information for a third party but email address and password related information is in there.
Please do not PM, IM or email me for support (they will go unread/ignored). Use the forum for support.
Gerry Rough
 
BAM!ID: 713
Joined: 2006-05-25
Posts: 226
Credits: 6,726,654
World-rank: 71,489

2008-06-23 23:23:20

Cool beans Willy. The best way to handle stuff like this is openness. It is certain that had you even thought about trying to keep this under wraps to limit the damage, it may have had dramatic results. Your confidence in Boincstats users is welcome.

Dr Who Fan
BAM!ID: 1075
Joined: 2006-05-31
Posts: 964
Credits: 156,309,174
World-rank: 8,531

2008-06-26 03:33:02

Thank you for being honest, open and posting about the 'exploit'. Your site is still the best for stats and project news!


Index :: News :: 2008-06-23: BAM! - Limited number of BAM! user accounts compromised (357210)