[jitsi-users] jit.si compromised! Passwords potentially exposed! Reset ASAP!


#1

Dear jit.si users,

We have discovered that the servers running the XMPP jit.si service have been compromised, including the Openfire user databases. We also discovered that Openfire stores password hashes in a way that makes it very straightforward to retrieve the original password from the hash (thanks to Ingo Bauersachs for investigating and getting to the bottom of this). This means that the password that you are using to log into jit.si could have been exposed to the attacker, so please RESET IT AS SOON AS POSSIBLE!

Here’s how you can do this: https://jitsi.org/passwd-rst

What does this mean exactly?

Calls on jit.si that were protected with ZRTP and chat sessions that were protected with OTR *are safe*. That’s the whole point of using end-to-end encryption and why we care so much about it in Jitsi.

The bad news is that:

* the attackers may know your passwords so please change it ASAP wherever you are using it
* the attackers may know the content of your roster

What did we do to address the situation?

In the short term we have just moved Openfire to a new location that hasn’t been compromised. You might have experienced connectivity problems as a result today.

In the longer term we would either be moving to another authentication backend for Openfire (e.g. LDAP) or moving to Tigase (we still need to confirm the Jingle Nodes situation there).

We’ll keep everyone posted on our mailing lists.

Questions are welcome at: users@jitsi.org

Emil


--
https://jitsi.org
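The core finding in the announcement is that the Openfire user database held password material from which the original passwords could be recovered. As an added example (not code from Jitsi or Openfire), here is what a one-way store looks like: a salted, iterated PBKDF2 record that a stolen database only lets someone check guesses against, plus a login that transparently re-hashes records made under older parameters, which is the property any replacement backend should have. All names, the parameters and the in-memory `store` dict are assumptions for the example.

```python
import hashlib
import hmac
import os

# Policy parameters: an assumption chosen for the example; tune the iteration
# count to the server's hardware.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16
DKLEN = 32

def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    # Slow, salted, one-way derivation: the only way back from the output is
    # to guess a password and re-run this for each guess.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=DKLEN)

def make_record(password: str, iterations: int = ITERATIONS) -> str:
    # Self-describing record: algorithm$iterations$salt_hex$hash_hex. A fresh
    # random salt per user means two users with the same password get
    # different records, so one cracked record does not unlock the other.
    salt = os.urandom(SALT_BYTES)
    digest = _derive(password, salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"

def verify(password: str, record: str) -> bool:
    # Check a password against a stored record; compare in constant time.
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record is a failed login, not a crash
    if algorithm != ALGORITHM:
        return False
    candidate = _derive(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))

def needs_rehash(record: str) -> bool:
    # True when the record predates the current algorithm or iteration policy.
    algorithm, iterations, _salt, _hash = record.split("$")
    return algorithm != ALGORITHM or int(iterations) < ITERATIONS

def login(store: dict, username: str, password: str) -> bool:
    # Verify against an in-memory store (a dict standing in for the user
    # database) and transparently upgrade weak records after a good login.
    record = store.get(username)
    if record is None:
        # Burn the same KDF cost for unknown users so response time does not
        # reveal which usernames exist.
        _derive(password, b"\x00" * SALT_BYTES, ITERATIONS)
        return False
    if not verify(password, record):
        return False
    if needs_rehash(record):
        store[username] = make_record(password)
    return True

if __name__ == "__main__":
    # Constructed sample store: one current record and one weaker record left
    # over from an older deployment.
    users = {"alice": make_record("correct horse battery"),
             "bob": make_record("hunter2", iterations=1_000)}
    print("alice ok:", login(users, "alice", "correct horse battery"))
    print("bob ok, upgraded:", login(users, "bob", "hunter2"),
          not needs_rehash(users["bob"]))
```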


#2

Hi Emil,

Thank you for quickly recovering from this and being upfront about the
problem. Password has been updated and I'm connected again!

Regards,
Jungle


On 26 November 2013 05:29, Emil Ivov <emcho@jitsi.org> wrote:

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

--
-------
inum: 883510009902611
sip: jungleboogie@sip2sip.info
xmpp: jungle-boogie@jit.si


#3

Thanks guys! Have you filed a ticket with igniterealtime?


On Nov 26, 2013, at 8:31 AM, Emil Ivov <emcho@jitsi.org> wrote:



#4

Hi,

This means that the password that you are using
to log into jit.si could have been exposed to the attacker, so
please RESET IT AS SOON AS POSSIBLE!

Here’s how you can do this: https://jitsi.org/passwd-rst

VERY IMPORTANT:

If, for some stupid reason, you have used the same password for your
e-mail account, then change it there *before* resetting your Jit.si
password *and* do a careful check of your e-mail account, to find any
configuration changes regarding forwarding, etc. Also, if your provider
has IMAP access, make sure all remaining IMAP connections are closed
(maybe by timing out).

-nik


--
# apt-assassinate --help
Usage: apt-assassinate [upstream|maintainer] <package>

PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296


#5

Thanks guys! Have you filed a ticket with igniterealtime?

Well, there's already this:
     http://community.igniterealtime.org/thread/50526

Emil


On 26.11.13, 14:44, Matt Brown wrote:

On Nov 26, 2013, at 8:31 AM, Emil Ivov <emcho@jitsi.org> wrote:


--
https://jitsi.org


#6

Oh thanks for the notification...

In the short term we have just moved Openfire to a new location that
hasn’t been compromised.

Does that mean the server has been compromised physically?
(Or do you mean something virtual by "location"?)

Best,
Tim


#7

I edited the instructions for resetting passwords to hopefully make it
clearer. It is now in the step-by-step format.
https://jitsi.org/Documentation/FAQ#passwd-rst

One question: I changed the first step to read "Tools > Options" (to
match what I see on Windows). Is it safe to assume that the menu items
are the same on every platform? The original instructions said something
like "Edit preferences".

David


On 11/26/2013 7:29 AM, Emil Ivov wrote:



#8

Thanks for the advice.

It's been a while since I used my jit.si account and to be honest I've
forgotten my username.

I've tried guessing on the 'reset password' page but to no avail. Is there
any way to find what account is registered to my email address?

Many Thanks,
Phil


On 26 November 2013 08:58, Dominik George <nik@naturalnet.de> wrote:



#9

"location" was meant as a "server".

Sorry for the poor choice of words.

Emil


On 26.11.13, 17:54, Tim Ruffing wrote:


--
https://jitsi.org


#10

Is it safe to assume that the menu items are the same on every platform?

It's not the same on every platform, but such instructions usually go like this:
"Do this and this for Windows. Mac and Linux users should know how to do it"
:smiley:

Pavel Tankov


On 28 Nov 2013, at 03:59, David Bolton wrote:



#11

I edited the instructions for resetting passwords to hopefully make it
clearer. It is now in the step-by-step format.
https://jitsi.org/Documentation/FAQ#passwd-rst

Lovely! :slight_smile:

Thanks a lot David!

One question: I changed the first step to read "Tools > Options" (to
match what I see on Windows). Is it safe to assume that the menu items
are the same on every platform? The original instructions said something
like "Edit preferences".

Yeah, I had been intentionally vague there. OS X does not have "Options" in "Tools" because such menus are traditionally elsewhere there.

Shot attached.
Emil


On 28.11.13, 02:59, David Bolton wrote:


--
https://jitsi.org


#12

Contact me privately and we'll try to figure something out.


On 26.11.13, 21:04, Philip Chapman wrote:


--
https://jitsi.org


#13

Thanks Emil. I added alternate instructions for Mac OS on step 1:
https://jitsi.org/Documentation/FAQ#passwd-rst

David


On 11/28/2013 3:46 AM, Emil Ivov wrote:



#14

Translations are an additional difficulty, but screenshots help there.

Regards,
Philipp


On Thu, 28 Nov 2013 10:46:35 +0100 Emil Ivov <emcho@jitsi.org> wrote:



#15

Perfect. Thanks (from an OS X user).


On 28.11.2013 at 17:57, David Bolton <davidkbolton@gmail.com> wrote:
