As reported previously, a number of digital certificates were obtained by deception from Comodo that could have been used to hijack major websites including login.skype.com, mail.google.com, login.live.com and other popular websites.
It now appears that the hacker – who calls him/herself Comodohacker – has posted a series of messages on the Pastebin.com portal, describing how the hack was carried out and giving several details that experts are saying appear genuine.
Infosecurity understands that Comodohacker has claimed that GlobalTrust.it and InstantSSL.it, the Italian registration authorities, were potential weak links in the authentication process. This is in keeping with Comodo's claims in the last week that it was a southern European company that was central to the hack.
According to Sophos Canada's senior security advisor Chester Wisniewski, while investigating how s/he might compromise a certificate authority (CA), the hacker stumbled upon InstantSSL.it and their use of a DLL on their site to submit Certificate Signing Requests (CSRs) for immediate signing by the CA.
"Upon disassembling this DLL, he discovered a plain text username and password used as part of the CSR submission process, allowing him to submit any CSR he wished to be signed by Comodo and instantly retrieve the signed certificate", says Wisniewski in his latest security blog.
"Initially it was unclear if this guy was for real, and of course it is still impossible to tell. He did post some of the source from TrustDLL.dll to Pastebin, including the parts used for authentication that stored the unencrypted password", he adds.
The Sophos researcher went on to say that once again we come back to insecure passwords and password handling techniques.
Fortunately, he notes, the impact of this incident is quite small and may be a wake-up call for the certificate industry as a whole.
But, adds Wisniewski, there is still a shroud of mystery surrounding the whole affair because, if it was a lone hacker making a point, why issue certificates for these specific websites, all related to secure communication methods often used by dissidents to organize protests and share news with the world?
"[Comodohacker's] ramblings certainly show his support for Mahmoud Ahmadinejad and the current Iranian regime, but there are no conclusive ties to his government", he said.
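A release-time check for the weakness described above (credentials stored in plain text inside a distributed DLL), as an added example that is not from the article, Sophos or the DLL itself: it scans a build artifact for credential-like field names and the literals stored beside them, in both ASCII and UTF-16LE. The sample bytes, field names, values and URL are constructed for illustration.

```python
import re

# Field names that usually sit beside a stored credential.
KEYWORDS = re.compile(r"pass(word|wd)?|pwd|secret|api[_-]?key|login|user", re.I)
ASCII_RUN = re.compile(rb"[\x20-\x7e]{5,}")
# .NET and many Windows binaries keep string literals as UTF-16LE,
# which an ASCII-only strings pass does not see.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")

def extract_strings(blob):
    """Return sorted (start, end, text) for printable runs in both encodings."""
    found = [(m.start(), m.end(), m.group().decode("ascii"))
             for m in ASCII_RUN.finditer(blob)]
    found += [(m.start(), m.end(), m.group().decode("utf-16-le"))
              for m in UTF16_RUN.finditer(blob)]
    return sorted(found)

def find_credential_candidates(blob, window=32):
    """Flag credential field names and the literal stored right after each."""
    strings = extract_strings(blob)
    hits = []
    for i, (start, end, text) in enumerate(strings):
        if not KEYWORDS.search(text):
            continue
        hits.append((start, text, "credential field name"))
        if i + 1 < len(strings):
            nxt_start, _, nxt_text = strings[i + 1]
            if nxt_start - end <= window and not KEYWORDS.search(nxt_text):
                hits.append((nxt_start, nxt_text, "literal stored beside it"))
    return hits

# Constructed sample: not bytes from any real DLL; all names are hypothetical.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + "loginName".encode("utf-16-le") + b"\x01\x13"
    + "example-ra-account".encode("utf-16-le") + b"\x01\x1b"
    + "loginPassword".encode("utf-16-le") + b"\x01\x1d"
    + "EXAMPLE-not-a-real-value".encode("utf-16-le") + b"\x00\x00"
    + b"\x00\x00https://ra.example.invalid/submit-csr\x00"
)

if __name__ == "__main__":
    for offset, text, reason in find_credential_candidates(SAMPLE):
        print(f"0x{offset:04x}  {reason:26}  {text!r}")
```

Any hit in a shipped artifact means the credential should be rotated and moved out of client-distributed code.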