
Lone Iranian hacker claims credit for Comodo digital certificate hack

29 March 2011

Reports are coming in that an independent Iranian hacktivist – portraying himself as a patriot – is claiming credit for the hack of a range of major site certificates from Comodo.

As reported previously, several digital certificates were obtained from Comodo by deception; had they been used, they could have allowed the hijacking of major websites such as login.skype.com, mail.google.com, login.live.com and other popular sites.

It now appears that the hacker – who calls him/herself Comodohacker – has posted a series of messages on the Pastebin.com portal, both describing how the hack was carried out and giving several details that experts say appear genuine.

Infosecurity understands that Comodohacker has named GlobalTrust.it and InstantSSL.it, the Italian registration authorities, as potential weak links in the authentication process. This is in keeping with Comodo's claims in the last week that a southern European company was central to the hack.

According to Sophos Canada's senior security advisor Chester Wisniewski, while investigating how s/he might compromise a certificate authority (CA), the hacker stumbled upon InstantSSL.it and their use of a DLL on their site to submit Certificate Signing Requests (CSRs) for immediate signing by the CA.

"Upon disassembling this DLL, he discovered a plain text username and password used as part of the CSR submission process, allowing him to submit any CSR he wished to be signed by Comodo and instantly retrieve the signed certificate", says Wisniewski in his latest security blog.

"Initially it was unclear if this guy was for real, and of course it is still impossible to tell. He did post some of the source from TrustDLL.dll to Pastebin, including the parts used for authentication that stored the unencrypted password", he adds.

The Sophos researcher went on to say that, once again, the root cause comes back to insecure passwords and poor password-handling practices.

Fortunately, he notes, the impact of this incident is quite small and may be a wake-up call for the certificate industry as a whole.

But, adds Wisniewski, there is still a shroud of mystery surrounding the whole affair because, if it was a lone hacker making a point, why issue certificates for these specific websites, all related to secure communication methods often used by dissidents to organize protests and share news with the world?

"[Comodohacker's] ramblings certainly show his support for Mahmoud Ahmadinejad and the current Iranian regime, but there are no conclusive ties to his government", he said.
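The weakness Wisniewski describes, a plaintext username and password embedded in a client-side DLL, is exactly the kind of defect a release-time audit of your own shipped binaries can catch. The following is an added example, not code from this article, from Comodo or from InstantSSL.it: a Python scan that extracts narrow (ASCII) and wide (UTF-16LE) strings from a binary image and flags credential-looking ones; the fake DLL bytes and the credential patterns are constructed for illustration.

```python
import re
from typing import List, Tuple

# Patterns that commonly mark an embedded credential (constructed for this
# example; extend to match the naming conventions of the code base being audited).
CREDENTIAL_PATTERNS = [
    re.compile(r"(?i)(password|passwd|pwd|secret|apikey|api_key)\s*[=:]\s*\S+"),
    re.compile(r"(?i)(user(name)?|login)\s*[=:]\s*\S+"),
]


def extract_strings(blob: bytes, min_len: int = 6) -> List[Tuple[int, str]]:
    """Return (offset, text) for printable runs, like `strings -a -e s` plus `-e l`."""
    found = []
    # Narrow (ASCII) strings.
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        found.append((m.start(), m.group().decode("ascii")))
    # Wide (UTF-16LE) strings, the usual encoding of Win32 string literals in a DLL.
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        found.append((m.start(), m.group().decode("utf-16-le")))
    return sorted(found)


def find_credential_strings(blob: bytes) -> List[Tuple[int, str]]:
    """Flag extracted strings that look like a hard-coded username or password."""
    hits = []
    for offset, text in extract_strings(blob):
        if any(p.search(text) for p in CREDENTIAL_PATTERNS):
            hits.append((offset, text))
    return hits


# Constructed sample: a fake DLL image with a plaintext credential pair embedded.
# These are made-up values, not anything from TrustDLL.dll (the page quotes none).
SAMPLE_DLL = (
    b"MZ\x90\x00" + b"\x00" * 20
    + b"SubmitCSR" + b"\x00" * 5
    + b"username=ra_submit" + b"\x00" * 7
    + "password=Example123!".encode("utf-16-le") + b"\x00" * 9
    + b"https://example.invalid/sign" + b"\x00" * 3
)

if __name__ == "__main__":
    for offset, text in find_credential_strings(SAMPLE_DLL):
        print(f"0x{offset:06x}  {text}")
```

Run it against a real build artifact by reading the file into `blob`; any hit is a secret that every recipient of the binary can recover with a string dump, so it belongs in a server-side store or a per-client token, not in the DLL.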
