Skype blog hacked (opens in new tab)

(blogs.skype.com)

86 pointstazer12y ago58 comments

58 comments

This blog is not hosted by the Skype but on WordPress VIP. This means that, most likely, the blog was not broken into using a software exploit of any sort since the security on VIP blogs is professional. Knowing that this is the Syrian Army, this attack was most likely done using phished credentials.

If they had any sort of system access they would have defaced the entire subdomain or the main site. So most likely, this is nothing to worry about. Your account data most likely still in safe hands.

t012y ago

You're right. It was probably a brute force since they don't have maximum login attempts. http://blogs.skype.com/wp-admin

Viper007Bond12y ago

Limiting login attempts is not as effective as you might think. How should it work? If you want to ban IP addresses that get X attempts wrong in Y minutes, then you're failing to realize that hackers like this normally have access to hundreds or thousands of IP addresses. If you want to lock the whole account for a while, then you've just introduced a way for anyone to lock the account of someone else they don't like.

Also considering that their Twitter and Facebook accounts were also compromised, your assumption that it was the blog itself that was compromised is a big one. I don't have any first hand knowledge on that though personally, I'm just saying.

1 more reply

barsxl12y ago

WordPress.com has pretty sophisticated brute force detection mechanisms and protections in place. I am not sure why you would say otherwise.

elwell12y ago

Such a simple feature to implement...

2 more replies

jon_kuperman12y ago

Yeah getting access to their WordPress blog doesn't really prove anything.

stusmall12y ago

Doesn't look like they are trying to prove insecurity of the service but protest the spying that Skype and now Microsoft are involved in.

jfoster12y ago

Doesn't WordPress offer any two-step auth option? Feels like a rather large limitation.

barsxl12y ago

WordPress.com offers two-step authentication for all of our users. You can use any application which supports Time-Based One-Time Passwords (TOTP) such as Google Authenticator, Authy, etc. and you can also receive a one time password via SMS.

yeukhon12y ago

Here is the screenshot of the blog hacked. http://imgur.com/RGeTFWV

So it looks like Skype doesn't host on its own server. It looks like this is wordpress.com but with custom domain?

curl http://blogs.skype.com -v

< X-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.

EDIT Okay it is

New to wpscan. When it says plugins found are these the vulnerable plugins wordpress.com running?

https://gist.github.com/yeukhon/8211580

And I found the username 7 pretty interesting.... wonder if I am actually doing the ethical thing here :(

xsNzgw812y ago

You will find those usernames whenever you scan wordpress.com with wpscan.

yeukhon12y ago

Wow you are right about that.

just did it on another blog.wordpress.com. How come? On Skype's blog I can access /author/7 or /author/ian but I can't do it on another blog, I get "Oops".

1 more reply

xsNzgw812y ago

Snapshot archive (if they fix the page): http://mraka.eu/snapshot/v/blogs.skype.com

Direct link to the snapshot of the hacked site: http://mraka.eu/snapshot/img/2014/01/01/e0d8888c73483275afea...

Snapshot archive of twitter account: http://mraka.eu/snapshot/v/twitter.com

Direct link to the first tweet snapshot: http://mraka.eu/snapshot/img/2014/01/01/1d6269aa8371ce676587...

Direct link to the first retweet snapshot: http://mraka.eu/snapshot/img/2014/01/01/a0f4c0947281bb0fb19d...

wahnfrieden12y ago

The Twitter account has also been compromised at the same time: https://news.ycombinator.com/item?id=6996899

nightman12y ago

Screenshot: http://imgur.com/Fr8um8B

seivan12y ago

http://twitter.com/Skype/status/418495453471068161

Nux12y ago

Sounds legit. :-)

rev08712y ago

There is also a second post from the same - apparently compromised - author: http://blogs.skype.com/2014/01/01/dont-use-microsoft-emails-...

ollysb12y ago

>> Hacked by Syrian Electronic Army.. Stop spying!

Seems a strange message to send to a country that spies on it's own citizens (and where apparently the citizens are unable to prevent their own government from doing it to them).

X412y ago

Indeed and they buy german spying technology products. However I think the logical fallacy you've stepped in is that the Syrian Electronic Army (SEA) doesn't want to get spied on themselves by Skype and Microsoft, maybe. haha :)

But I fully support the message here, I think that spying inside of consumer products is a sign of the abuse of power and monopoly.

t012y ago

More than likely a guessed admin password.

lelandbatey12y ago

Here's a screenshot of the blog, in case it get's fixed:

http://puu.sh/65TRe.png

coffeecheque12y ago

Its Twitter account was also hacked and a message posted, but it appears to have been deleted.

Screenshot here: https://twitter.com/MikeElgan/status/418482819611230208

ehPReth12y ago

Looks to be one of those auto posters (i.e. content posted on the blog is automatically pushed out to twitter, facebook, others)

ihatehandles12y ago

I thought so as well, until https://twitter.com/Skype/statuses/4184954534710681

1 more reply

ihatehandles12y ago

Gotta wonder what's running through non-techie Skypers when they see the tweets (https://twitter.com/Skype/status/418495453471068161) and all :D

romanovcode12y ago

I'm not sure why the accent on "Stop using MS, it's spying on you!" is on MS. AFAIK every company is using your data and giving/selling it to the government.

How is MS more evil than anyone else?

RyanZAG12y ago

If someone drowns 4 kittens and you only drown 1 kitten, you're still pretty evil. I don't see how "everyone else is doing it" is possibly a valid argument. Obviously 'evil' in this case is based on your definition though, it's not exactly a universal concept.

diminoten12y ago

What if a cop held a gun to your head and told you to drown those kittens?

zeitg3ist12y ago

Microsoft has been moving Skype from its original peer-to-peer architecture to a more centralized system for some time. After the Snowden shitstorm, critics have been implying that the move was NSA-related.

magic_haze12y ago

I might be wrong, but wasn't skype's p2p system used mostly for udp hole punching? (i.e., the supernodes were used to initiate the connection and then the clients communicated directly with each other.) With the centralized system, do the call contents go through microsoft's servers now? (this should be pretty easy to prove, doesn't it? Just check the addresses where your UDP packets are being sent to and received from.) It just seems to me that if anyone wanted to spy on you, forcing someone else to migrate to an entirely new system would be massive overkill: Applebaum's talk shows there are _plenty_ of better tools available to get to your packets.

EDIT: This really seems like an interesting question: _are_ there any advantages an attacker would have with skype's centralized system that they wouldn't with their previous p2p system? From what we've seen so far, I think the differences (from an attacker's perspective) are trivial.

belorn12y ago

Microsoft is responsible for spying on 90% of all users of an Desktop (or laptop) operating system.

Simply put, because of their market share, their evil has a bigger impact than other companies evil.

footnote: One is always completely free to decided if evil with more market share than other evils are more evil.

tsurantino12y ago

They also hacked their Facebook page.

mrkris12y ago

I don't consider getting access to a website via the most insecure blogging platform on the internet "hacking".

jblz12y ago

Not sure why you say that. WordPress.com offers 2-Factor Auth:

http://en.support.wordpress.com/security/two-step-authentica...

There are also tons of available security plugins & pretty extensive documentation on hardening a self-hosted install:

http://wordpress.org/plugins/tags/security http://codex.wordpress.org/Hardening_WordPress

X412y ago

Hardening Wordpress. That made me speechless…………

But hey, what do I know? ¯\_(ツ)_/¯ Only the tip of the iceberg. Some men believe.

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress

2 more replies

krapp12y ago

Still, a lot of what's on that page and a lot of the common features of plugins like Wordfence (which I use) should be part of the core, I think.

Though also in my opinion even having a web-based file editor is pretty terrible...

mrkris12y ago

Having 2-Factor auth is meaningless if you can bypass the auth itself.

thirsteh12y ago

[citation needed]

WordPress isn't that insecure. A lot of third-party (i.e. written by inexperienced developers) plugins for it are, though.

corresation12y ago

I doubt the purported "insecurity" of Wordpress has anything to do with this. Given that they simultaneously defaced a multitude of social media outlets for Skype, it seems fairly likely that they phished or compromised someone who managed social media accounts.

j / k navigate · click thread line to collapse

58 comments

xSwag12y ago

If they had any sort of system access they would have defaced the entire subdomain or the main site. So most likely, this is nothing to worry about. Your account data most likely still in safe hands.

t012y ago

You're right. It was probably a brute force since they don't have maximum login attempts. http://blogs.skype.com/wp-admin

Viper007Bond12y ago

1 more reply

barsxl12y ago

WordPress.com has pretty sophisticated brute force detection mechanisms and protections in place. I am not sure why you would say otherwise.

elwell12y ago

Such a simple feature to implement...

2 more replies

jon_kuperman12y ago

Yeah getting access to their WordPress blog doesn't really prove anything.

stusmall12y ago

Doesn't look like they are trying to prove insecurity of the service but protest the spying that Skype and now Microsoft are involved in.

jfoster12y ago

Doesn't WordPress offer any two-step auth option? Feels like a rather large limitation.

barsxl12y ago

yeukhon12y ago

Here is the screenshot of the blog hacked. http://imgur.com/RGeTFWV

So it looks like Skype doesn't host on its own server. It looks like this is wordpress.com but with custom domain?

curl http://blogs.skype.com -v

< X-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.

EDIT Okay it is

New to wpscan. When it says plugins found are these the vulnerable plugins wordpress.com running?

https://gist.github.com/yeukhon/8211580

And I found the username 7 pretty interesting.... wonder if I am actually doing the ethical thing here :(

xsNzgw812y ago

You will find those usernames whenever you scan wordpress.com with wpscan.

yeukhon12y ago

Wow you are right about that.

just did it on another blog.wordpress.com. How come? On Skype's blog I can access /author/7 or /author/ian but I can't do it on another blog, I get "Oops".

1 more reply

xsNzgw812y ago

Snapshot archive (if they fix the page): http://mraka.eu/snapshot/v/blogs.skype.com

Direct link to the snapshot of the hacked site: http://mraka.eu/snapshot/img/2014/01/01/e0d8888c73483275afea...

Snapshot archive of twitter account: http://mraka.eu/snapshot/v/twitter.com

Direct link to the first tweet snapshot: http://mraka.eu/snapshot/img/2014/01/01/1d6269aa8371ce676587...

Direct link to the first retweet snapshot: http://mraka.eu/snapshot/img/2014/01/01/a0f4c0947281bb0fb19d...

wahnfrieden12y ago

The Twitter account has also been compromised at the same time: https://news.ycombinator.com/item?id=6996899

nightman12y ago

Screenshot: http://imgur.com/Fr8um8B

seivan12y ago

http://twitter.com/Skype/status/418495453471068161

Nux12y ago

Sounds legit. :-)

rev08712y ago

There is also a second post from the same - apparently compromised - author: http://blogs.skype.com/2014/01/01/dont-use-microsoft-emails-...

ollysb12y ago

>> Hacked by Syrian Electronic Army.. Stop spying!

Seems a strange message to send to a country that spies on it's own citizens (and where apparently the citizens are unable to prevent their own government from doing it to them).

X412y ago

But I fully support the message here, I think that spying inside of consumer products is a sign of the abuse of power and monopoly.

t012y ago

More than likely a guessed admin password.

lelandbatey12y ago

Here's a screenshot of the blog, in case it get's fixed:

http://puu.sh/65TRe.png

coffeecheque12y ago

Its Twitter account was also hacked and a message posted, but it appears to have been deleted.

Screenshot here: https://twitter.com/MikeElgan/status/418482819611230208

ehPReth12y ago

Looks to be one of those auto posters (i.e. content posted on the blog is automatically pushed out to twitter, facebook, others)

ihatehandles12y ago

I thought so as well, until https://twitter.com/Skype/statuses/4184954534710681

1 more reply

ihatehandles12y ago

Gotta wonder what's running through non-techie Skypers when they see the tweets (https://twitter.com/Skype/status/418495453471068161) and all :D

romanovcode12y ago

I'm not sure why the accent on "Stop using MS, it's spying on you!" is on MS. AFAIK every company is using your data and giving/selling it to the government.

How is MS more evil than anyone else?

RyanZAG12y ago

diminoten12y ago

What if a cop held a gun to your head and told you to drown those kittens?

zeitg3ist12y ago

magic_haze12y ago

belorn12y ago

Microsoft is responsible for spying on 90% of all users of an Desktop (or laptop) operating system.

Simply put, because of their market share, their evil has a bigger impact than other companies evil.

footnote: One is always completely free to decided if evil with more market share than other evils are more evil.

tsurantino12y ago

They also hacked their Facebook page.

mrkris12y ago

I don't consider getting access to a website via the most insecure blogging platform on the internet "hacking".

jblz12y ago

Not sure why you say that. WordPress.com offers 2-Factor Auth:

http://en.support.wordpress.com/security/two-step-authentica...

There are also tons of available security plugins & pretty extensive documentation on hardening a self-hosted install:

http://wordpress.org/plugins/tags/security http://codex.wordpress.org/Hardening_WordPress

X412y ago

Hardening Wordpress. That made me speechless…………

But hey, what do I know? ¯\_(ツ)_/¯ Only the tip of the iceberg. Some men believe.

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress

2 more replies

krapp12y ago

Still, a lot of what's on that page and a lot of the common features of plugins like Wordfence (which I use) should be part of the core, I think.

Though also in my opinion even having a web-based file editor is pretty terrible...

mrkris12y ago

Having 2-Factor auth is meaningless if you can bypass the auth itself.

thirsteh12y ago

[citation needed]

WordPress isn't that insecure. A lot of third-party (i.e. written by inexperienced developers) plugins for it are, though.

corresation12y ago

j / k navigate · click thread line to collapse