Endwall
11/17/2018 (Sat) 06:50:58
No.1339
Bleepingcomputer
https://www.bleepingcomputer.com/news/security/hacker-say-they-compromised-protonmail-protonmail-says-its-bs/
A person or group claiming to have hacked ProtonMail and stolen "significant" amounts of data has posted a lengthy ransom demand with some wild claims to an anonymous Pastebin. ProtonMail states it's complete BS. According to the message, a hacker going by the name AmFearLiathMor makes quite a few interesting claims, such as hacking ProtonMail's services and stealing users' email, that ProtonMail is sending their users' decrypted data to American servers, and that ProtonMail is abusing the lack of Subresource Integrity (SRI) use to purposely and maliciously steal their users' passwords. After reading the Pastebin message (archive.is link), which is shown in its entirety below minus some alleged keys, and seeing the amount of claims, the first thing that came to mind was a corporate version of the sextortion scams that have been running rampant lately. As I kept reading it, though, it just felt like a joke.

Short Summary: We hacked Protonmail and have a significant amount of their data from the past few months. We are offering it back to Protonmail for a small fee; if they decline, then we will publish or sell user data to the world.

Long Explanation: While Protonmail's open-source code can be freely audited on Github, they haven't configured the mandatory SRI feature (https://www.w3.org/TR/SRI/). This leaves users without any guarantee about their source code integrity, thus allowing tampering and data collection at any time. This will be totally transparent and unnoticed, because without enabling SRI all the users should inspect the website runtime code and its connections manually in the same moment they're being tampered with by Protonmail to discover it. Furthermore, this requires spending a lot of time and advanced knowledge. With this being clarified, we have proven and recorded that Protonmail intentionally manipulated their source code to reveal users' decryption keys (private keys) by collecting their password. Protonmail abuses the lack of SRI technology to serve a modified version of their code that allows full data collection and decryption of their users' content. We haven't found the exact pattern that triggers this (probably by targeting IP ranges or just randomly to collect everybody's password), but again, we have proven and recorded this happens. After proving Protonmail knowingly permits misconfiguration to maliciously target users, we decided to deploy our full capabilities against them. We began with months of dedicated penetration testing, we asked assistance from other organizations and deployed unreleased 0-days. Although arduous, we successfully installed a permanent backdoor on their major machines without Protonmail's knowledge, bypassing their detection mechanisms. Once we obtained that access we took advantage of their misconfiguration and collected passwords from a large percentage of active accounts that accessed Protonmail during that period. After that we were running a modified and automatized version of their webclient on our end, where we fetched, processed and stored email messages from those affected users in a huge database of our own, thus having significant useful information from many different individuals and companies.

If you have used Protonmail in the past several months it is probable we have your Username/Password and your decrypted emails recorded on our own private server. We also have names, addresses (if entered), contact lists, IP addresses, and much more. We would not have been able to do this if Protonmail did not deliberately mis-configure their code to harm their own users. Incidentally, during this period we noticed that Protonmail sends decrypted user data to American servers frequently. This may be due to the Swiss MLAT treaty requiring Swiss companies reveal all their data to the Americans...