📆 March 30, 2018 📂 Zomato, 2FA, password manager

“The developer was using the same email and password combination on GitHub.” What can go wrong? Hell of a lot can go wrong.

Zomato confirms. You may know the company, they have acquired two Czech and Slovak companies in 2014. One of their developers has been using the same password for GitHub and for 000webhost too. And 000webhost's da­tabase was leaked online back in 2015, including plaintext passwords. You can still find and download the data, it's a public data now.

The Zomato developer was caught off guard and somebody has downloaded Zomato source code from GitHub by signing in with the password obtained from the 000webhost dump. By reading the source code, the attacker has identified a security vulnerability, wanted to report it to Zomato but was left ignored and desperate. So the attacker has decided to offer the data for sale. Not the greatest idea ever but desperate times call for desperate measures.

What can go wrong…

Teach your developers (and not just developers!) to use a password manager, and require them to use it. Screw meal vouchers, that's an employee benefit from the nineties. Offer your developers a password manager, prepay them their 1Password or something as great for 10 years ahead. Let them create their user accounts using their private emails so they can use the password manager even for their personal accounts. You can't really guarantee that developers will not reuse one of their passwords even when using a password manager, so you should also require a two-factor authentication (2FA) whenever possible. Just buy everyone a YubiKey, that's a small USB device that will help them 2FA.

YubiKey 4 Series

YubiKey 4 series, a USB security key

Developers, and not just them, belong to a “threat model” of your company (and your future). Even an office manager can use a password manager, we've tried that in one quite successful start-up building tools for API developers, owned by Oracle since 2017. Office managers and assistants have also access to quite important things and information, they can also send an email to their bosses, asking to pay this random invoice.

However, password managers do come with a risk but it's still much lower than if anyone reuses their password for multiple services. Password-Managers-as-a-Service are often a target for attackers (probably just like any other service), but with a good design it doesn't really matter that much. LastPass was successfully attacked several times but the attackers made it off with just encrypted blobs. They would need respective master passwords to unlock these and get to usable passwords. Your master password (or better a passphrase) should really be strong, long, and random, but on the other hand, it will be the only one, or one of just a few, that you'll have to remember.

But take OneLogin and their subpar design. OneLogin detected a security incident in May 2017 and they “cannot rule out the possibility that the threat actor also obtained the ability to decrypt data”, meaning the attacker had access to encryption keys as well, eh. You may have heard about OneLogin too, they acquired Portadi, a Czech company, in 2016.

I hear you, this cannot happen to you because your developers are the best. Of course they are, but it has also happened to a Mozilla developer, a privileged user, who had access to security-sensitive information such as a description of yet unpatched (at that time) security issues in Firefox. This user had reused their password with another website, and the password was revealed through a data breach at that site. Somebody had obtained the password and then a particularly nasty Firefox exploit was found in the wild in August 2015. The code was exploiting a vulnerability which was not patched back then, downloaded some development-related files which often contain passwords, and left no traces on victims' machines.

Think about it for a second, and do something. Thank you!

Michal Špaček

I build web applications and I'm into web application security. I like to speak about secure development. My mission is to teach web developers how to build secure and fast web applications and why.

Public trainings

Come to my public trainings, everybody's welcome:

PHP application security
(June 13–14, 2018 Praha)

HTTPS for developers and admins
(June 15, 2018 Praha)