26 November 2014

This is in response to the allegations made by the JoomLeaks actor in the mass email sent out to people who had created a user account on the JoomlaDonation site. For more information about this email please take a look at http://forum.joomla.org/viewtopic.php?f=714&t=866985

Executive summary: There is no compelling evidence that the JoomLeaks actor has compromised any site beyond JoomlaDonation itself. There is no compelling evidence that the JoomLeaks actor is able to bypass any security solution including but not limited to firewalls, malware scanners and Admin Tools. Our opinion based on the evidence presented until the time of this writing is that the JoomLeaks actor has engaged in a fear, uncertainty and doubt (FUD) campaign to discredit the JoomlaDonation developers and spread disinformation to the Joomla! community.

Situation overview

As JoomlaDonation's staff disclosed, their server was indeed compromised. The attacker (JoomLeaks) was able to acquire a copy of their database contents. The attacker has so far published semi-anonymised information from this database, namely full names and email addresses. He has said he is in possession of the hashed passwords and payment information, i.e. information which he could have easily found inside the JoomlaDonation site's database.

Furthermore he has sent the same form email to everyone who has ever created an account at JoomlaDonation EVEN IF THEY ARE NOT USING, AND HAVE NEVER USED, THE JOOMLADONATION EXTENSIONS ON THEIR SITES. The emails have been sent to the email addresses registered with the JoomlaDonation site, NOT any email addresses used by Super Users in the allegedly hacked sites.

Based on the aforementioned information we conclude that there is no compelling evidence that this person has hacked sites using JoomlaDonation's extensions, let alone bypassed any security solution (including Admin Tools). If he were actually capable of doing so he would have contacted only people who actually use JoomlaDonation's extensions instead of everyone who had ever created a user account on that site (even those who never used these extensions). Moreover, had he really infiltrated your sites with a remote shell he would have known the Super User's real name, username and email and would be contacting you at those email addresses instead of the contact information he retrieved from JoomlaDonation's database.

As a result we believe that the only site compromised so far is the JoomlaDonation site itself. The attacker got a copy of their database and has now set out on a fear, uncertainty and doubt (FUD) campaign to discredit the JoomlaDonation business and scare Joomla! users. There is no evidence whatsoever that he bypassed any security measure, or that he even knows the URLs of sites using JoomlaDonation extensions – something which is a trivial task for anyone who can use Google.

Regarding the allegations of security measures bypass

Regarding Admin Tools: just like any security solution, it is not perfect or bulletproof. It is designed to make it harder for attackers to exploit your site, within reasonable limits. For example, if you are using its .htaccess Maker, have enabled the front-end and back-end protection and have not allowed direct execution of arbitrary PHP files in any directory, you would be adequately protected against remote shells of the kind this person alleges he has installed on sites: a remote shell is a PHP file which needs direct web access, which is exactly what this feature prevents.
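To make the "no direct execution of arbitrary PHP files" idea concrete, here is an added illustration of the kind of Apache rule set that achieves it. This is not the .htaccess Maker's actual output and not Admin Tools code; it assumes a Joomla! site served from the web root with only index.php and administrator/index.php as legitimate PHP entry points, which is the assumption the front-end and back-end protection described above rests on.

```apache
# Added illustration (not the .htaccess Maker's real output). Assumes a Joomla!
# site at the web root whose only legitimate PHP entry points are index.php
# and administrator/index.php. Any other request for a PHP file is refused
# with 403, so a PHP file dropped into images/ or tmp/ (a typical remote
# shell location) cannot be executed by calling its URL.
RewriteEngine On
RewriteBase /

# Match requests for PHP files, including the alternative extensions Apache
# is often configured to hand to the PHP engine (php3..php7, phtml).
RewriteCond %{REQUEST_URI} \.ph(p[3-7]?|tml)$ [NC]
# ...except the two entry points Joomla! itself needs (front-end, back-end).
RewriteCond %{REQUEST_URI} !^/index\.php$ [NC]
RewriteCond %{REQUEST_URI} !^/administrator/index\.php$ [NC]
# Everything else: forbidden. No script is executed, nothing is revealed.
RewriteRule .* - [F]

# Belt and braces: even if mod_rewrite is disabled, refuse to serve PHP
# files from directories that should only ever hold uploads.
<IfModule mod_authz_core.c>
    RewriteRule ^(images|tmp|cache|logs)/.*\.ph(p[3-7]?|tml)$ - [F]
</IfModule>
```

An extension that legitimately needs its own PHP file called directly (the situation discussed below) must be added as a further RewriteCond exception, which is precisely the kind of exception that widens the attack surface.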

As for the attack vector, no information was provided and, in the absence of evidence corroborating the alleged hacks, we doubt that there was one. We can only talk about theoretical methods of compromising a site. If an extension requires direct web access to its PHP files, those files CAN be an attack vector which Admin Tools cannot protect you from: Admin Tools can only run inside Joomla!, not inside arbitrary files. Moreover, there are some kinds of attack, such as an extension being tricked into escalating its privileges or creating privileged (Administrator and Super User) accounts when supplied with valid data, which do not look like an attack at all. Neither Admin Tools nor any other kind of firewall can protect you against this kind of attack vector.

We have always told you that installing a security extension, no matter how good it is, won't make your site unhackable. There is no such thing as unhackable. There's only "harder to hack than the guy next door". All security measures you take on your site – including but not limited to the installation of security extensions – are steps towards this goal. Let us reiterate that security IS NOT something you install and forget, it's a process you follow. There is no single solution which is enough to mitigate every possible risk. Always keep your software up to date, not just Joomla! and its extensions but also your server environment. Always use both a security solution and a malware scanner (e.g. myJoomla.com). Always keep an eye out for abnormal behavior on your site. That's the only way to really be adequately safe.

What should you do?

Having a backup of your site stored on your local computer (preferably on more than one medium) is a great idea. It's also a good idea to change your hosting control panel password to something complex; better yet, use a password manager such as 1Password, KeePass, LastPass and so on. This way, even if your site is indeed compromised, you will still be able to get access to it and restore it to working order. It's probably a good time to carry out a security audit of your site as well. We recommend using the third-party myJoomla.com service to detect potentially malicious code and remove it from your site.