Hackers left Adobe source code sitting on unprotected server

Filed Under: Adobe, Data loss, Featured, Security threats

Source code, image courtesy of ShutterstockAdobe's source code - the code for flagship products behind an über nasty breach the company reported on 3 October - turns out to have been parked on an unprotected hackers' server, open to the internet, IDG News Service's Jeremy Kirk reports.

The breach involved 2.9 million encrypted customer credit card records.

(Whatever that means; see Paul Ducklin's deep dive on what evils the breach might have spawned and what a low-information term "encrypted" actually is.)

Adobe was already looking into the breach when Hold Security's Deep Web Monitoring Program independently discovered source code for the company's flagship products - Reader, Publisher and ColdFusion - on the server of a hacker gang.

The hacker gang was previously known for breaching LexisNexis, Kroll, NW3C, and many other sites, as security journalist Brian Krebs reported on 13 September.

Hold Security says it found over 40GB in encrypted archives on the hackers' server, containing what looked like source code of such products as Adobe Acrobat Reader, Adobe Acrobat Publisher, and the Adobe ColdFusion line of products.

Adobe had already confirmed on 2 October that its source code had, in fact, been breached.

Adobe reset all passwords after it reported on 3 October that customers' data had been breached and that login and credit card data had probably been stolen.

When it posted about the discovery - also on 3 October - Hold Security said that the breach "poses a serious concern to countless businesses and individuals" and raises the possibility that the disclosure of encryption algorithms, other security schemes and possibility vulnerabilities in the source code might have opened "a gateway for [a] new generation of viruses, malware, and exploits."

Maybe, maybe not, as Paul Ducklin's deep dive into the new-gateway premise suggests.

Having the source code might save malicious types some time when it comes to disassembling executable files to find out what they do, particularly with the help of fully commented code, original variable names, and maybe even some helpful notes from programmers, Paul wrote, but gnarly exploits can be found without source code, and holes can gape for a long time before anybody notices, even in open source products.

Source code, image courtesy of Shutterstock At any rate, hopefully, given the lack of protection they put on the source code, the hackers who stole Adobe's code won't prove to be very adept at exploiting it.

Alex Holden, chief information security officer of Hold Security, told Kirk that the code "was hidden, but it was not cleverly hidden."

Holden was able to analyze the server's directory, he said, to find a directory with the abbreviation "ad." It was filled with "interesting" file names, he told IDG, including encrypted ."rar" and ".zip" files.

In fact, the server was holding data stolen from other companies that have been notified that the gang may have victimized them. The gang was using the server to stash data stolen from the data aggregators - LexisNexis, Dunn & Bradstreet, and Kroll Background America, for example.

Kirk reports that the gang speaks Russian, is still active, and hasn't yet been named.

We may be looking at more announcements coming from the companies whose data was found on the server, Kirk reports, if the companies choose, or are compelled by legal requirement, to do so.

Image of program code and source code courtesy of Shutterstock

You might like

One Response to Hackers left Adobe source code sitting on unprotected server

  1. akshay · 284 days ago

    nice

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.