Lemmy.World

XMPP (Jabber) instant messaging protocol encrypted TLS connection wiretapping (Man-in-the-Middle attack) of jabber.ru (aka xmpp.ru) service’s servers on Hetzner and Linode hosting providers in Germany. The attacker has issued several new TLS certificates using Let’s Encrypt service which were used to hijack encrypted STARTTLS connections on port 5222 using transparent MiTM proxy. The attack was discovered due to expiration of one of the MiTM certificates, which haven’t been reissued.

cross-posted from: https://links.hackliberty.org/post/241632

Security researchers have discovered what they believe may be a government attempt to covertly wiretap an instant messaging service in Germany — an attempt that was blown because the potential intercepting authorities failed to reissue a TLS certificate.

The suspected man-in-the-middle attack was identified when the administrator of jabber.ru, the largest Russian XMPP service, received a notification that one of the servers’ certificates had expired.

However, jabber.ru found no expired certificates on the server — as explained in a blog post by ValdikSS, a pseudonymous anti-censorship researcher based in Russia who collaborated on the investigation.

The expired certificate was instead discovered on a single port being used by the service to establish an encrypted Transport Layer Security (TLS) connection with users. Before it had expired, it would have allowed someone to decrypt the traffic being exchanged over the service.

The wiretap is believed to have lasted for up to 6 months, from April 18 through to October 19, although the researchers were only able to confirm 90 days of actual interception. “All jabber.ru and xmpp.ru communications between these dates should be assumed compromised,” wrote ValdikSS.

“Given the nature of the interception, the attacker have been able to execute any action as if it is executed from the authorized account, without knowing the account password. This means that the attacker could download account's roster, lifetime unencrypted server-side message history, send new messages or alter them in real time,” they added.

The researchers said they do not believe that the servers were hacked by criminals, but were reconfigured to facilitate the wiretapping as a result of a government request. “We believe this is lawful interception Hetzner and Linode were forced to setup,” ValdikSS wrote, referencing the hosting providers in Germany.

Security researchers have discovered what they believe may be a government attempt to covertly wiretap an instant messaging service in Germany — an attempt that was blown because the potential intercepting authorities failed to reissue a TLS certificate.

The suspected man-in-the-middle attack was identified when the administrator of jabber.ru, the largest Russian XMPP service, received a notification that one of the servers’ certificates had expired.

However, jabber.ru found no expired certificates on the server — as explained in a blog post by ValdikSS, a pseudonymous anti-censorship researcher based in Russia who collaborated on the investigation.

The expired certificate was instead discovered on a single port being used by the service to establish an encrypted Transport Layer Security (TLS) connection with users. Before it had expired, it would have allowed someone to decrypt the traffic being exchanged over the service.

The wiretap is believed to have lasted for up to 6 months, from April 18 through to October 19, although the researchers were only able to confirm 90 days of actual interception. “All jabber.ru and xmpp.ru communications between these dates should be assumed compromised,” wrote ValdikSS.

“Given the nature of the interception, the attacker have been able to execute any action as if it is executed from the authorized account, without knowing the account password. This means that the attacker could download account's roster, lifetime unencrypted server-side message history, send new messages or alter them in real time,” they added.

The researchers said they do not believe that the servers were hacked by criminals, but were reconfigured to facilitate the wiretapping as a result of a government request. “We believe this is lawful interception Hetzner and Linode were forced to setup,” ValdikSS wrote, referencing the hosting providers in Germany.

TL;DR: we have discovered XMPP (Jabber) instant messaging protocol encrypted TLS connection wiretapping (Man-in-the-Middle attack) of jabber.ru (aka xmpp.ru) service’s servers on Hetzner and Linode hosting providers in Germany. The attacker has issued several new TLS certificates using Let’s Encrypt service which were used to hijack encrypted STARTTLS connections on port 5222 using transparent MiTM proxy. The attack was discovered due to expiration of one of the MiTM certificates, which haven’t been reissued. There are no indications of the server breach or spoofing attacks on the network segment, quite the contrary: the traffic redirection has been configured on the hosting provider network. The wiretapping may have lasted for up to 6 months overall (90 days confirmed). We believe this is lawful interception Hetzner and Linode were forced to setup.

We believe this is lawful interception Hetzner and Linode were forced to setup.

cross-posted from: https://asocial.thedroth.rocks/post/1825940

Самое милое, что атаку произвели не какие-то невнятные хакеры, а непосредственно Хетцнер. Всё, что нужно знать о надёжности европейских контор, ящитаю.

cross-posted from: https://radiation.party/post/138500

[ comments | sourced from HackerNews ]

This is such a great write up! I've definitely learnt something new today!

There is a discussion on Hacker News, but feel free to comment here as well.