BeepNotepad++ Hijacked by State-Sponsored Hackers
HeyJoeYikes… i guess i am confused though. What data was being sent through this channel? What did they get from people while it happened and why did it take 2 months past them stopping it to finally make a release? I love the app, but this sounds really bad.
From my understanding: Basically the attackers could reply to your version check request (usually done automatically) and tell N++ that there were a new version available. If you then approved the update dialogue, N++ would download and execute the binary from the update link that the server sent you. But this didn’t necessarily need to be a real update, it could have been any binary since neither the answer to the update check nor the download link were verified by N++
Thats what i was thinking, but there is no mention on if this did happen and if it did what did was compromised or allowed to happen.
ryannathansHow would n++ devs know?
Expanding on this: the exploit was against their domain name, redirecting selected update requests away from the notepad++ servers. The software itself didn’t validate that the domain actually points to notepad++ servers, and the notepad++ update servers would not see any information that would tell them what was happening.
Likely they picked some specific developers with a known public IP, and only used this to inject those specific people with malware.
setVeryLoud(true);So the solution would have been an SSL certificate check on the client side.
Can’t tell if that would have helped
which could have allowed the malicious actors to redirect some of the traffic going to notepad-plus-plus.org/getDownloadUrl.php to their own servers
They could have just piped the binaries though the same server since they had this level of access. They would have had months to figure it out.
Oof, I thought it was just a DNS hijack. If they had access to the server, it’s game over regardless.
KissakiIt’s not game over regardless if the updater checks a signature of the update installer. Them it wouldn’t run an installer by someone else.
That’s true, assuming they didn’t also put their private keys on the server
As the hoster wrote this:
we immediately transferred all clients’ web hosting subscriptions from this server
It looks like the binaries and the update check script were put on a simple web space. If that is the correct conclusion to draw from this excerpt, then it’d be rather strange to have the keys on that server as it’s very unlikely that it was used to produce any builds.