HipChat has suffered an #infosec incident

https://blog.hipchat.com/2017/04/24/hipchat-security-notice/

They're blaming a "third party library" but, -extremely- annoyingly, have neglected to state which library it is - so be prepared to keep an eye out for other services having incidents in the future, if this isn't a case of HipChat having used something catastrophically out of date.

@munin It's always extlibs. It's never their own code.

Unless they're naming names, I doubt it actually was an extlib, or if it was, it was something out of date by a considerable margin (very possible, GS had ancient extlibs from the PHP4 era before I updated them in pA).

That said, being paranoid never hurt anyone, when it came to this kind of thing.

@maiyannah It ain't paranoia if the potential threat's real...

I'm hoping it's just outdated OpenSSL or whatever, which, well, shame on Atlassian but at least the damage is contained.

If it is a recent third party library, though, this may well get ugly.

@munin I didn't know they were owned by Atlassian. Er, yeah, they have a history of using some dated libraries. Still, I wish they'd named names so we could at least go over that library to see if the current issue has the vuln.

@maiyannah Exactly. So now it's a question of hunt-the-wumpus to figure out which libraries have the horror in it :-/