ColdFusion zero day used in web host hack

By

Hole patched.

ColdFusion zero day used in web host hack

A now patched zero-day Adobe ColdFusion vulnerability was used to steal source code and encrypted customer credit card numbers and passwords from US web host Linode.

The company revealed details in a blog in which it said it received two reports of fraud against affected cards, and poured cold water on rumour the private key was stored with the public key.

"As a result of the vulnerability, this group gained access to a web server, parts of our source code, and ultimately, our database," the company said.

"Our investigation reveals that this group did not have access to any other component of the Linode infrastructure, including access to the host machines or any other server or service that runs our infrastructure."

Adobe patched the vulnerability on 9 April and stated it could be exploited to impersonate an authenticated user and gain access to the ColdFusion administrator console.

Linode reset user passwords for its Linode Manager client despite that only the salts and hashes were stored in the breached database.

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia

Tags:

Most Read Articles

India's alarm over Chinese spying rocks CCTV makers

India's alarm over Chinese spying rocks CCTV makers

Woolworths' CSO is Optus-bound

Woolworths' CSO is Optus-bound

Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies

Cyber companies hope to untangle weird hacker codenames

Cyber companies hope to untangle weird hacker codenames

Log In

  |  Forgot your password?