ColdFusion zero day used in web host hack

By

Hole patched.

ColdFusion zero day used in web host hack

A now patched zero-day Adobe ColdFusion vulnerability was used to steal source code and encrypted customer credit card numbers and passwords from US web host Linode.

The company revealed details in a blog in which it said it received two reports of fraud against affected cards, and poured cold water on rumour the private key was stored with the public key.

"As a result of the vulnerability, this group gained access to a web server, parts of our source code, and ultimately, our database," the company said.

"Our investigation reveals that this group did not have access to any other component of the Linode infrastructure, including access to the host machines or any other server or service that runs our infrastructure."

Adobe patched the vulnerability on 9 April and stated it could be exploited to impersonate an authenticated user and gain access to the ColdFusion administrator console.

Linode reset user passwords for its Linode Manager client despite that only the salts and hashes were stored in the breached database.

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia

Tags:

Most Read Articles

CBA using facial recognition logins to verify disputed payments

CBA using facial recognition logins to verify disputed payments

Qantas contacted by "potential cyber criminal"

Qantas contacted by "potential cyber criminal"

SA Power Networks tackles IAM, cloud security under five-year strategy

SA Power Networks tackles IAM, cloud security under five-year strategy

Qantas facing 'significant' data theft after cyber attack

Qantas facing 'significant' data theft after cyber attack

Log In

  |  Forgot your password?