Apache.org hit by targeted XSS attack


The open-source Apache Software Foundation recently suffered a cross-site scripting (XSS) attack against its infrastructure that resulted in users' passwords being compromised.

The targeted attack allowed hackers to break into the server hosting Apache.org's issue and request tracking software, Atlassian JIRA, and steal encrypted passwords, the Apache Infrastructure team revealed in a blog post Tuesday. Hackers carried out the attack on April 5 by sending an error report to Apache and including a TinyURL link containing an XSS exploit. Several Apache administrators clicked on the link, compromising their sessions.

Encrypted passwords were ultimately stolen for users of the Apache-hosted JIRA issue tracking and project tracking software, Bugzilla bug tracking software, and Confluence enterprise collaboration and wiki software, Apache said.

“We believe the risk to simple passwords based on dictionary words is quite high, and most users should rotate their passwords,” the group said.

Along with the XSS attack, hackers simultaneously launched a brute-force attack against the JIRA login.jsp, attempting hundreds of thousands of password combinations. On April 6, the brute-force method was successful: hackers gained administrator privileges on a JIRA account and were able to browse and copy the file system.
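A brute-force run of that size against a single login endpoint is visible in ordinary web server access logs long before it succeeds. The following is an added example (not code from Apache, Atlassian or the article) showing one way a defender could flag it: it parses constructed Apache combined-format log lines and reports any source address that POSTs to the login page more than a threshold number of times inside a sliding time window. The log format, the `/jira/login.jsp` path, the sample addresses and the thresholds are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_login_bruteforce(lines, login_path="/jira/login.jsp",
                            threshold=5, window_seconds=60):
    """Return {ip: total_login_posts} for every source that POSTed to the login
    page more than `threshold` times within any `window_seconds` sliding window.

    Counting attempts rather than failures keeps the check independent of how
    the application reports a bad password (JIRA-style apps often answer 200).
    """
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith(login_path):
            attempts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        start = 0  # left edge of the sliding window
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


# Constructed sample log: one source hammers the login page seven times in
# under 30 seconds; a second source logs in normally twice, minutes apart.
BRUTE_SECONDS = (1, 4, 9, 13, 18, 22, 27)
SAMPLE_LOG = [
    f'203.0.113.10 - - [05/Apr/2010:10:00:{s:02d} +0000] '
    f'"POST /jira/login.jsp HTTP/1.1" 200 4312 "-" "Mozilla/5.0"'
    for s in BRUTE_SECONDS
] + [
    '198.51.100.7 - - [05/Apr/2010:10:00:05 +0000] '
    '"POST /jira/login.jsp HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Apr/2010:10:00:40 +0000] '
    '"GET /jira/secure/Dashboard.jspa HTTP/1.1" 200 9811 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Apr/2010:10:03:10 +0000] '
    '"POST /jira/login.jsp HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    'not a log line at all',
]

if __name__ == "__main__":
    for ip, count in detect_login_bruteforce(SAMPLE_LOG).items():
        print(f"brute-force suspected from {ip}: {count} login POSTs")
```

In production the same logic would run over a streaming tail of the access log or in the SIEM, with the window and threshold tuned to the site's normal login rate, and a hit would feed rate limiting or account lockout rather than only a report.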

“The attackers used this access to create copies of many users' home directories and various files,” Apache said.

Three days after the successful brute-force attack, hackers installed a file that collected and saved all passwords when users logged on. In addition, they sent password reset messages to Apache's infrastructure team, which successfully duped members into revealing their passwords. One of these stolen passwords allowed attackers to gain full root access to a machine that hosted Apache installs of JIRA, Bugzilla and Confluence.

Shortly after the password reset, Apache's infrastructure team caught wind of the attack and began shutting down services and moving them to a different machine. By Tuesday, Atlassian provided a patch for JIRA to prevent the XSS attack.

JIRA and Bugzilla have been back online since Saturday, but the Confluence wiki remains offline.

The Apache Software Foundation is a group that provides support for Apache's open-source software projects, including its popular web server.
