These are chat archives for ushahidi/Community

10th Apr 2018
Brad Anthony
@INTJ_Ape_twitter
Apr 10 2018 14:14
Hey community, I just found a potentially disastrous issue
A stock install of Ushi on our server at research.okap.io has been hijacked by a malicious party who is directing their subdomain at our IP. So our login page appears on their subdomain at http://login.plugemail.net/
Our security engineer is looking into it. Has anyone else seen this happening?
Ushbot
@ushbot
Apr 10 2018 14:19
[Angela Oduor Lungati, Ushahidi] Thanks for the heads up Brad...
[Angela Oduor Lungati, Ushahidi] Romina's tagging more folks to look into it
Brad Anthony
@INTJ_Ape_twitter
Apr 10 2018 14:20
I'll let you know if we find anything else. So far, the hosting company tech thinks the cloud instance was NOT hacked, but it could be the start of an attack
Brad Anthony
@INTJ_Ape_twitter
Apr 10 2018 14:26
Engineer says it's a server configuration issue, and not Ushi code. We're looking for fix options.
I'm just passing this on:
"Ushahidi could prevent it by implementing default security headers that OWASP provides. Set default to ON in their configuration / setup." Such as found here: https://securityheaders.io/
Ushbot
@ushbot
Apr 10 2018 14:31
[Angela Oduor Lungati, Ushahidi] Thanks Brad... this is helpful... Would you be able to open an issue for it here? https://github.com/ushahidi/platform/issues
Brad Anthony
@INTJ_Ape_twitter
Apr 10 2018 14:44
ushahidi/platform#2715
Ushbot
@ushbot
Apr 10 2018 14:50
[Angela Oduor Lungati, Ushahidi] Got it, thank you thank you!
Ushbot
@ushbot
Apr 10 2018 15:05
[Angela Oduor Lungati, Ushahidi] Hey Brad, issue's been triaged, we'll share an update as soon as it's been addressed.
[Brad] Super, thank you!
Ushbot
@ushbot
Apr 10 2018 16:33
[Will Doran, Ushahidi] Hey Brad, thank you so much for the issue and sharing the info with us. We’ve looked at securityheaders.io and I’ve written up a first pass. Next we’ll make it into an epic with an issue for each header. The other devs will reply to what I wrote and tear it apart, and then we’ll figure out how to implement each one and document where and why we do/don’t.
Thanks again!
Brad Anthony
@INTJ_Ape_twitter
Apr 10 2018 16:47
You're quite welcome. FYI I found this quite accidentally while doing a Google search for my Ushi instance and was quite surprised to see it coming up on someone else's domain. It may be prudent to include in the community update @aoduor some instructions on how deployment owners should check if their own installations have been affected.
Ushbot
@ushbot
Apr 10 2018 18:41
[Will Doran, Ushahidi] Yeah, we should link out once we’ve updated our docs