Interception of encrypted traffic to jabber.ru and xmpp.ru recorded

The administrator of the Jabber server jabber.ru (xmpp.ru) has discovered an attack that intercepted users' traffic (MITM), carried out for between 90 days and 6 months in the networks of the German hosting providers Hetzner and Linode, which host the project's server and its VPS environment. The attack was arranged by redirecting traffic to a transit node that substituted the TLS certificate for XMPP connections encrypted using the STARTTLS extension.

The attack was detected thanks to a mistake by its organizers, who failed to renew the TLS certificate used for the substitution. On 16 October, the jabber.ru administrator received an error message saying the certificate had expired when trying to connect to the service, yet the certificate deployed on the server had not expired. It eventually turned out that the certificate received by the client differed from the one the server was sending. The first forged TLS certificate for jabber.ru had been obtained on 18 April 2023 through the Let's Encrypt service, where the attacker, being in a position to intercept traffic, was able to pass the domain-control validation for the jabber.ru and xmpp.ru sites.

At first it was assumed that the project server had been compromised and that the substitution was being performed on its side. However, a forensic examination revealed no trace of an intrusion. At the same time, the server's log showed a brief disconnection and reconnection of the network interface (NIC Link is Down / NIC Link is Up), which occurred on 18 July at 12:58 and could indicate manipulation of the server's connection to the switch. Notably, the forged TLS certificates had been created a few minutes earlier, on 18 July at 12:49 and 12:38.

Moreover, the substitution took place not only in the network of the provider Hetzner, which hosts the main server, but also in the network of the provider Linode, which hosts the VPS environment with auxiliary proxies that forward traffic from other addresses. Indirectly, it was established that traffic to port 5222 (XMPP STARTTLS) in the networks of both providers was being routed through an additional host, which gave reason to believe that the attack was carried out by someone with access to the providers' infrastructure.

In theory, the substitution could have been going on since 18 April (the date the first forged jabber.ru certificate was created), but confirmed cases of certificate substitution were recorded only between 21 July and 19 October. Throughout that period, encrypted data exchange with jabber.ru and xmpp.ru can be considered compromised. The substitution stopped after the investigation began, tests were carried out, and a request was sent to the support services of the providers Hetzner and Linode on 18 October. At the same time, the extra hop taken by network packets sent to port 5222 of one of the servers at Linode is still observed today, but the certificate is no longer being substituted.

It is assumed that the attack could have been carried out with the providers' knowledge at the request of law enforcement, as a result of a compromise of both providers' infrastructure, or by an employee who had access to both providers. With the ability to intercept and modify XMPP traffic, the attacker could gain access to all account-related data, such as message history stored on the server, and could also send messages on behalf of others and alter other people's messages. Messages sent using end-to-end encryption (OMEMO, OTR or PGP) can be considered uncompromised if the users on both sides had verified their encryption keys. Jabber.ru users are advised to change their passwords and check the OMEMO and PGP keys in their PEP storage for possible substitution.
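The detection method the article describes is, at bottom, a comparison between the certificate the client sees on the wire and the certificate the server actually serves. The following is an added example (not code from the original article or from the jabber.ru project) of a defender-side probe that negotiates XMPP STARTTLS on port 5222 by hand, retrieves the certificate presented to the client, and checks its SHA-256 fingerprint against a pinned list. The pin values in `EXPECTED_PINS`, the function names, and the sample DER bytes used in the comments are constructed placeholders, not real jabber.ru fingerprints.

```python
# Added example, not from the original article or the jabber.ru project.
# A STARTTLS certificate-pinning probe for an XMPP server on port 5222.
# Chain validation is deliberately disabled in probe(): in the incident
# above the forged certificates were issued by Let's Encrypt, so normal
# validation would have passed, and only the pin comparison is meaningful.
import hashlib
import hmac
import re
import socket
import ssl

XMPP_PORT = 5222                                  # port named in the article
STARTTLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"   # RFC 6120 STARTTLS namespace

# Constructed placeholder pins (hex SHA-256 of the DER certificate), one list per domain.
EXPECTED_PINS = {
    "jabber.ru": ["0000000000000000000000000000000000000000000000000000000000000000"],
}


def stream_header(domain: str) -> bytes:
    """Opening <stream:stream> element a client sends to start an XMPP session."""
    return (
        "<?xml version='1.0'?>"
        f"<stream:stream to='{domain}' xmlns='jabber:client' "
        "xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"
    ).encode()


def starttls_offered(features: str) -> bool:
    """True if the server's <stream:features> advertises STARTTLS.
    The stream root is never closed, so a regex is used rather than an XML parser."""
    pattern = r"<starttls\b[^>]*xmlns=['\"]" + re.escape(STARTTLS_NS) + r"['\"]"
    return re.search(pattern, features) is not None


def starttls_request() -> bytes:
    return f"<starttls xmlns='{STARTTLS_NS}'/>".encode()


def proceed_received(reply: str) -> bool:
    """True only for <proceed/>; a <failure/> or anything else aborts the upgrade."""
    return re.search(r"<proceed\b", reply) is not None and "<failure" not in reply


def fingerprint_sha256(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def normalize_pin(pin: str) -> str:
    """Accept 'AB:CD:..' or 'abcd..' spellings of a fingerprint."""
    return pin.lower().replace(":", "").replace(" ", "")


def is_pinned(der: bytes, pins) -> bool:
    """Constant-time comparison of the observed fingerprint against every pin."""
    observed = fingerprint_sha256(der)
    return any(hmac.compare_digest(observed, normalize_pin(p)) for p in pins)


def _read_until(sock, marker: bytes, limit: int = 65536) -> bytes:
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def probe(domain: str, host: str, pins, port: int = XMPP_PORT, timeout: float = 10.0):
    """Connect, negotiate STARTTLS, and return (fingerprint, pinned) for the
    certificate presented on the wire from this vantage point."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(stream_header(domain))
        features = _read_until(sock, b"</stream:features>").decode(errors="replace")
        if not starttls_offered(features):
            raise RuntimeError("server did not offer STARTTLS")
        sock.sendall(starttls_request())
        reply = _read_until(sock, b"/>").decode(errors="replace")
        if not proceed_received(reply):
            raise RuntimeError(f"STARTTLS refused: {reply!r}")
        ctx = ssl.create_default_context()
        ctx.check_hostname = False          # we want the cert even if it is not trusted
        ctx.verify_mode = ssl.CERT_NONE
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            der = tls.getpeercert(binary_form=True)
    return fingerprint_sha256(der), is_pinned(der, pins)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "jabber.ru"
    fp, ok = probe(target, target, EXPECTED_PINS.get(target, []))
    print(f"{target}: sha256={fp} pinned={'yes' if ok else 'NO'}")
```

Run the probe from several networks (the server's own host, a VPS at another provider, a residential line) and compare the fingerprints: a mismatch between vantage points is exactly the symptom seen here, where the client received a different certificate from the one the server was sending. Pair this with Certificate Transparency monitoring for the domain, since a forged certificate issued by a public CA shows up in CT logs long before it expires and triggers an error.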

Source: budenet.ru
