Original URL: http://www.theregister.co.uk/2013/04/08/sourceforge_defacement/

'1337 hacker' scrawls all over careless coders' SourceForge sites

'If others did this, they might not have been so nice'

By John Leyden

Posted in Developer, 8th April 2013 09:43 GMT

Someone claiming to be a "1337 hacker" has defaced programming projects hosted by SourceForge.net

Web pages for the network utility Angry IP Scanner and other open-source software hosted by the online coding vault were altered by the infiltrator. The individual responsible claimed the websites were "hacked" using a "backdoor", and darkly warned he or she could have supposedly caused far worse damage.

Each vandalised site read:

This is a project whose homepage has been hacked with the SourceForge backdoor by a 1337 hacker! It is extremely lucky because this message is the only change I did. After I found this backdoor, I, being nice, added this message to some SourceForge-hosted sites to warn them, instead of maliciously dropping their tables.

Scary stuff, you'll no doubt agree.

The truth is rather mundane: in a blog post, SourceForge's operators said each affected project had files that could be accessed by anyone on the web (rw-r--r-- in Unix parlance) and that these documents contained usernames and passwords for editing the project. Thus, anyone who knew where to look on a project's website could find, use and expose these sensitive credentials.

The SourceForge staff explained:

Upon investigating we found that the affected projects had configuration files (which contained database usernames and passwords) that were world readable. In other words, anyone looking in the right place could get these usernames and passwords and have direct access to the database.

Someone claiming to the "1337 hacker" commented on the SourceForge blog: "After checking 850 projects, I've hacked 44, but you were lucky. I did this to notify the project owners so that they would fix the issue. "If other hackers did this, they might not have been so nice. They might plant malicious scripts or even just drop your data for fun."

Arguably, SourceForge should consider ensuring that no world-readable files are created by default. However, coders must carry a large part of the blame for not picking the right permissions.

SourceForge, which hosts more than 320,000 projects, explains how to set proper file permissions here. It also explains how to reset project database passwords. ®