
How Patreon (probably) got hacked – Publicly exposed Werkzeug Debugger - jsnathan
http://labs.detectify.com/post/130332638391/how-patreon-got-hacked-publicly-exposed-werkzeug
======
fransr
I was pretty divided into publishing this, mostly because I know the people
over at Patreon are really doing a great job around security in general and I
didn't want to bring more gasoline to the fire. (Is that a working proverb?)

However, due to the fact that there have been posts around publicly available
Werkzeug Debuggers before and also the fact that there are so many still out
there, I still decided to do it.

Also worth noting that Shodan.io even crawled this host when the instance
actually launched the Debugger directly upon visiting it. This made it
extremely easy for an attacker to actually exploit this vulnerable endpoint
only by visiting the domain. Visit domain -> Werkzeug Debugger -> "[console
ready]" -> RCE.
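The chain described above (a response that is the debugger page, and a "[console ready]" banner when the interactive console is up) leaves recognisable strings in HTTP responses, which is what a defender can inventory against. The script below is an added example, not code from this thread, from Patreon or from the Werkzeug project; the sample responses are constructed, the host names are placeholders, and the marker list is limited to strings the debugger's pages actually contain (its `<title>`, the `__debugger__=yes` resource parameter, the console banner and the `EVALEX` flag).

```python
import re
from dataclasses import dataclass, field

# Strings the Werkzeug debugger's HTML/JS emits. The title is on every
# debugger page, "__debugger__=yes" is the query parameter its resources are
# fetched with, "[console ready]" is the banner of the interactive console,
# and EVALEX is the flag that enables code evaluation in the page.
MARKERS = {
    "title": re.compile(r"Werkzeug Debugger"),
    "debugger_param": re.compile(r"__debugger__=yes"),
    "console_banner": re.compile(r"\[console ready\]"),
    "evalex": re.compile(r"\bEVALEX\s*=\s*true\b"),
}


@dataclass
class Finding:
    host: str
    status: int
    markers: list = field(default_factory=list)
    # True when the console banner or EVALEX flag is present: that is an
    # exposed code-execution surface, not merely a verbose traceback.
    interactive: bool = False


def classify(body: str) -> list:
    """Return the names of the debugger markers present in a response body."""
    return [name for name, rx in MARKERS.items() if rx.search(body)]


def scan(responses) -> list:
    """Flag every (host, status, body) triple that looks like a debugger page."""
    findings = []
    for host, status, body in responses:
        hits = classify(body)
        if not hits:
            continue
        interactive = "console_banner" in hits or "evalex" in hits
        findings.append(Finding(host, status, hits, interactive))
    return findings


# Constructed sample responses (placeholder hosts, not real captures).
SAMPLE_RESPONSES = [
    ("dev-01.example.test", 500,
     "<html><head><title>ZeroDivisionError // Werkzeug Debugger</title>"
     '<link href="?__debugger__=yes&amp;cmd=resource&amp;f=style.css">'
     "<script>var CONSOLE_MODE = false, EVALEX = true;</script></head></html>"),
    ("dev-02.example.test", 200,
     "<html><head><title>Console // Werkzeug Debugger</title></head>"
     '<body><div class="console">[console ready]</div></body></html>'),
    ("www.example.test", 200,
     "<html><head><title>Welcome</title></head><body>Hello</body></html>"),
    ("api.example.test", 500,
     "<html><body><h1>Internal Server Error</h1></body></html>"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RESPONSES):
        level = "CRITICAL" if f.interactive else "HIGH"
        print(f"{level}: {f.host} (HTTP {f.status}) markers={f.markers}")
```

Run it over the bodies of your own external-perimeter HTTP sweep (or a Shodan export, as the post mentions the host had been crawled); a plain 500 page without these markers is noisy but not the same class of finding as a host whose response carries the console banner.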

~~~
21echoes
As an employee of Patreon, we totally respect this decision. If other
companies can learn from our mistakes (and, hopefully, our successes in
encryption, disclosure, etc.), then that seems like the best thing that can
come out of this.

While we were very aware of the dangers of the debugger, we ran with it anyway
on our development servers because we were confident our development instances
were behind our VPN, and the debugger is quite useful for... you know,
debugging :D This server slipped through the cracks, and we were not fast
enough to pull it back in.

What's definitely most upsetting are articles like this
[http://arstechnica.com/security/2015/10/patreon-was-warned-of-serious-website-flaw-5-days-before-it-was-hacked/](http://arstechnica.com/security/2015/10/patreon-was-warned-of-serious-website-flaw-5-days-before-it-was-hacked/)
that were posted in response to your write-up which state that it was our
production server which was compromised, and other inaccurate data.
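The failure mode in the comment above is a policy ("debugger only on dev boxes behind the VPN") that was enforced by convention rather than by the code that starts the server. One way to make the server itself refuse that configuration is a small guard around Flask's `app.run()`. This is an added example, not Patreon's code or anything from the thread; `guarded_run` and `DEFAULT_ALLOWED` are names chosen here, and the allowed-network list is an assumption a team would replace with its own VPN range.

```python
import ipaddress

# Networks from which reaching an interactive debugger is considered
# acceptable. Loopback only by default; a team that keeps dev servers behind
# a VPN would add that VPN's address range here (assumed, not a real range).
DEFAULT_ALLOWED = ("127.0.0.0/8", "::1/128")


def debugger_allowed(bind_host: str, debug: bool, allowed=DEFAULT_ALLOWED) -> bool:
    """Decide whether starting with the Werkzeug debugger on this bind address is acceptable."""
    if not debug:
        return True  # no debugger, nothing to guard
    if bind_host in ("0.0.0.0", "::"):
        return False  # every interface: reachable from wherever the host is
    try:
        addr = ipaddress.ip_address(bind_host)
    except ValueError:
        return False  # a hostname may resolve to a public interface; refuse
    return any(addr in ipaddress.ip_network(net) for net in allowed)


def guarded_run(app, host="127.0.0.1", port=5000, debug=False, allowed=DEFAULT_ALLOWED):
    """Wrap Flask's app.run(): refuse to bring up the debugger on a non-allowed address."""
    if not debugger_allowed(host, debug, allowed):
        raise RuntimeError(
            f"refusing to start with debug=True bound to {host}; "
            "the Werkzeug debugger gives code execution to anyone who can reach it"
        )
    app.run(host=host, port=port, debug=debug)
```

The guard fails closed on hostnames on purpose: whether `dev.internal` resolves to a VPN-only address or to a public one is exactly the kind of thing that "slips through the cracks", so it is cheaper to require a literal address than to trust resolution.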

~~~
fransr
Thanks for the reply. I actually contacted Dan to clarify that specific
statement. My guess is that he misunderstood "publicly available host" with
production.

------
piquadrat
> Unfortunately there are thousands of publicly available instances of
> Werkzeug out there and each and every one of them should take proper
> mitigation actions as if they have already been exploited.

This should probably say "publicly available instances of the Werkzeug
debugger". Werkzeug without the debugger is perfectly safe AFAIK.

~~~
fransr
Thanks, will change that!

