
Here's my semi-educated guess for how the attack started: from casual observation (view source, URLs ending with .action, etc) a good chunk of the ADC is written in Java and uses WebWork/Struts2, a framework I helped create years ago.

Late last week a security advisory came out that allows for executing malicious code[1]. Atlassian, which uses similar technology, also issued announcements around the same time[2]. My wild speculation is this was the attack vector.

Sadly, I feel some responsibility for this pretty major security hole. There have been a few like this and they are all rooted in the fact that almost 9 years ago I made the (bad) decision to use OGNL as WebWork's expression language. I did so because it was "powerful" but it opened up all sorts of extra binding trickery I never intended. I haven't been contributing to the project in 5+ years, but this is a good reminder how technology choices tend to stick around a lot longer than you ever imagine :)

[1] http://struts.apache.org/release/2.3.x/docs/s2-016.html [2] https://confluence.atlassian.com/display/BAMBOO/Bamboo+Secur...
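Added example, not part of the comment above or of any Struts/Atlassian code: a small access-log check for the S2-016 request pattern the advisory in [1] describes (parameter names prefixed with `action:`, `redirect:` or `redirectAction:` that carry an OGNL expression). The prefix list comes from that advisory; the log format, paths and all sample lines are constructed for this example.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Parameter-name prefixes that Struts 2.0.0 - 2.3.15 evaluated as OGNL (Apache advisory
# S2-016, fixed in 2.3.15.1). Everything below is constructed for this example.
DANGEROUS_PREFIXES = ("redirect:", "redirectAction:", "action:")
OGNL_MARKER = re.compile(r"[$%]\{")   # OGNL expressions are written ${...} or %{...}
ACTION_SUFFIX = ".action"             # Struts2 action URLs, as the comment notes for the ADC

# Apache combined-log style request line (constructed format, not a specific product's).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def suspicious_params(url):
    """Decoded parameter names that carry an S2-016 prefix AND an OGNL expression.
    A bare 'redirectAction:someAction' is legitimate Struts2 usage and is not flagged."""
    parsed = urlparse(url)
    if not parsed.path.endswith(ACTION_SUFFIX):
        return []
    return [name for name, _ in parse_qsl(parsed.query, keep_blank_values=True)
            if name.startswith(DANGEROUS_PREFIXES) and OGNL_MARKER.search(name)]

def scan_access_log(text):
    """One alert dict per request whose query string looks like an S2-016 probe."""
    alerts = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not request records
        hits = suspicious_params(m["url"])
        if hits:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "url": m["url"], "params": hits})
    return alerts

# Constructed sample log: one benign login, one OGNL probe, one normal redirectAction use,
# and an OGNL-looking value on a non-Struts URL (must not fire).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jul/2013:03:14:07 +0000] "GET /account/login.action HTTP/1.1" 200 5120
10.0.0.7 - - [18/Jul/2013:03:15:22 +0000] "GET /account/login.action?redirect:%24%7B1%2B1%7D HTTP/1.1" 302 0
10.0.0.9 - - [18/Jul/2013:03:16:01 +0000] "POST /profile/save.action?redirectAction:listProfiles HTTP/1.1" 302 0
10.0.0.9 - - [18/Jul/2013:03:16:40 +0000] "GET /static/logo.png?v=%24%7B2%7D HTTP/1.1" 200 8841
"""

if __name__ == "__main__":
    for a in scan_access_log(SAMPLE_LOG):
        print(a["ts"], a["ip"], a["url"], a["params"])
```

On the sample log only the second line fires; the plain `redirectAction:listProfiles` request and the `${...}` value on a non-`.action` URL are left alone, which keeps the check from flooding on normal Struts2 traffic.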




technology choices tend to stick around a lot longer than you ever imagine :)

It amazes me how true this is. I've learned that assertions such as "this is a mockup and should be replaced ASAP for reasons X Y Z" tend to get ignored by inheritors of proofs-of-concepts for as long as (or longer than) possible. My coworkers wonder why now I fight tooth-and-nail to (from their perspective) over-engineer things from the start; I know that short-sighted decisions will never be revisited until it's too late.


This is the biggest reason that I hate all of the "go fast and break things" culture around here. There has to be a balance, but big names and investors don't seem to be encouraging them.


So what you're saying is that it's your fault that I can't update my provisioning profile? No just kidding--Honestly, while you may feel responsible, the project has been up and running for a while. The current maintainers are responsible for the bugs that show up regardless of who designed the original code base. Definitely appreciate you shedding light on the situation since Apple hasn't really given us too much information.


Both are responsible, and responsibility can add up to more than 100%.


I think we, as a society, are ultimately to blame.


I think the universe, as quantistic thus probabilistic, is lastly to blame.


I think the human being, as imperfect, is finally to blame.


Are you people out of your mind? The person responsible for this is the unethical human being (or organization) that decided to abuse that security hole and use it to steal our information. Not the engineers, not Apple.

When you see an old lady walking alone in the dark, do you steal her purse because she did not protect herself well enough? I'm sure you don't... So please, don't overcomplicate things.


So when you entrust your belongings to a storage company, and they leave the doors unlocked and your stuff gets stolen, do you get mad at the thief? Or do you demand better security from your storage company?


The timing of this looks right: Struts 2.3.15.1 was released on 7/16/13, and developer.apple.com went down on 7/18/13 for "maintenance". Plenty of time for an enterprising black hat to notice and exploit the vulnerability.



