When Messaging Services are Vulnerable: The HipChat Case

VIPole
VIPole Secure Messaging and Collaboration
Apr 28, 2017


What’s the news?

HipChat, a messaging and collaboration app for teams, has notified its users that its database was breached, resulting in the leak of names, email addresses and passwords. In addition, metadata about the companies' groups in the service, including room names and room topics, may have been accessed by third parties. In less than 1% of instances, the content of messages may also have been compromised.

While 89 percent of organizations have experienced data breaches, and an alarming 60% of companies do not report data breaches at all, HipChat's Chief Security Officer published an official statement. The company has been transparent: it addressed the vulnerability immediately and is working with law enforcement authorities to investigate the case. HipChat users whose instances were not connected to the third-party library with the unpatched vulnerability were not affected, and other Atlassian-owned services, including Trello and Jira, are said to be safe. The question remains: what should you do to stay private and avoid any possibility of becoming a victim in a situation like this?

«Our Security Intelligence Team detected a security incident affecting a server in the HipChat Cloud web tier. We believe this incident may have resulted in unauthorized access to content from the HipChat.com service. Room metadata (including room name and room topic) may have also been accessed». — HipChat blog.

Is my data safe?

First, if you use HipChat, change your login details for the service, and for any other services where you use the same or a similar, easy-to-guess password. It is possible that the attackers gained access to messages and content in private chats. This applies to fewer than 0.05 per cent of instances, but nobody wants to be part of that percentage. In many cases, data obtained this way leads to further attacks, as the attackers check which other services the user is connected to. In some cases that means inconvenience and embarrassment; in others it may cost a career or money, or cause family scandals.

HipChat did not specify which flaw in the library the attackers exploited to reach the service's cloud server. The intruders may have obtained metadata about group chats, including room names and topics. As a HipChat user, and in general, be alert to phishing emails: when attackers need clues to someone's assets, they may try to collect additional information by fooling victims with fake messages that unwary users answer with their own data.

Data leaks of this kind are made worse because databases of credentials stolen earlier, combined with the newly obtained information, give attackers even broader opportunities to steal data and money. It is easy to cross-reference a name, a nickname or an email address to find more valuable information.

How to ensure safety

The information HipChat announced publicly is probably not entirely accurate. The distribution of the compromised data is strange: intruders accessed only part of the system, and only a small percentage of users were affected. The real cause may lie not in the allegedly compromised server but in a more complex problem, with data leaking gradually; for example, a vulnerable third-party library may have transmitted too much data to the client unchecked.

In VIPole, the message history of the users and teams that use the service cannot be accessed by unauthorized people because of the service architecture. Security is ensured by design, and only users themselves have access to their encryption keys. Brute-force decryption of sensitive information would take thousands of years; it is simply impractical. Obviously, it is still crucial to set strong passphrases. The Enterprise version of VIPole further reduces the risk of servers being compromised, since the corporate communication software is installed on premises and fully controlled in-house.

When security counts, use an app that encrypts all types of data end-to-end: during transmission, while stored locally on your device, and while stored on the server.

Why web-based chats make secure services vulnerable

HipChat is a web service, and web services are generally more vulnerable than applications with end-to-end security. Even where companies offer both an app and a web service, messengers that employ encryption become vulnerable in the web version. The recent case in which malware was spread together with images in WhatsApp is further proof of the sad truth that the HTTP protocol leaves too many loopholes for abuse. Attackers often take advantage of input validation flaws: when a photo or a video is transmitted, the transmitted code may contain malicious commands that run in the user's browser. Taking over a web-based service is not a hard thing to do.
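As an added illustration of the input validation the paragraph above alludes to (example code written for this page, not code from the original post, VIPole or HipChat), the snippet below shows two defensive checks a web chat renderer needs: message text is HTML-escaped before it reaches the page, and an uploaded attachment is accepted only when its leading bytes carry the magic number of the image type it claims. All function and field names are hypothetical.

```javascript
// Added example, not from the original post, VIPole or HipChat: a minimal
// defensive handler for a web chat. All names are hypothetical.
const ALLOWED_IMAGE_TYPES = {
  "image/png": [0x89, 0x50, 0x4e, 0x47],
  "image/jpeg": [0xff, 0xd8, 0xff],
  "image/gif": [0x47, 0x49, 0x46, 0x38],
};

// Accept an attachment only when its first bytes carry the magic number of the
// image type it claims, instead of trusting the client-supplied MIME type or name.
function isGenuineImage(declaredType, bytes) {
  const magic = ALLOWED_IMAGE_TYPES[declaredType];
  if (!magic || bytes.length < magic.length) return false;
  return magic.every((b, i) => bytes[i] === b);
}

// Escape the characters that let message text be read as markup when a
// renderer inserts it into the page as HTML.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Render one message: text is escaped, and an attachment is shown only if it
// passed the magic-number check. It is referenced by a server-assigned id,
// never by a client-supplied URL or file name.
function renderMessage(msg) {
  const body = `<p class="msg">${escapeHtml(msg.text)}</p>`;
  if (!msg.attachment) return body;
  const { declaredType, bytes, id } = msg.attachment;
  if (!isGenuineImage(declaredType, bytes)) {
    return body + '<p class="warn">attachment rejected</p>';
  }
  return body + `<img src="/attachments/${encodeURIComponent(id)}" alt="">`;
}

// Constructed sample: the text carries a script tag, and the attachment claims
// to be a PNG but starts with the bytes of "<!DO" (an HTML document).
const sample = {
  text: "<script>alert(1)</script> hi",
  attachment: { declaredType: "image/png", id: "a1", bytes: [0x3c, 0x21, 0x44, 0x4f] },
};

function demo() {
  return renderMessage(sample);
}

console.log(demo());
```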

Chatting via a web-based service is as risky as it is convenient. If you value your privacy and the confidentiality of your corporate data, use applications with end-to-end encryption that require installation. It takes more time, but one day it may save you when it turns out that your communication service provider used a third-party library with weak security protection. If you use a messaging app that also has a web version, you are safer inside the app on your device.

VIPole offers end-to-end encrypted messaging and collaboration solutions for teams and enterprises dealing with commercially or personally sensitive information, and individuals wishing to protect themselves from hackers, identity thieves and malware. More at www.vipole.com


Secure messaging, calling, file sharing and videoconferencing solutions for individuals, teams and enterprises. www.vipole.com