Mibbit Hacked
Aug 14th
We write to report emerging news that parts of Mibbit (an AJAX IRC client service) have been hacked. The hack has since been confirmed by Mibbit’s official statement.
Because of the nature of Mibbit’s front end, your web browser cannot connect directly to IRC. Rather, it has to connect via a Mibbit back-end service, which then makes the connection for you. This is comparable in some ways to connecting via a dodgy Russian proxy. The intermediate party (Mibbit in this case, and a dodgy Russian in the case of the proxy) can view everything you transmit to IRC and do as they please with that data.
For you, as GeekShed users, this should flag up some major concerns. The first of these is that Mibbit appears to log all private messages. Mibbit has refuted these claims and stated that private messages are only logged when permission has been given by the user. GeekShed questions the legitimacy of this, as surely both parties should have to consent before their conversation is logged on a 3rd-party server. We can only assume that this includes the messages you sent to GeekShed’s services (NickServ, ChanServ, etc.) when registering and identifying to your nicknames and channels.
We are, as an immediate precaution, recommending that anyone who has registered their nickname, or ever identified to it, using Mibbit changes their password as soon as possible. If you are using the same password for other services such as Facebook, Twitter, e-mail, etc., we strongly suggest that you change those passwords as well, to avoid those accounts being compromised.
We also strongly suggest that our users stop using Mibbit at their earliest convenience. GeekShed offers a Flash alternative and also fully supports use of the lightirc client.
To change the password of your nickname, use the following command, when you are identified to that nickname:
/NS SET PASSWORD yournewpasshere
To change the password of your channel, use the following command, when you are identified to the channel founder’s nickname:
/CS SET PASSWORD yournewpasshere
If you have any questions, don’t hesitate to find us in #help.
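The reason an intermediary like Mibbit can read your passwords is that IRC carries the commands above as plain cleartext: /NS SET PASSWORD and /NS IDENTIFY are just PRIVMSG lines addressed to a service bot, and every hop between your browser and the server sees them. The following Python script is an added example (it is not GeekShed’s or Mibbit’s code) showing what a relay would be able to pick out of a session, and how a client could redact the same lines before writing its own log. The service names and command syntax (NickServ, ChanServ, IDENTIFY, REGISTER, SET PASSWORD) are assumed Anope-style conventions, and the session lines are constructed for the example.

```python
"""Find credential-bearing lines in a raw IRC session and redact them.

Added example, not part of the GeekShed post. Service names and command
syntax follow common Anope-style services (an assumption; adjust for yours).
"""
import re
from dataclasses import dataclass

# Service bots and the sub-commands that may carry a secret (assumed names).
CREDENTIAL_COMMANDS = {
    "nickserv": {"identify", "register", "set"},   # SET PASSWORD / SET PASSWD
    "chanserv": {"register", "set"},               # SET <#chan> PASSWORD
}
SERVICE_ALIASES = {
    "nickserv": "nickserv", "ns": "nickserv",
    "chanserv": "chanserv", "cs": "chanserv",
}

# Wire form used by /msg NickServ and most /NS client aliases:
#   [:prefix ]PRIVMSG NickServ :IDENTIFY secret
PRIVMSG_RE = re.compile(r"^(?::\S+\s+)?PRIVMSG\s+(\S+)\s+:(.*)$", re.IGNORECASE)
# Server-side alias offered by some ircds:  NICKSERV IDENTIFY secret
ALIAS_RE = re.compile(r"^(\S+)\s+(.*)$")


@dataclass(frozen=True)
class Finding:
    line_no: int
    service: str
    command: str
    redacted: str   # the same line with the secret hidden; safe to log


def _split_service_payload(line):
    """Return (service, head, payload) if ``line`` is a command to a service bot."""
    m = PRIVMSG_RE.match(line) or ALIAS_RE.match(line)
    if m is None:
        return None
    service = SERVICE_ALIASES.get(m.group(1).lower())
    if service is None:
        return None
    # ``head`` is everything before the payload, kept verbatim in the redaction.
    return service, line[:m.start(2)], m.group(2)


def classify(line, line_no=0):
    """Return a Finding if ``line`` carries a service credential, else None."""
    line = line.rstrip("\r\n")
    parsed = _split_service_payload(line)
    if parsed is None:
        return None
    service, head, payload = parsed
    words = payload.split()
    if not words:
        return None
    command, args = words[0].lower(), words[1:]
    if command not in CREDENTIAL_COMMANDS[service]:
        return None
    if command == "set":
        # Only SET PASSWORD / SET PASSWD carries a secret. Keep the words up to
        # and including the keyword (e.g. the channel name) and hide the rest.
        keep = next((i + 1 for i, w in enumerate(args)
                     if w.lower() in ("password", "passwd")), None)
        if keep is None:
            return None          # SET EMAIL, SET KILL, ... carry no secret
        shown = args[:keep]
    else:
        shown = []               # IDENTIFY / REGISTER: any argument may be the secret
    redacted = head + " ".join([words[0], *shown, "<redacted>"])
    return Finding(line_no, service, command, redacted)


def scan(lines):
    """Every credential-bearing line in the session, in order."""
    return [f for f in (classify(l, n) for n, l in enumerate(lines, start=1)) if f]


def redact(lines):
    """The whole session with secrets replaced, ready to be written to a log."""
    return [(classify(l) or None) and classify(l).redacted or l.rstrip("\r\n")
            for l in lines]


# Constructed sample of what a relay sees on the wire during one session.
SAMPLE_SESSION = [
    "NICK shedder",
    "USER shedder 0 * :GeekShed user",
    "PRIVMSG NickServ :IDENTIFY hunter2",
    "JOIN #help",
    "PRIVMSG #help :hi, is mibbit safe?",
    "PRIVMSG NickServ :SET PASSWORD N3w-Pass!",
    "NICKSERV SET EMAIL someone@example.invalid",
    "PRIVMSG ChanServ :SET #geekshed PASSWORD ChanS3cret",
    ":shedder!u@h PRIVMSG ChanServ :REGISTER #mychan initialpw A channel",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_SESSION):
        print(f"line {f.line_no}: {f.service} {f.command.upper()} -> {f.redacted}")
```

Run over a client or bouncer log, the findings tell you exactly which nicknames and channels had a password transit the relay and therefore need the SET PASSWORD treatment above; the redaction function is the client-side counterpart, so that a compromise of the machine holding the log does not also hand over every service password.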
Tonight’s Problems
Aug 1st
It’s been a rough few hours, and we are sorry for this. An exploit was found in a 3rd-party services module and used against us. It allowed the access lists of 2 channels to be corrupted. Although the flawed logic is fairly obvious from the code, it has gone unnoticed for almost 3 years, and we expect that many more IRC networks will be affected by it.
We will shortly carry out a full audit of all 3rd party modules to check for similar exploits in those. We are sorry for any inconvenience caused.