Mibbit Hacked
We are writing to report emerging news that parts of Mibbit (an AJAX IRC client service) have been hacked. Mibbit’s own official statement corroborates that the hack took place.
Because of the nature of Mibbit’s front end, your web browser cannot connect directly to IRC. Rather, it has to connect via a Mibbit back-end service in order to make a connection. This is comparable in some ways to connecting via a dodgy Russian proxy. The intermediate party (Mibbit in this case, and a dodgy Russian in the case of the proxy) can view all transmissions made to IRC and do as they please with that data.
For you, as GeekShed users, this should flag up some major concerns. The first of these is that Mibbit appears to log all private messages. Mibbit has refuted these claims and stated that private messages are only logged when permission has been given by the user. GeekShed questions the legitimacy of this, as surely both parties should have to consent before their conversation is logged on a third-party server. We can only assume that this includes messages you sent to GeekShed’s services (NickServ, ChanServ, etc.) when registering and identifying to your nicknames and channels.
As an immediate precaution, we recommend that anyone who has registered their nickname, or ever identified to it, using Mibbit changes their password as soon as possible. If you use the same password for other services such as Facebook, Twitter, e-mail, etc., we strongly suggest that you change those passwords as well, to avoid those accounts being compromised.
We also strongly suggest that our users cease to use Mibbit at their earliest convenience. GeekShed offers a Flash alternative and also fully supports use of the lightirc client.
To change the password of your nickname, use the following command, when you are identified to that nickname:
/NS SET PASSWORD yournewpasshere
To change the password of your channel, use the following command, when you are identified to the channel founder’s nickname:
/CS SET PASSWORD yournewpasshere
If you have any questions, don’t hesitate to find us in #help.
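To make concrete what the post means by "the intermediate party can view all transmissions", the following is an added example (it is not GeekShed's or Mibbit's code). It parses raw IRC lines the way a relay sees them, names the ones that carry a credential (server PASS, OPER, and NickServ/ChanServ IDENTIFY, REGISTER, GHOST, RECOVER and SET PASSWORD, including the two commands above), and shows the redaction a relay would have to apply before writing such a line to any log. The session transcript is constructed, and the command names are the ones commonly deployed by IRC services; the verb list and the redaction policy are assumptions, not Mibbit's behaviour.

```python
"""Added example: what an IRC relay sees on the wire, and log redaction.

Not from the GeekShed post or Mibbit. Sample session lines are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Services addressed by nick (PRIVMSG NickServ ...) or by server alias (NS/CS ...).
SERVICE_NICKS = {"nickserv": "NickServ", "chanserv": "ChanServ"}
SERVICE_ALIASES = {"NICKSERV": "NickServ", "NS": "NickServ",
                   "CHANSERV": "ChanServ", "CS": "ChanServ"}
# Service verbs whose arguments include a password (assumed common set).
SECRET_VERBS = {"IDENTIFY", "REGISTER", "GHOST", "RECOVER"}
SECRET_VERB_RE = re.compile(
    r"\b(?:IDENTIFY|REGISTER|GHOST|RECOVER|SET(?:\s+\S+)?\s+PASSWORD)\b",
    re.IGNORECASE)


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: List[str] = field(default_factory=list)
    trailing: Optional[str] = None


def parse_irc_line(line: str) -> IrcMessage:
    """Parse one RFC 1459 style line: [:prefix] COMMAND params [:trailing]."""
    line = line.rstrip("\r\n")
    if line.startswith("/"):          # as typed into a client; the client drops the slash
        line = line[1:]
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:                  # first " :" starts the trailing parameter
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        raise ValueError("empty IRC line")
    return IrcMessage(prefix, parts[0].upper(), parts[1:], trailing)


def service_payload(msg: IrcMessage) -> Optional[Tuple[str, List[str]]]:
    """(service name, words of the service command) if addressed to services."""
    if msg.command in SERVICE_ALIASES:
        text = " ".join(msg.params + ([msg.trailing] if msg.trailing else []))
        return SERVICE_ALIASES[msg.command], text.split()
    if msg.command == "PRIVMSG" and msg.params and msg.params[0].lower() in SERVICE_NICKS:
        return SERVICE_NICKS[msg.params[0].lower()], (msg.trailing or "").split()
    return None


def classify(line: str) -> Optional[str]:
    """Name the credential a relay would see in this line, or None."""
    if not line.strip():
        return None
    msg = parse_irc_line(line)
    if msg.command == "PASS":
        return "server password (PASS)"
    if msg.command == "OPER":
        return "operator password (OPER)"
    payload = service_payload(msg)
    if payload is None or not payload[1]:
        return None
    service, words = payload
    verb = words[0].upper()
    if verb in SECRET_VERBS:
        return f"{service} {verb}"
    # SET PASSWORD x, or ChanServ's SET #channel PASSWORD x
    if verb == "SET" and any(w.upper() == "PASSWORD" for w in words[1:3]):
        return f"{service} SET PASSWORD"
    return None


def redact(line: str) -> str:
    """Copy of the line that is safe to log: secret arguments replaced."""
    if classify(line) is None:
        return line
    stripped = line.rstrip("\r\n")
    msg = parse_irc_line(stripped)
    if msg.command in ("PASS", "OPER"):
        return f"{msg.command} <redacted>"
    # Skip a leading :prefix so a nick such as "identify" cannot fool the search.
    body_start = stripped.index(" ") + 1 if stripped.startswith(":") else 0
    m = SECRET_VERB_RE.search(stripped, body_start)
    return stripped[: m.end()] + " <redacted>"


def audit(transcript: List[str]) -> List[Tuple[str, str]]:
    """(credential kind, redacted line) for every line a relay could harvest."""
    return [(kind, redact(line)) for line in transcript
            if (kind := classify(line)) is not None]


# Constructed session, as the relay would see it between browser and IRC server.
SAMPLE_SESSION = [
    "NICK someuser",
    "USER someuser 0 * :Some User",
    "PRIVMSG NickServ :IDENTIFY correct-horse-battery",
    "PRIVMSG #help :hi, is mibbit down?",
    "/NS SET PASSWORD yournewpasshere",   # the post's nickname command, as typed
    "/CS SET PASSWORD yournewpasshere",   # the post's channel command, as typed
    "JOIN #help",
]

if __name__ == "__main__":
    for kind, safe in audit(SAMPLE_SESSION):
        print(f"{kind:24} {safe}")
```

Every flagged line crossed the relay in cleartext, and redaction only protects the relay's logs going forward; it cannot undo what an intermediary already saw, which is why the post's advice is to rotate the passwords rather than to trust any logging policy.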
August 14, 2011 - 6:10 am
Thanks for your update and it is serious. However, please read Mibbit’s blog for clarification of what happened. Mibbit doesn’t log anything without permission; http://blogspot.mibbit.com
To say anything else is irresponsible, particularly ‘russian proxy’? :/
August 14, 2011 - 7:29 am
oop http://mibbitblog.blogspot.com
August 20, 2011 - 2:47 pm
Sam: You can assume anything Mibbit has to say on the matter is only lightly touching the issue and referring to their b/s privacy policy to ensure that people still use their service. I would say it is very likely that Mibbit logs personal and private data without the users’ consent.
October 16, 2012 - 12:58 am
I have a question about the TFLASH client. The client is not really a web client. For example, Verizon blocks GeekShed IRC connections most of the time. I can’t use the TFLASH client when this happens. But the Mibbit client still works regardless. Just wanted to post my experiences.
October 16, 2012 - 5:04 am
TFLASH is a web client. The difference is that TFLASH is the official GeekShed client, and it connects directly to the network. Since Verizon blocks the network, TFLASH cannot connect via Verizon. The Verizon block doesn’t change the reality that TFLASH is a web client.
Mibbit operates as a proxy. You connect to Mibbit, and then Mibbit connects to GeekShed. Verizon only knows that you are connecting to Mibbit. They can’t follow your connection after that.