Hackers managed to compromise the website of Comodo Brazil and extracted sensitive information about the company's SSL certificate customers. The attack vector appears to have been SQL injection. A partial database dump was posted on pastebin.com on Saturday, together with information about the vulnerability.
The compromised data includes the certificate authority name, email address, fax and phone numbers, order number, certificate request, private key file name and other details.
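To make the SQL injection point concrete, here is an added example (not code from the Comodo site or from the leaked dump) showing a customer-lookup query built by string concatenation beside the same lookup written with a bound parameter. The table rows and the hypothetical `lookup_*` functions are constructed for illustration; the point is that the concatenated version lets a quoted input change the query's logic, while the parameterized version compares the input as a plain value.

```python
import sqlite3

# Constructed sample data for the example; nothing here comes from the breach.
CUSTOMERS = [
    ("1001", "Example Org A", "certs@orga.invalid"),
    ("1002", "Example Org B", "certs@orgb.invalid"),
    ("1003", "Example Org C", "certs@orgc.invalid"),
]


def make_db():
    """In-memory SQLite database with a small, constructed customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (order_no TEXT, org TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, order_no):
    """Untrusted input spliced into the SQL text (the pattern behind SQL injection).

    The database cannot distinguish data from code here, so an input containing
    a quote character rewrites the WHERE clause instead of being compared to it.
    """
    sql = "SELECT order_no, org FROM customers WHERE order_no = '" + order_no + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, order_no):
    """Same lookup with a bound parameter.

    The driver sends the value separately from the SQL text, so whatever the
    string contains, it is only ever compared as a literal order number.
    """
    sql = "SELECT order_no, org FROM customers WHERE order_no = ?"
    return conn.execute(sql, (order_no,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # a quote-bearing value; harmless against the safe query
    print("vulnerable:", lookup_vulnerable(db, probe))  # every row comes back
    print("safe:      ", lookup_safe(db, probe))        # no row matches
```

The safe variant also works unchanged for legitimate order numbers; parameterization costs nothing in functionality, which is why it should be the default for every query that touches user-controlled input.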
Customer details like organization names, addresses, telephones, domain names, type of web servers, serial numbers and more, are also included.
There is also a list of what appears to be employee accounts, with @comdobr.com email addresses and hashed passwords. The password for an account called firstname.lastname@example.org (validation@) is listed in plain text.
The password was most likely posted in plain text intentionally by the attackers, because all of the hashes appear to be unsalted MD5, which is trivial to crack.
This is not the first time Comodo has had security problems with its subsidiaries. Earlier this year, an Iranian hacker broke into the network of a Comodo reseller in Italy using SQL injection and stole a password used for requesting certificates.
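The following added example (not code from the page or from Comodo) illustrates why unsalted MD5 is considered trivial: equal passwords produce identical hashes across accounts, and one precomputed table of weak passwords can be checked against an entire table at once. It contrasts that with per-user salted PBKDF2-HMAC-SHA256 and a constant-time verifier. The account names, passwords and weak-password list are constructed, and the `store_*`, `audit_against_weak_list` and `verify_salted` functions are hypothetical helpers written for this example.

```python
import hashlib
import hmac
import os

# Constructed sample credentials; not taken from the leaked employee list.
ACCOUNTS = {"alice": "summer2011", "bob": "summer2011", "carol": "Tr0ub4dor&3"}

# Constructed weak-password list an auditor might compare stored hashes against.
WEAK_LIST = ["password", "summer2011", "letmein", "123456"]

PBKDF2_ITERS = 200_000  # assumed work factor for this example


def md5_unsalted(password):
    """The legacy scheme described in the article: bare MD5, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def store_unsalted(accounts):
    return {user: md5_unsalted(pw) for user, pw in accounts.items()}


def count_duplicate_hashes(table):
    """Number of hash values shared by more than one account.

    With no salt, equal passwords are visible as equal hashes, so recovering
    one of them recovers every account that reused it.
    """
    by_hash = {}
    for user, h in table.items():
        by_hash.setdefault(h, []).append(user)
    return sum(1 for users in by_hash.values() if len(users) > 1)


def audit_against_weak_list(table, weak_list):
    """Defender's check: which accounts use a password from a known-weak list.

    The list is hashed once and matched against every account; the cost does
    not grow with the number of accounts, which is exactly why unsalted MD5
    offers so little protection once a dump leaks.
    """
    precomputed = {md5_unsalted(w): w for w in weak_list}
    return {user: precomputed[h] for user, h in table.items() if h in precomputed}


def hash_salted(password, salt=None):
    """Per-user random salt plus a slow KDF; output is 'salt$digest' in hex."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    recomputed = hash_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


def store_salted(accounts):
    return {user: hash_salted(pw) for user, pw in accounts.items()}


if __name__ == "__main__":
    legacy = store_unsalted(ACCOUNTS)
    print("duplicate unsalted hashes:", count_duplicate_hashes(legacy))
    print("accounts on weak list:", sorted(audit_against_weak_list(legacy, WEAK_LIST)))
    modern = store_salted(ACCOUNTS)
    print("salted hashes differ for equal passwords:", modern["alice"] != modern["bob"])
    print("verify alice:", verify_salted("summer2011", modern["alice"]))
```

Against the salted table, the same weak-list comparison cannot be precomputed once for everyone: each account has its own salt, so every guess must be rehashed per user through the slow KDF, which is the property the unsalted MD5 scheme lacked.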
This allowed the attacker to obtain rogue SSL certificates for several high profile domains including mail.google.com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org and login.live.com.
The incident cast serious doubt on the trust chain of the public key infrastructure (PKI) and on the practices of SSL certification authorities.
The discussion is still ongoing and major software vendors are searching for solutions to strengthen the certificate verification process and prevent website impersonation in the future.
Following the breach, two more Comodo registration authorities were compromised, prompting the company to announce restrictions for resellers. This new compromise certainly doesn't help its case.