A security update and a lesson in permissions

At Kanka, we believe in being transparent. Not just about our roadmaps, but about the challenges we face behind the scenes, which is why we recently introduced our developer logs. Today, we’re sharing the details of a security incident we recently identified and resolved, which warrants its own article.

The “what” and the “when”

On December 28th, an automated bot targeted our server using a newly discovered vulnerability in one of our core tools, Livewire (v3.6.3). This wasn’t a targeted attack against Kanka users specifically, but part of a global “dragnet” scanning thousands of sites during the holiday break.

The attacker’s goal was SEO poisoning. In plain English: they wanted to turn our servers into a “ghostwriter” that generates invisible spam links to help shady websites rank higher on Google. These invisible spam links would only be visible to Google’s crawlers and wouldn’t affect the rest of our users.

The “smoking gun” (and our lucky break)

The attackers successfully placed a “scout” script onto our plugin library servers using the Livewire vulnerability. This script was designed to rewrite our core files and take control of our robots.txt (the file that tells Google how to crawl our site).

In an ironic twist of fate, my own janky setup saved us here.

Some files, like our ads.txt and robots.txt, aren’t managed by the codebase but by my own deployment scripts. Turns out, I had deployed them so that only I could change them, with root access, and not the user that runs Kanka’s code. This is technically a blunder on my end (well, it’s bad housekeeping), but it turned out to be our best defence. Because the attacker’s script didn’t have “Superuser” powers, it spent weeks trying (and, more importantly, failing) to overwrite those files.

They were essentially trying to move an immovable rod.

Is your data safe?

Yes. We have conducted a thorough audit of our databases, logs, network activity, firewall, the whole lot. Because the attack was focused on “SEO spam”, the malicious code was strictly designed to talk to search engines, not to capture and export user data. We have found no evidence of any user information being accessed or moved.

Kanka’s main app (app.kanka.io) was already running a newer version of Livewire so it wasn’t vulnerable.

What we’ve done to protect ourselves going forward

Even though our setup held them back, we aren’t taking any chances:

  • The patch: We have updated Livewire to the latest version, which completely closes the security vulnerability they used to get in.
  • The lockdown: We’ve implemented new “Immutable File Protection”. The whole folder of Kanka’s code is now read-only. We also hardened our nginx config, so that even if someone gets a script onto the server now, the server is configured to ignore any request that isn’t for our official index.php file (so even if they somehow manage to get files onto our servers, they can’t run them).
  • The clean-up: We’ve nuked everything and reset the servers to how they were before the exploit.
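To illustrate the nginx hardening described in the lockdown bullet, here is an added example config (written for this article, not Kanka’s actual configuration; the hostname, web root and PHP-FPM socket path are assumptions). The first block is the common Laravel-style setup that executes any .php file found under the web root; the second only ever hands index.php to PHP-FPM.

```nginx
# Added example, not Kanka's real config. Hostname, root and socket are assumed.

# --- BEFORE: any file ending in .php that lands under the web root
# (for example a dropped public/uploads/x.php) is passed to PHP-FPM and run.
server {
    listen 80;
    server_name example.test;                      # assumed hostname
    root /var/www/app/public;                      # assumed web root
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
    }
}

# --- AFTER: only the application's single front controller reaches PHP.
server {
    listen 80;
    server_name example.test;
    root /var/www/app/public;
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # Exact match: the one entry point the codebase ships with.
    location = /index.php {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
    }

    # Every other .php request is refused, so a file an attacker manages
    # to write to disk is an inert blob that nginx will never execute.
    location ~ \.php$ {
        return 404;
    }
}
```

Because nginx gives an exact-match `location =` precedence over regex locations, the `return 404` block catches every other .php path, including variants such as /index.php/x.php.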

A Final Word

Security is a journey, not a destination. We’re grateful that our janky file permissions bought us the time to find and kill this threat. We will continue to be transparent with you as we keep hardening our infrastructure.

No action is required on your part, but as always, we recommend using unique passwords for all your online tools.

Happy safe worldbuilding.
