A vulnerability in the ColdFusion Web server platform, reported by Adobe less than a week ago, has apparently been in the wild for almost a month and has allowed the hacking of at least one company website, exposing customer data. Yesterday, it was revealed that the virtual server hosting company Linode had been the victim of a multi-day breach that allowed hackers to gain access to customer records.

The breach was made possible by a vulnerability in Adobe's ColdFusion server platform that could, according to Adobe, "be exploited to impersonate an authenticated user." A patch had been issued for the vulnerability on April 9 and was rated as priority "2" and "important." Those ratings placed it at a step down from the most critical, indicating that there were no known exploits at the time the patch was issued but that data was at risk. Adobe credited "an anonymous security researcher" with discovering the vulnerability.

But according to an IRC conversation that included one of the alleged hackers of the site, Linode's site had been compromised for weeks before the breach was discovered. That revelation leaves open the possibility that other ColdFusion sites have been compromised as hackers sought out targets to use the exploit on.

ColdFusion is a Java-based Web server platform that interprets its own proprietary markup language in page code to access server-side application components and data. It has had a large installed base in the government sector and other markets, but its market share has been in decline for some time, and the technology has seen little change since 2009. In 2011, Adobe announced it was moving the whole of ColdFusion development to India.

The element attacked is ColdFusion's user authentication component, cflogin. In March, a ColdFusion user reported encountering errors in cflogin that he believed were caused by attempted hack attacks. "I've now seen cflogin throw an error twice now with bad input at—I believe—the cookie level," he reported to Adobe's bug tracker.

By exploiting the login vulnerability, the hackers were able to gain access to the Linode server itself and to the site's code. Through the code, they were able to obtain the login credentials to Linode's database and stole customer data that included hashed passwords, encrypted credit card data, and the unencrypted last four digits of credit cards used for verification purposes. Customer keys for Linode's deployment and management APIs were also exposed.

Linode has expired those keys and is re-issuing them. Linode representatives said in a blog post that the company has "no evidence decrypted credit card numbers were obtained" and added that the encryption key for credit card data was not stored on the server and was "not guessable, sufficiently long and complex, not based on dictionary words, and not stored anywhere but in our heads."

Ars has contacted Linode for comment on the breach, but a spokesperson said it may be several days before the company will respond with further information.
