A hacker got into a GlobalSign server and compromised the company's own digital certificate by way of an unpatched piece of open source software running on that server, according to a C-level GlobalSign executive.
The code had not been updated because it was not on the company's lists of proprietary software due for patching, the senior GlobalSign staff member told ZDNet UK on Wednesday.
"There was an old version of a component that was unpatched," said the GlobalSign exec. "It was an open-source piece of code that was not included in versioning maintenance."
GlobalSign took the precaution of halting certificate issuance for nine days last September after the hacktivist known as 'Comodohacker' claimed to have breached the certificate authority's systems. The company tore down and rebuilt its systems after it found that its external marketing server had been hacked.
An investigation by security company Fox-IT found that GlobalSign's company certificate had been compromised, potentially allowing an attacker holding its private key to impersonate the company's website. GlobalSign's root certificate, whose private key lets the company issue certificates that browsers trust to authenticate other websites, had not been compromised, so the attacker could not mint trusted certificates for other sites.
The machine holding GlobalSign's root certificate and its signing key is not connected to the internet, the exec told ZDNet UK. To use the root key, a person must retrieve the machine from a locked box, insert a number of smart cards, and type in multiple PINs and access codes. The 'Comodohacker' accessed a webserver that was distinct from the company's mailserver, and managed to compromise the company certificate and some PDF files.
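The distinction the Fox-IT finding turns on, between a stolen website certificate key and an intact root key, is easy to state and easy to confuse. The following added example (written for this page, not GlobalSign's or Fox-IT's code) models it with a toy certificate authority: a root key issues a certificate for a website, an attacker who steals the website's private key can authenticate as that site, but any certificate the attacker tries to issue with that key fails to chain to the root. The key pairs are built from small Mersenne primes with textbook RSA and a truncated hash, which is constructed for illustration and is not secure; the names "GlobalSign Root" and "www.globalsign.example" are assumed placeholders.

```python
import hashlib
import json


def make_key(p, q, e=65537):
    """Textbook RSA from two primes. Toy parameters only: NOT secure."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e}, {"n": n, "d": d}


# Constructed toy keys: Mersenne primes keep this runnable without a crypto library.
ROOT_PUB, ROOT_PRIV = make_key(2**127 - 1, 2**89 - 1)   # ~216-bit modulus
SITE_PUB, SITE_PRIV = make_key(2**107 - 1, 2**61 - 1)   # ~168-bit modulus


def digest(data: bytes) -> int:
    # Truncated to 160 bits so the value is below both toy moduli.
    return int.from_bytes(hashlib.sha256(data).digest()[:20], "big")


def sign(priv, data: bytes) -> int:
    return pow(digest(data), priv["d"], priv["n"])


def verify(pub, data: bytes, sig: int) -> bool:
    return pow(sig, pub["e"], pub["n"]) == digest(data)


def tbs(cert) -> bytes:
    """Canonical 'to-be-signed' encoding of the certificate fields."""
    fields = {k: cert[k] for k in ("subject", "issuer", "pub")}
    return json.dumps(fields, sort_keys=True).encode()


def issue(issuer_name, issuer_priv, subject, subject_pub):
    """Issue a certificate for `subject`, signed with whatever key the caller holds."""
    cert = {"subject": subject, "issuer": issuer_name, "pub": subject_pub}
    cert["sig"] = sign(issuer_priv, tbs(cert))
    return cert


def chains_to_root(cert, root_name, root_pub) -> bool:
    """What a browser checks: the issuer name matches and the root key verifies the signature."""
    return cert["issuer"] == root_name and verify(root_pub, tbs(cert), cert["sig"])


def server_proves_key(cert, priv, transcript: bytes) -> bool:
    """Handshake authentication: the server signs the transcript with the key behind its cert."""
    return verify(cert["pub"], transcript, sign(priv, transcript))


# Legitimate issuance by the (offline) root key.
SITE_CERT = issue("GlobalSign Root", ROOT_PRIV, "www.globalsign.example", SITE_PUB)

# Attacker has stolen SITE_PRIV from the web server. Impersonating the site works:
IMPERSONATION_OK = server_proves_key(SITE_CERT, SITE_PRIV, b"constructed handshake transcript")

# ...but issuing a certificate for another domain with the stolen key does not chain to the root,
# because only ROOT_PRIV can produce a signature that ROOT_PUB verifies.
FORGED_CERT = issue("GlobalSign Root", SITE_PRIV, "www.example.com", SITE_PUB)
FORGERY_TRUSTED = chains_to_root(FORGED_CERT, "GlobalSign Root", ROOT_PUB)

if __name__ == "__main__":
    print("site cert chains to root:", chains_to_root(SITE_CERT, "GlobalSign Root", ROOT_PUB))
    print("stolen site key can impersonate site:", IMPERSONATION_OK)
    print("forged cert for other domain trusted:", FORGERY_TRUSTED)
```

The model shows why a CA that loses a web server key has an incident but not a catastrophe, while loss of the root key would let an attacker pass `chains_to_root` for any name. It also shows the practitioner's follow-up check: after such a breach, the compromised site certificate must be revoked and reissued under a fresh key, because `server_proves_key` keeps succeeding for whoever holds the old private key until relying parties stop accepting that certificate.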