Delphi: disable or change your welcome page to not use the Embarcadero site (as that site has been hacked twice this weekend)
Posted by jpluimers on 2016/03/14
This weekend, the Embarcadero web site was hacked by AnonCoders. Not once (see also [WayBack] G+ link and [WayBack] DelphiPraxis link and [WayBack] image) but at least twice (see also [WayBack] G+ link and [WayBack] image and [WayBack] Delphi Praxis link and [WayBack] image): the first defacement was the plain text “Hacked By AnonCoders ~ Cyber Caliphate”; after the site had been reverted (hopefully by Embarcadero staff) it was defaced again, this time with [WayBack] more graphical content.
The Welcome Page inside the Delphi IDE uses the Embarcadero web site, so the Delphi IDE Welcome Page was also affected (see also [WayBack] this G+ link).
Because the IDE renders this on-line content inside the Welcome Page, whoever controls that content can potentially execute code inside the IDE process. The page is loaded over plain http as well, so a man-in-the-middle could do the same without touching Embarcadero’s servers at all (but I digress). This is a real security risk, as many developers run the IDE from accounts that have more rights than the average user.
Waiting for an Embarcadero statement
At least until Embarcadero responds with a statement about the hacking (at the time of writing they still haven’t), it is wise to disable the Welcome Page. Note that [WayBack] I’m not the only one urging Embarcadero to post a statement; any statement, even “working on it”, will do.
Avoid the Embarcadero servers for a while
I’ve avoided the Embarcadero servers myself for quite a long time because their TLS implementation was (and still is) so bad that I don’t trust them with my personal information.
Now they have also managed to make [WayBack] https://embarcadero.com redirect to plain http://www.embarcadero.com, which downgrades an encrypted connection to an unencrypted one.
Not long ago there were also issues on the community server (besides it doing login over plain http) with Japanese adverts like this (luckily [Archive.is] they are gone now), up to the point where [WayBack] even Google suspected the site to be hacked (see below) and, worse, [WayBack] Google still thinks it might be.
Disabling the Delphi Welcome Page
Each Delphi version has a “Known IDE Packages” key in the registry. For instance, [WayBack] delphi – Detailed description of “Known IDE Packages” … – Stack Overflow shows the entry for BDS 9.0, which uses package suffix 160 and is Delphi XE2 (don’t you love version numbers as much as they do? [WayBack] Delphi Dabbler has a reference matrix for them):
[HKEY_CURRENT_USER\Software\Embarcadero\BDS\9.0\Known IDE Packages]
having the value
"$(BDS)\\Bin\\startpageide160.bpl"="Start Page IDE Package"
Prefix the file name in that value name with an underscore, so startpageide160.bpl becomes _startpageide160.bpl (the value name is the package path, so the IDE no longer loads it), and restart the Delphi IDE: the Welcome Page is gone. The comments below describe a variant that leaves the path intact: prefix the description (the value data) with an underscore instead.
Thanks [WayBack] Uwe Raabe for reminding me of that.
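The registry edit above, scripted for every Delphi version installed for the current user. This is an added example and not code from the original post or from Embarcadero; it assumes the per-user key layout shown above (HKCU\Software\Embarcadero\BDS\<version>\Known IDE Packages) and a value name ending in startpageide<nnn>.bpl. By default it applies the post’s trick (underscore in front of the file name in the value name); with -PrefixDescription it applies the variant from the comments instead (underscore in front of the description). Close every running IDE first and run it with -WhatIf to preview what it would change.

```powershell
<#
Added example (not from the original post): disable the Start Page IDE package
for every Delphi/RAD Studio version registered under HKCU.
Default: prefix the file name inside the value name with an underscore
(the post's method). With -PrefixDescription the value data (the package
description) is prefixed instead, the variant suggested in the comments.
Close every running IDE first; use -WhatIf to preview, -Verbose to see what changed.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Root key with one subkey per BDS version, e.g. 9.0 (XE2) or 16.0 (XE8). Assumed layout.
    [string]$BdsRoot = 'HKCU:\Software\Embarcadero\BDS',
    [switch]$PrefixDescription
)

# Matches e.g. $(BDS)\Bin\startpageide160.bpl; an already renamed \_startpageide160.bpl does not match
$pattern = '\\(startpageide\d+\.bpl)$'

foreach ($version in Get-ChildItem -Path $BdsRoot -ErrorAction Stop) {
    $keyPath = Join-Path -Path $version.PSPath -ChildPath 'Known IDE Packages'
    if (-not (Test-Path -Path $keyPath)) { continue }

    $key = Get-Item -Path $keyPath
    foreach ($valueName in $key.GetValueNames()) {
        if ($valueName -notmatch $pattern) { continue }

        $description = [string]$key.GetValue($valueName)
        if ($description.StartsWith('_')) { continue }   # already disabled via the description

        $target = "$keyPath : $valueName"
        if ($PrefixDescription) {
            if ($PSCmdlet.ShouldProcess($target, "set description to _$description")) {
                Set-ItemProperty -Path $keyPath -Name $valueName -Value "_$description"
                Write-Verbose "BDS $($version.PSChildName): description of $valueName prefixed"
            }
        } else {
            # A registry value cannot be renamed in place: create the new name, then drop the old one
            $newName = $valueName -replace $pattern, '\_$1'
            if ($PSCmdlet.ShouldProcess($target, "rename to $newName")) {
                New-ItemProperty -Path $keyPath -Name $newName -Value $description -PropertyType String -Force | Out-Null
                Remove-ItemProperty -Path $keyPath -Name $valueName
                Write-Verbose "BDS $($version.PSChildName): $valueName renamed to $newName"
            }
        }
    }
}
```

Re-enabling is the reverse edit (drop the underscore again); the script deliberately skips entries that are already disabled so running it twice is harmless.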
Replacing the Welcome Page with a much more useful one
Last year, Daniel Wolf wrote a new Welcome Page plugin for Delphi. His article with instructions to remove the default Welcome Page and install the package, [WayBack1/WayBack2] Meine Vorstellung einer Willkommens-Seite – IT-Consulting d.wolf, is in German so you might have missed it, but the Google Translate version, My idea of a welcome page, is actually quite OK, so it’s worth installing.
The good news: [WayBack] he released a new version today (after a small [WayBack] #lovewins glitch) which you can download from:
- [WayBack] pkgWuppdiWP_XE8_1-0-2.zip (84 KB).
- [WayBack] pkgWuppdiWP_DX10S_1-1-1.zip (85 KB).
- [WayBack] pkgWuppdiWP_DX101B_1-1-1.zip (86 KB).
- [WayBack] pkgWuppdiWP_DX102T_1-1-2.zip (86 KB).
- [WayBack] pkgWuppdiWP_DX103R_1-2-2.zip (90 KB).
Install steps:
- Recursively unpack to %Public%\Documents\Embarcadero\Studio
- Install the package from the matching Delphi version: menu Component, Install Packages..., button Add..., browse for the correct bpl file, then click the Open button.
After this you can find it under menu View, wuppdi Welcome Page (for Delphi XE8, 10.0 Seattle and 10.1 Berlin) or View, Tool Windows, wuppdi Welcome Page (for Delphi 10.2 Tokyo and up).
Have fun with that!
–jeroen
PS: the Embarcadero forums server loses messages and threads over time, hence quite a few of the links in this article go through saved web.archive.org links. Those links are slow, but at least they are retained for much longer than the Embarcadero server retains the originals.
PPS: I posted these comments at G+ earlier before finding my note “[WayBack] http://community.embarcadero.com (the replacement of the forums server which like the original is down a lot of the time) which for a long time defaulted to http login at http://community.embarcadero.com/login (hopefully it doesn’t do that any more)”:
I’m not surprised. Neither the IT team nor the development team at Embarcadero seem very security aware. QC for instance cannot even use HTTPS to connect to the SOAP server, which means your credentials are always sent over the wire in plaintext. The SSL configuration of both their web and mail servers is vulnerable to various attacks. Some of their web sites use plain HTTP for login. The development products only check local things, but not information obtained over the network. App Tethering doesn’t use any form of connection level security (but passwords are salted and hashed). But don’t place anything DLL-like in the Delphi bin directory or tamper with anything executable there: it’s either a “quit Delphi now” or a “license issue” you will get.
I understand their wish to protect against unlicensed Delphi usage, but wish they cared as much for the security of their customers (and recursive customers of their customers) as they cared about the revenue stream.
and
You have to go through their hacked infrastructure to download/install/register their products.
Until I see a statement detailing which parts of their infrastructure are safe (including grade B or better TLS), I won’t install their products.
It’s not hard to put a proper TLS in front of internal http. [Archive.is] https://pluimers.com does that. Even though it makes little sense, you can even do it for external links: [WayBack] https://pluimers.com/wiert was nothing but a shell around [WayBack] http://wiert.me as an experiment to see if it would work (as the paid WordPress.com cheaply fails to put the proper domain information in [WayBack] https://wiert.me).
The WordPress.com certificate issue (which has been known and unresolved for more than a year) is:
This server could not prove that it is wiert.me; its security certificate is from *.wordpress.com. This may be caused by a misconfiguration or an attacker intercepting your connection.
Note that because of the bad WordPress.com certificate issue, you could not have Apache2 reverse proxy https://pluimers.com/wiert to https://wiert.me: with SSLProxyEngine on and peer verification enabled, a certificate for *.wordpress.com does not match wiert.me and the backend connection is refused. In my case the request did not even get that far: the log below shows mod_proxy connecting to wiert.me:443 and then refusing to speak TLS because SSLProxyEngine was not enabled, which is exactly what the Hint: SSLProxyEngine error is about (yes, I still need to fix that):
[Mon Mar 14 17:21:37.607104 2016] [proxy:debug] [pid 1658] mod_proxy.c(1160): [client 82.161.132.169:46945] AH01143: Running scheme https handler (attempt 0)
[Mon Mar 14 17:21:37.607123 2016] [proxy:debug] [pid 1658] proxy_util.c(2160): AH00942: HTTPS: has acquired connection for (wiert.me)
[Mon Mar 14 17:21:37.607139 2016] [proxy:debug] [pid 1658] proxy_util.c(2213): [client 82.161.132.169:46945] AH00944: connecting https://wiert.me/ to wiert.me:443
[Mon Mar 14 17:21:37.613334 2016] [proxy:debug] [pid 1658] proxy_util.c(2422): [client 82.161.132.169:46945] AH00947: connected / to wiert.me:443
[Mon Mar 14 17:21:37.616892 2016] [proxy:debug] [pid 1658] proxy_util.c(2799): AH02824: HTTPS: connection established with 192.0.78.25:443 (wiert.me)
[Mon Mar 14 17:21:37.616912 2016] [ssl:error] [pid 1658] [remote 192.0.78.25:443] AH01961: SSL Proxy requested for www.pluimers.com:443 but not enabled [Hint: SSLProxyEngine]
[Mon Mar 14 17:21:37.616919 2016] [proxy:error] [pid 1658] AH00961: HTTPS: failed to enable ssl support for 192.0.78.25:443 (wiert.me)
[Mon Mar 14 17:21:37.616926 2016] [proxy:debug] [pid 1658] proxy_util.c(2175): AH00943: HTTPS: has released connection for (wiert.me)
In the meantime, WordPress.com has switched to Let’s Encrypt ([WayBack] HTTPS Everywhere: Encryption for All WordPress.com Sites — The WordPress.com Blog), so the above WordPress issues have been resolved.
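The Apache reverse-proxy configuration behind the log above, as an added example that is not part of the original post: the first virtual host reproduces the failure (mod_proxy is told to fetch an https:// backend without SSLProxyEngine, so every request ends in AH01961), the second one is the corrected form, which not only enables the TLS client side of mod_proxy but also requires that the backend certificate chains to a trusted CA and matches the host name being connected to, so a *.wordpress.com certificate presented for wiert.me is rejected instead of silently accepted. Host names are the ones from the post; the certificate, key and CA bundle paths are assumptions.

```apache
# Added example, not from the original post or from Apache documentation.
# Host names are those from the post; all file paths are assumed.

# --- Broken: ProxyPass to an https:// backend while mod_proxy's TLS client
#     side is off. Every request fails with
#     "SSL Proxy requested for www.pluimers.com:443 but not enabled [Hint: SSLProxyEngine]"
#     before any certificate is ever looked at.
<VirtualHost *:443>
    ServerName pluimers.com
    SSLEngine on
    # assumed paths
    SSLCertificateFile    /etc/ssl/certs/pluimers.com.pem
    SSLCertificateKeyFile /etc/ssl/private/pluimers.com.key

    ProxyPass        /wiert https://wiert.me/
    ProxyPassReverse /wiert https://wiert.me/
</VirtualHost>

# --- Fixed: enable the TLS client side of mod_proxy AND verify the backend.
#     SSLProxyVerify require rejects a certificate that does not chain to the
#     CA bundle; SSLProxyCheckPeerName rejects one whose CN/SAN does not match
#     the backend host name (wiert.me), which is what a *.wordpress.com
#     certificate would trip over. SSLProxyCheckPeerExpire rejects expired ones.
<VirtualHost *:443>
    ServerName pluimers.com
    SSLEngine on
    # assumed paths
    SSLCertificateFile    /etc/ssl/certs/pluimers.com.pem
    SSLCertificateKeyFile /etc/ssl/private/pluimers.com.key

    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyVerifyDepth 5
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on
    # assumed path to the system CA bundle
    SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt

    # Keep the default: the backend host name (wiert.me) is used for SNI and
    # for the peer name check, not whatever Host header the client sent.
    ProxyPreserveHost Off
    ProxyPass        /wiert https://wiert.me/
    ProxyPassReverse /wiert https://wiert.me/
</VirtualHost>
```

Apache does not allow comments after a directive on the same line, which is why every comment above sits on its own line. With the corrected block in place, a backend that presents the wrong certificate shows up as an ssl:error in the log naming the hostname mismatch, rather than as the SSLProxyEngine hint.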
Delphi packages I have disabled by prefixing their description with an underscore (and why) « The Wiert Corner – irregular stream of stuff said
[…] XE8 and below versions are a security risk as they directly fetch information from the Embarcadero web site (which got hacked a few times in the past). […]
A future Delphi won’t download start page content from the Embarcadero site « The Wiert Corner – irregular stream of stuff said
[…] jpluimers on Delphi: disable or change your… […]
Gordon Niessen said
I commented out the Online banner load in the default.htm page in the C:\Program Files (x86)\Embarcadero\Studio\16.0\Welcomepage folder. It shows I am offline, but I still get to see the recent and favorite projects.
jpluimers said
That’s an interesting trick! Thanks for sharing it.
Michal said
having
"$(BDS)\Bin\startpageide160.bpl"="_Start Page IDE Package"
jpluimers said
Didn’t try that one yet. Does it work as well?
IL said
Certainly disabling the IDE package is the easiest way, especially with D10Distiller. There are many other IDE packages that you might want to disable.
My personal D10 disable list includes:
communitytoolbar
comptoolbar
gdbdebugide
gdbdebugcore
devicemanager
guidedtour
ios32debugide
ios64debugide
sdkmgride
startpage
tgide
trackingsystem!!!
jpluimers said
What does trackingsystem do? What’s D10Distiller?
IL said
Links to the Daniel Wolf’s blog posts on Welcome Page:
https://www.danielwolf.eu/blog/2015/1653-delphi-xe8-willkommensseite-anpassen
https://www.danielwolf.eu/blog/2015/1668-meine-vorstellung-einer-willkommens-seite
Jim McKeeth said
Over the weekend hackers attacked the Embarcadero web site. The hack was confined to the Website CMS front end, which also serves the start page banner. The network was not accessed, and NO customer or internal data was exposed or compromised. The issue was identified and fixed.
IL said
Thanks for noting the nice Welcome Page by Daniel Wolf.
Btw, for those who are not registered on delphipraxis.net it would be easier to get it here: https://www.danielwolf.eu/blog/2015/1507-delphi-xe8-moderntheme-anpassen
Steven Kamradt said
and there is even a 10.1 Berlin version now available, although it appears that the Berlin welcome screen no longer has the banners on it, but is still browser based. Also the stock Berlin welcome screen still doesn’t have categories for favorites, so the Daniel Wolf welcome page is a must if you have lots of favorites that need more organization.
Steven Kamradt said
Helps if I include the link for both of them. :)
https://www.danielwolf.eu/blog/2015/1668-meine-vorstellung-einer-willkommens-seite