velik_m
11-18-2013, 08:35 AM
Forums software maker vBulletin has been breached by hackers who got access to customer password data and other personal information, in a compromise that has heightened speculation there may be a critical vulnerability that threatens websites that run the widely used program.
"Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password," vBulletin Technical Support Lead Wayne Luke wrote in a post published Friday evening. "Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password."
The warning came three days after user forums for MacRumors—itself a user of vBulletin—suffered a security breach that exposed cryptographically hashed passwords for more than 860,000 users. When describing the attack, MacRumors Editorial Director Arnold Kim said the compromise in many ways resembled the July hack of the Ubuntu user forums, which also ran on vBulletin.
The speculation that there's a critical vulnerability in vBulletin goes well beyond the compromise of three websites that use the program. On Thursday—more than 24 hours before vBulletin warned of the security breach on its site—members of the Inject0r hacking team published this Facebook post claiming they had hacked vBulletin.com.
They also said they were they hackers behind the MacRumors compromise, and went on to say they were able to take control of the site using log-in credentials for a MacRumors moderator account taken during the vBulletin attack. As Ars previously reported, the starting point of the MacRumors compromise was a moderator account that was somehow accessed. On Sunday night, Kim of MacRumors confirmed to Ars that the user name and password for the compromised moderator account were, in fact, the same ones the account holder used on vBulletin.com.
To summarize, then: The Inject0r Team members claimed they breached vBulletin.com by exploiting a previously undocumented vulnerability in the vBulletin software. They then went on to use their privileged access to obtain login credentials for the MacRumors moderator account. After logging in to the account, they then made off with the password hashes for 860,106 MacRumors accounts.
"We got shell , database and root server," the Inject0r Team Facebook post claimed. "We wanted to prove that nothing in this world is not safe. We found a critical vulnerability in vBulletin all versions 4.x.x and 5.х.x."
At time of writing, it wasn't possible to corroborate the account. vBulletin officials didn't respond to an e-mail seeking comment for this post. Still, the timing of Inject0r Team Facebook post claiming the hack of vBulletin.com—coming as it did, more than 24 hours before vBulletin made it public—lends credibility to the post. Also consistent is Kim's confirmation that the login credentials for the compromised moderator account on MacRumors were also used on the hacked vBulletin.com.
Kim isn't the only one who found the Inject0r Team claims of a zero-day in vBulletin plausible. User forums for the Defcon hacker conference were temporarily shut on Sunday night once word began to spread there may be a critical hole in the current releases of forum software.
"We have disabled the forums until there is resolution on a possible vulnerability," the forum landing page read. "Once we have a fix/patch installed, we'll re-open service."
The Inject0r Team website claims to be selling attack code that exploits the vBulletin vulnerability and offers screen shots said to prove the root compromises are real. Those claims also couldn't be corroborated at time of writing, although there were nothing obvious to disprove them. MacRumors, which Kim said runs version 3 of vBulletin, remained operational at time of writing.
Readers who operate websites that run on versions 4 or 5 of vBulletin should consider following Defcon's example and disabling their user forums—at least until vBulletin officials provide assurances there are no known vulnerabilities in their software and offer an explanation of the attack that hit their site. To be clear, there is no confirmation of the claim hackers have a reliable exploit for a critical vulnerability in fully patched versions of the software. That said, the events of the past five days give good reason for concern. This article will be updated if vBulletin officials break their silence and provide much-needed guidance about their software.
http://arstechnica.com/security/2013/11/password-hack-of-vbulletin-com-fuels-fears-of-in-the-wild-0-day-attacks/
"Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password," vBulletin Technical Support Lead Wayne Luke wrote in a post published Friday evening. "Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password."
The warning came three days after user forums for MacRumors—itself a user of vBulletin—suffered a security breach that exposed cryptographically hashed passwords for more than 860,000 users. When describing the attack, MacRumors Editorial Director Arnold Kim said the compromise in many ways resembled the July hack of the Ubuntu user forums, which also ran on vBulletin.
The speculation that there's a critical vulnerability in vBulletin goes well beyond the compromise of three websites that use the program. On Thursday—more than 24 hours before vBulletin warned of the security breach on its site—members of the Inject0r hacking team published this Facebook post claiming they had hacked vBulletin.com.
They also said they were they hackers behind the MacRumors compromise, and went on to say they were able to take control of the site using log-in credentials for a MacRumors moderator account taken during the vBulletin attack. As Ars previously reported, the starting point of the MacRumors compromise was a moderator account that was somehow accessed. On Sunday night, Kim of MacRumors confirmed to Ars that the user name and password for the compromised moderator account were, in fact, the same ones the account holder used on vBulletin.com.
To summarize, then: The Inject0r Team members claimed they breached vBulletin.com by exploiting a previously undocumented vulnerability in the vBulletin software. They then went on to use their privileged access to obtain login credentials for the MacRumors moderator account. After logging in to the account, they then made off with the password hashes for 860,106 MacRumors accounts.
"We got shell , database and root server," the Inject0r Team Facebook post claimed. "We wanted to prove that nothing in this world is not safe. We found a critical vulnerability in vBulletin all versions 4.x.x and 5.х.x."
At time of writing, it wasn't possible to corroborate the account. vBulletin officials didn't respond to an e-mail seeking comment for this post. Still, the timing of Inject0r Team Facebook post claiming the hack of vBulletin.com—coming as it did, more than 24 hours before vBulletin made it public—lends credibility to the post. Also consistent is Kim's confirmation that the login credentials for the compromised moderator account on MacRumors were also used on the hacked vBulletin.com.
Kim isn't the only one who found the Inject0r Team claims of a zero-day in vBulletin plausible. User forums for the Defcon hacker conference were temporarily shut on Sunday night once word began to spread there may be a critical hole in the current releases of forum software.
"We have disabled the forums until there is resolution on a possible vulnerability," the forum landing page read. "Once we have a fix/patch installed, we'll re-open service."
The Inject0r Team website claims to be selling attack code that exploits the vBulletin vulnerability and offers screen shots said to prove the root compromises are real. Those claims also couldn't be corroborated at time of writing, although there were nothing obvious to disprove them. MacRumors, which Kim said runs version 3 of vBulletin, remained operational at time of writing.
Readers who operate websites that run on versions 4 or 5 of vBulletin should consider following Defcon's example and disabling their user forums—at least until vBulletin officials provide assurances there are no known vulnerabilities in their software and offer an explanation of the attack that hit their site. To be clear, there is no confirmation of the claim hackers have a reliable exploit for a critical vulnerability in fully patched versions of the software. That said, the events of the past five days give good reason for concern. This article will be updated if vBulletin officials break their silence and provide much-needed guidance about their software.
http://arstechnica.com/security/2013/11/password-hack-of-vbulletin-com-fuels-fears-of-in-the-wild-0-day-attacks/