Attacks/Breaches
11/18/2013
12:10 PM
Connect Directly
RSS
E-Mail
50%
50%

vBulletin.com Hacked, Customer Data Stolen

"Inj3ct0r Team" hackers claim they employed vBulletin zero-day bug to take down both vBulletin.com and MacRumors, offer to sell related exploit.

Are all recent versions of the vBulletin online forum software vulnerable to a zero-day exploit that would give attackers full access to the targeted system?

That's the claim being made by European hacking group "Inj3ct0r Team," which Thursday took to Facebook to take credit for recently hacking, not only Macrumors.com, but also vBulletin.com, both of which run on vBulletin's forum software.

That claim led to vBulletin Friday issuing a hacking alert to its customers. Said Wayne Luke, vBulletin's technical support lead, in the security alert:

Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your account.

[ "Stop worrying," says MacRumors hacker known as Lol. Read more at MacRumors Hacker Promises Stolen Passwords Are Safe. ]

News of the vBulletin exploit led numerous organizations to take their forums offline, pending more information and a patch. "We have disabled the forums until there is resolution on a possible vulnerability," read the notice on the Def Con hacking conference forums.

As yet, vBulletin hasn't released a patch or provided further information about how attackers might have gained access to its system.

But Inj3ct0r Team Thursday claimed to have discovered a "0day exploit" for vBulletin's forum software. "We found a critical vulnerability in vBulletin all versions 4.x.x and 5.õ.x," read the group's Facebook post. "We've got upload shell in vBulletin server, [downloaded] database and got root." In other words, the group claimed to have obtained direct access to vBulletin's server and downloaded a user database, which it cracked offline, thus revealing the login details for an administrator account with root-level access, which would have given attackers full access to all information being stored on vBulletin.com.

If Inj3ct0r Team's claims are accurate, part of the blame for the attack must be placed on vBulletin, because its forum software stores passwords using the MD5 cryptographic algorithm. Security experts regard MD5 as unfit for securing passwords -- no matter how it might be used -- because it's so easy to crack via offline attacks.

Likewise, two-factor authentication might have prevented vBulletin's data breach by requiring anyone who wanted to access an administrator account to provide a second factor, provided, for example, via a Google Authenticator code or a one-time code texted to a preset mobile phone number. But numerous online discussion threads suggest that vBulletin's software doesn't currently allow for two-factor authentication. In addition, the company declined to respond to an emailed request for comment, sent Thursday, about whether two-factor authentication could be added to its forum software and, if not, when the company might make this feature available.

In the case of the Apple enthusiast site MacRumors.com, which was hacked Monday, the attackers -- again Inj3ct0r Team -- obtained 860,000 usernames, email addresses, and encrypted credentials. But in a series of posts to the MacRumors.com forums, one of the attackers promised not to leak the data or harm people "unless we target you specifically for some unrelated reason."

What was the attackers' impetus for hacking those two sites? Money is the most likely explanation, since Inj3ct0r Team's Thursday hacking boast included -- for "all those wishing to buy a vulnerability and patch your forum" -- a link to purchase the "vBulletin v4.x.x and 5.õ.x Shell Upload / Remote Code Execute (0day)" via the Inj3ct0r website, which describes itself as "the ultimate database of exploits and vulnerabilities."

Since the author of the vBulletin website is listed as being "1337Day Team" -- 1337 is hacker-speak for "elite" -- and the site accepts payment in the form of "1337Day Gold" (one piece of gold equals one dollar), it appears that the Inj3ct0r site is run by the same group that discovered the zero-day vBulletin bug, which is priced at $7,000.

Update: A spokesman for Internet Brands -- the parent company of vBulletin -- emailed Monday to say the company had dismissed Inj3ct0r Team's claimed discovery of a zero-day vulnerability in the company's online forum software. "Given our analysis of the evidence provided by the Inject0r team, we do not believe that they have uncovered a 0-day vulnerability in vBulletin," read a related blog post from vBulletin's Luke, which was released after the above story ran. "These hackers were able to compromise an insecure system that was used for testing vBulletin mobile applications. The best defense against potential compromises is to keep your system running on the very latest patch release of the software."

Metrics, data classification, governance, compliance -- and your vendors -- are all part of the risk management equation. The The Risky Business Of Managing Risk report offers insight on the many pieces of the risk management puzzle, and how to make it work for your enterprise. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
samicksha
50%
50%
samicksha,
User Rank: Apprentice
11/19/2013 | 3:36:20 AM
Re: If you didn't realize vbulletin is insecure, you weren't paying attention
I read about vBulletin breach prompts password reset, I am suprised how come attackers managed using a zero-day flaw that is now being sold in several places online, I guess cross site scripting can be intervened into most forum site.
Ariella
50%
50%
Ariella,
User Rank: Apprentice
11/18/2013 | 5:44:31 PM
Re: If you didn't realize vbulletin is insecure, you weren't paying attention
@jemison288 I know exactly what you mean. It's like having a car with a good warranty that frequently needs repairs that are covered. On the one hand, it's good that the dealer fixes everything, but, on the other hand, you'd really prefer to be spared the inconvenience of things breaking on it in the first place.
jemison288
100%
0%
jemison288,
User Rank: Apprentice
11/18/2013 | 3:40:39 PM
Re: If you didn't realize vbulletin is insecure, you weren't paying attention
I don't know if I agree with that.  It's like saying, "I know it breaks a lot, but they have great customer support!"  Screw that, I'd rather have something that never breaks with crappy customer support--I won't need it.  (Early days of AWS were basically like that).
kjhiggins
100%
0%
kjhiggins,
User Rank: Strategist
11/18/2013 | 3:34:31 PM
Re: If you didn't realize vbulletin is insecure, you weren't paying attention
Not to downplay this breach, but your point about vBulletin patching almost weekly is actually relativley promising. Patching regularly is better than not patching at all.
jemison288
100%
0%
jemison288,
User Rank: Apprentice
11/18/2013 | 2:56:00 PM
If you didn't realize vbulletin is insecure, you weren't paying attention
VBulletin sends out something like a patch a week due to security problems.  Anyone still running vbulletin--after, say, 2008--is either asleep at the wheel or decided that the inevitability of being hacked through vbulletin was a reasonable risk.

Seriously--vbulletin, joomla, and a host of other popular PHP "applications" are so large and full of security holes that they're essentially impossible to secure.  No one with a serious business should be using any of them.
Susan_Nunziata
100%
0%
Susan_Nunziata,
User Rank: Apprentice
11/18/2013 | 12:41:21 PM
Big-name brands
Considering the big-name brands that have built their forums using vBulletins, if I were any of those organizations I'd be pretty worried right now.

The question, of course, is what kind of data is stored in those forums. Pearl Jam (the band) sells tickets and merchandise through its website, but does that information touch the vBulletin forum porition of their site? What about Sony Pictures or EA?

According to the vBulletin site, NASA even uses its software for their forums.

I hope all the companies that use this service are monitoring closely and checking for exploits.
Whoopty
0%
100%
Whoopty,
User Rank: Moderator
11/18/2013 | 12:29:45 PM
Phew
I'm not as worried by this now as I would have been a few years ago. It's been a while since I used a forum regularly. Now it's more common threads like this and social networks. 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2003-1598
Published: 2014-10-01
SQL injection vulnerability in log.header.php in WordPress 0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the posts variable.

CVE-2011-4624
Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter.

CVE-2012-0811
Published: 2014-10-01
Multiple SQL injection vulnerabilities in Postfix Admin (aka postfixadmin) before 2.3.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the pw parameter to the pacrypt function, when mysql_encrypt is configured, or (2) unspecified vectors that are used in backup files gene...

CVE-2012-5485
Published: 2014-09-30
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVE-2012-5486
Published: 2014-09-30
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Chris Hadnagy, who hosts the annual Social Engineering Capture the Flag Contest at DEF CON, will discuss the latest trends attackers are using.