12:10 PM
50% Hacked, Customer Data Stolen

"Inj3ct0r Team" hackers claim they employed vBulletin zero-day bug to take down both and MacRumors, offer to sell related exploit.

Are all recent versions of the vBulletin online forum software vulnerable to a zero-day exploit that would give attackers full access to the targeted system?

That's the claim being made by European hacking group "Inj3ct0r Team," which Thursday took to Facebook to take credit for recently hacking, not only, but also, both of which run on vBulletin's forum software.

That claim led to vBulletin Friday issuing a hacking alert to its customers. Said Wayne Luke, vBulletin's technical support lead, in the security alert:

Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your account.

[ "Stop worrying," says MacRumors hacker known as Lol. Read more at MacRumors Hacker Promises Stolen Passwords Are Safe. ]

News of the vBulletin exploit led numerous organizations to take their forums offline, pending more information and a patch. "We have disabled the forums until there is resolution on a possible vulnerability," read the notice on the Def Con hacking conference forums.

As yet, vBulletin hasn't released a patch or provided further information about how attackers might have gained access to its system.

But Inj3ct0r Team Thursday claimed to have discovered a "0day exploit" for vBulletin's forum software. "We found a critical vulnerability in vBulletin all versions 4.x.x and 5.õ.x," read the group's Facebook post. "We've got upload shell in vBulletin server, [downloaded] database and got root." In other words, the group claimed to have obtained direct access to vBulletin's server and downloaded a user database, which it cracked offline, thus revealing the login details for an administrator account with root-level access, which would have given attackers full access to all information being stored on

If Inj3ct0r Team's claims are accurate, part of the blame for the attack must be placed on vBulletin, because its forum software stores passwords using the MD5 cryptographic algorithm. Security experts regard MD5 as unfit for securing passwords -- no matter how it might be used -- because it's so easy to crack via offline attacks.

Likewise, two-factor authentication might have prevented vBulletin's data breach by requiring anyone who wanted to access an administrator account to provide a second factor, provided, for example, via a Google Authenticator code or a one-time code texted to a preset mobile phone number. But numerous online discussion threads suggest that vBulletin's software doesn't currently allow for two-factor authentication. In addition, the company declined to respond to an emailed request for comment, sent Thursday, about whether two-factor authentication could be added to its forum software and, if not, when the company might make this feature available.

In the case of the Apple enthusiast site, which was hacked Monday, the attackers -- again Inj3ct0r Team -- obtained 860,000 usernames, email addresses, and encrypted credentials. But in a series of posts to the forums, one of the attackers promised not to leak the data or harm people "unless we target you specifically for some unrelated reason."

What was the attackers' impetus for hacking those two sites? Money is the most likely explanation, since Inj3ct0r Team's Thursday hacking boast included -- for "all those wishing to buy a vulnerability and patch your forum" -- a link to purchase the "vBulletin v4.x.x and 5.õ.x Shell Upload / Remote Code Execute (0day)" via the Inj3ct0r website, which describes itself as "the ultimate database of exploits and vulnerabilities."

Since the author of the vBulletin website is listed as being "1337Day Team" -- 1337 is hacker-speak for "elite" -- and the site accepts payment in the form of "1337Day Gold" (one piece of gold equals one dollar), it appears that the Inj3ct0r site is run by the same group that discovered the zero-day vBulletin bug, which is priced at $7,000.

Update: A spokesman for Internet Brands -- the parent company of vBulletin -- emailed Monday to say the company had dismissed Inj3ct0r Team's claimed discovery of a zero-day vulnerability in the company's online forum software. "Given our analysis of the evidence provided by the Inject0r team, we do not believe that they have uncovered a 0-day vulnerability in vBulletin," read a related blog post from vBulletin's Luke, which was released after the above story ran. "These hackers were able to compromise an insecure system that was used for testing vBulletin mobile applications. The best defense against potential compromises is to keep your system running on the very latest patch release of the software."

Metrics, data classification, governance, compliance -- and your vendors -- are all part of the risk management equation. The The Risky Business Of Managing Risk report offers insight on the many pieces of the risk management puzzle, and how to make it work for your enterprise. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
11/19/2013 | 3:36:20 AM
Re: If you didn't realize vbulletin is insecure, you weren't paying attention
I read about vBulletin breach prompts password reset, I am suprised how come attackers managed using a zero-day flaw that is now being sold in several places online, I guess cross site scripting can be intervened into most forum site.
User Rank: Apprentice
11/18/2013 | 5:44:31 PM
Re: If you didn't realize vbulletin is insecure, you weren't paying attention
@jemison288 I know exactly what you mean. It's like having a car with a good warranty that frequently needs repairs that are covered. On the one hand, it's good that the dealer fixes everything, but, on the other hand, you'd really prefer to be spared the inconvenience of things breaking on it in the first place.
User Rank: Apprentice
11/18/2013 | 3:40:39 PM
Re: If you didn't realize vbulletin is insecure, you weren't paying attention
I don't know if I agree with that.  It's like saying, "I know it breaks a lot, but they have great customer support!"  Screw that, I'd rather have something that never breaks with crappy customer support--I won't need it.  (Early days of AWS were basically like that).
User Rank: Strategist
11/18/2013 | 3:34:31 PM
Re: If you didn't realize vbulletin is insecure, you weren't paying attention
Not to downplay this breach, but your point about vBulletin patching almost weekly is actually relativley promising. Patching regularly is better than not patching at all.
User Rank: Apprentice
11/18/2013 | 2:56:00 PM
If you didn't realize vbulletin is insecure, you weren't paying attention
VBulletin sends out something like a patch a week due to security problems.  Anyone still running vbulletin--after, say, 2008--is either asleep at the wheel or decided that the inevitability of being hacked through vbulletin was a reasonable risk.

Seriously--vbulletin, joomla, and a host of other popular PHP "applications" are so large and full of security holes that they're essentially impossible to secure.  No one with a serious business should be using any of them.
User Rank: Apprentice
11/18/2013 | 12:41:21 PM
Big-name brands
Considering the big-name brands that have built their forums using vBulletins, if I were any of those organizations I'd be pretty worried right now.

The question, of course, is what kind of data is stored in those forums. Pearl Jam (the band) sells tickets and merchandise through its website, but does that information touch the vBulletin forum porition of their site? What about Sony Pictures or EA?

According to the vBulletin site, NASA even uses its software for their forums.

I hope all the companies that use this service are monitoring closely and checking for exploits.
User Rank: Ninja
11/18/2013 | 12:29:45 PM
I'm not as worried by this now as I would have been a few years ago. It's been a while since I used a forum regularly. Now it's more common threads like this and social networks. 
Register for Dark Reading Newsletters
White Papers
Current Issue
E-Commerce Security: What Every Enterprise Needs to Know
The mainstream use of EMV smartcards in the US has experts predicting an increase in online fraud. Organizations will need to look at new tools and processes for building better breach detection and response capabilities.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio