11/14/2013
09:46 AM
MacRumors Hacker Promises Stolen Passwords Are Safe

Hacker grabbed 860,000 passwords for fun, but promises not to leak or use them to harm people.

The hacker behind Monday's breach of an Apple-related rumor and news website has promised to not leak any of the 860,000 passwords he stole.

But the hacker -- known as "lol" -- said that any users who'd reused the same password on other sites had only themselves to blame. "We're not terrorists," he said. "Stop worrying, and stop blaming it on Macrumors when it was your own fault for reusing passwords in the first place."

The MacRumors website disclosed the breach Tuesday, saying that an attacker accessed a moderator account for the vBulletin software -- sold by Internet Brands -- that runs its online forums, then escalated their access privileges and dumped a database containing usernames, email addresses and passwords, which were hashed and salted. The site recommended that all users immediately change their password for MacRumors, as well as for any other site on which they'd used the same password.

"We sincerely apologize for the intrusion, and are still investigating the attack with the help of a third-party security researcher," said "MacRumors god" Arn Kim. "We believe that at least some user information was obtained during the attack," including passwords, he added. "They are vBulletin's standard md5 hashed and salted. Which is not that strong, so assume that your password can be determined with time."
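Kim's warning to "assume that your password can be determined with time" applies to any fast hash, salted or not. One defender's response is to re-hash each password with a slow key-derivation function the next time its owner logs in, when the plaintext is briefly available. The following is an added example in Python, not MacRumors' or vBulletin's code; it assumes vBulletin 3/4's legacy md5(md5(password) + salt) construction (the article says only "md5 hashed and salted"), and the user record, salt and password are constructed sample data.

```python
# Added example: upgrade legacy salted-MD5 hashes to PBKDF2 on successful login.
# Assumes vBulletin 3/4's md5(md5(password) + salt) layout; record data is constructed.
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumption: tune so one check costs ~100 ms on your server


def legacy_vb_hash(password: str, salt: str) -> str:
    """vBulletin 3/4 style: md5(md5(password) + salt), hex encoded. Fast, hence weak."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Slow salted KDF; the stored string carries algorithm, work factor and salt."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_and_upgrade(record: dict, password: str) -> bool:
    """Check a login attempt; if it succeeds against a legacy hash, re-hash in place.

    Returns True when the password matches. Comparisons are constant-time so the
    verifier itself does not leak which bytes of the digest matched.
    """
    if record["scheme"] == "vb_md5":
        expected = legacy_vb_hash(password, record["salt"])
        if not hmac.compare_digest(expected, record["hash"]):
            return False
        # The plaintext is known only during this successful login, so this is
        # the one moment the stored hash can be replaced with a slow KDF.
        record.update(scheme="pbkdf2_sha256", salt="",
                      hash=pbkdf2_hash(password, os.urandom(16)))
        return True
    if record["scheme"] == "pbkdf2_sha256":
        _, iters, salt_hex, _ = record["hash"].split("$")
        candidate = pbkdf2_hash(password, bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(candidate, record["hash"])
    raise ValueError(f"unknown password scheme {record['scheme']!r}")


# Constructed sample record: a legacy vBulletin-style hash of the password "correct horse".
SAMPLE_USER = {"scheme": "vb_md5", "salt": "aB3$k",
               "hash": legacy_vb_hash("correct horse", "aB3$k")}
```

Users who never log in again keep their fast hash, so a forced reset for stale accounts (as MacRumors recommended) still has to accompany the lazy upgrade.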

In a series of MacRumors forum posts, lol confirmed Wednesday that he'd dumped the forum database and obtained usernames, email addresses, and salted and hashed passwords for 860,106 users. As proof that he was behind the hack, lol also published the first 16 bits of Kim's old password hash, as well as the salt used for the password. But lol promised not to leak or even crack the passwords, or use the information to hack into people's Gmail, Apple, Yahoo or other accounts, "unless we target you specifically for some unrelated reason."

"Consider the 'malicious' attack friendly," said lol. "The situation could have been catastrophically worse if some fame-driven idiot was the culprit and the database were to be leaked to the public."

Why hack the site? "To test myself," he said in an online post. "I never defaced the site, I never bragged about it anywhere, I just got in and got out."

In response to criticism that he should have alerted the website administrator to the flaw, rather than simply stealing the passwords, lol said that he sometimes contributes in a less black-hat fashion to the greater good. "Outside of this hobby, *cough*, I do partake in whitehat activities and try to contribute to some open source projects etc.," he said.

Interestingly, lol also lauded MacRumors for quickly warning users about the breach, and detailing precisely what happened. "Many other huge companies and corporations, probably some that you're all registered to, have taken days, weeks, or even never, to report a compromise. You should be thankful," he said.

Tripwire security researcher Ken Westin echoed that assessment. "The straightforward approach that MacRumors has taken with regards to the breach is to be commended," he said in a blog post. "Instead of attempting to cover up the breach, or make assumptions regarding the level of security the hashed passwords provided, they were quite up front with their community."

The MacRumors breach is a reminder to never reuse passwords across different websites. Facebook, amongst other sites, recently revealed that it has been watching for users who reuse passwords -- by mining plaintext data dumps from hackers or third-party researchers with access to stolen data -- and forcing them to verify their identity and change their password when next they log in.

"To help manage distinct passwords for every website, you can use a password manager such as Lastpass, 1Password or iCloud keychain in Mavericks," said Kim at MacRumors.

This isn't the first hack to involve vBulletin software. Notably, the forum software was compromised earlier this year in a hack of Apple's developer portal. In that case, a hacker named "Sput" who claimed credit likewise promised not to crack or leak the stolen passwords. "You don't have to worry about a DB leak. That isn't how I like to do things," he said in an online post.

In the case of MacRumors, however, lol said that the vBulletin software wasn't to blame for the breach, saying instead that "the fault lied within a single moderator." That suggests that a MacRumors moderator chose an insecure password, which lol either guessed or matched using a dictionary attack, which tries an exhaustive list of likely passwords against the target.

On the other hand, MacRumors' breach disclosure said the attack appeared to be similar to a July hack of the Ubuntu forums. According to Ubuntu's attack postmortem, the hacker gained access to a moderator's account, then tricked another moderator with higher privileges into viewing a post on the site that likely contained a cross-site scripting attack, which grabbed that higher-privileged account's vBulletin session cookie. Once the attacker had the cookie, he had full access to the entire site. The Ubuntu forum administrators said they'd made a number of changes to the default vBulletin configuration to help prevent repeat attacks.

Another defense against lol's hack would have been to secure all MacRumors moderator accounts using two-factor authentication. A vBulletin spokesman didn't immediately respond to an emailed request for comment about whether two-factor authentication can be used with the forum software, but multiple posts to vBulletin's forums suggest this isn't currently possible.

Comments
majenkins
User Rank: Apprentice
11/14/2013 | 7:48:15 PM
re: MacRumors Hacker Promises Stolen Passwords Are Safe
I am with you ThomasClaburn. Anyone that trusts this person not to disclose or use this information is being very naive, and I just happen to have a nice bridge I will sell them real cheap.
Kelly22
User Rank: Apprentice
11/14/2013 | 7:44:56 PM
re: MacRumors Hacker Promises Stolen Passwords Are Safe
I'm with you on that. After news of this "friendly" attack, I'll definitely be making a few password changes. I guess it could have been worse, but I'd still feel uneasy with my info under lol's control.
jameane
User Rank: Apprentice
11/14/2013 | 7:38:37 PM
re: MacRumors Hacker Promises Stolen Passwords Are Safe
I guess it is time to update my Macrumors password. I joined so long ago, I don't have that username anywhere else!
Thomas Claburn
User Rank: Moderator
11/14/2013 | 7:24:57 PM
re: MacRumors Hacker Promises Stolen Passwords Are Safe
Somehow that promise not to leak the passwords isn't very comforting.