vBulletin.com Hacked, Customer Data Stolen

"Inj3ct0r Team" hackers claim they employed vBulletin zero-day bug to take down both vBulletin.com and MacRumors, offer to sell related exploit.

Are all recent versions of the vBulletin online forum software vulnerable to a zero-day exploit that would give attackers full access to the targeted system?

That's the claim being made by the European hacking group "Inj3ct0r Team," which on Thursday took to Facebook to claim credit for recently hacking not only MacRumors.com but also vBulletin.com, both of which run on vBulletin's forum software.

That claim led vBulletin to issue a hacking alert to its customers on Friday. Wayne Luke, vBulletin's technical support lead, said in the security alert:

Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your account.


News of the vBulletin exploit led numerous organizations to take their forums offline, pending more information and a patch. "We have disabled the forums until there is resolution on a possible vulnerability," read the notice on the Def Con hacking conference forums.

As yet, vBulletin hasn't released a patch or provided further information about how attackers might have gained access to its system.

But Inj3ct0r Team Thursday claimed to have discovered a "0day exploit" for vBulletin's forum software. "We found a critical vulnerability in vBulletin all versions 4.x.x and 5.x.x," read the group's Facebook post. "We've got upload shell in vBulletin server, [downloaded] database and got root." In other words, the group claimed to have obtained direct access to vBulletin's server and downloaded a user database, which it cracked offline, thus revealing the login details for an administrator account with root-level access, which would have given attackers full access to all information being stored on vBulletin.com.

If Inj3ct0r Team's claims are accurate, part of the blame for the attack must be placed on vBulletin, because its forum software stores passwords using the MD5 cryptographic algorithm. Security experts regard MD5 as unfit for securing passwords -- no matter how it might be used -- because it's so easy to crack via offline attacks.
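The practical fix for the MD5 problem described above is to re-hash stored passwords with a deliberately slow, salted function and to upgrade legacy records transparently the next time each user logs in. The following is an added example (not vBulletin's code and not from the article); the legacy layout md5(md5(password) + salt) is an assumption modelled on older vBulletin releases, and the record format is constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# PBKDF2 is slow on purpose: each offline guess costs this many HMAC rounds,
# whereas a single MD5 costs one. Tune to roughly 100 ms on your own hardware.
PBKDF2_ITERATIONS = 200_000


def legacy_md5_record(password: str, salt: str) -> dict:
    # Assumed legacy layout: md5(md5(password) + salt). Constructed for the example.
    inner = hashlib.md5(password.encode()).hexdigest()
    digest = hashlib.md5((inner + salt).encode()).hexdigest()
    return {"scheme": "md5", "salt": salt, "hash": digest}


def pbkdf2_record(password: str, salt: Optional[bytes] = None) -> dict:
    # Hardened record: random 16-byte salt, PBKDF2-HMAC-SHA256, iteration count stored
    # alongside so it can be raised later without breaking verification.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2_sha256", "iterations": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "hash": dk.hex()}


def verify(record: dict, password: str) -> bool:
    # Constant-time comparison in both branches so the check leaks no timing signal.
    if record["scheme"] == "md5":
        candidate = legacy_md5_record(password, record["salt"])["hash"]
        return hmac.compare_digest(candidate, record["hash"])
    if record["scheme"] == "pbkdf2_sha256":
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
        return hmac.compare_digest(dk.hex(), record["hash"])
    return False  # unknown scheme: fail closed


def login(record: dict, password: str) -> Tuple[bool, dict]:
    """Return (ok, record). On success a legacy MD5 record is replaced by a PBKDF2 one,
    which is the only moment the plaintext is available to re-hash it."""
    if not verify(record, password):
        return False, record
    if record["scheme"] == "md5":
        record = pbkdf2_record(password)
    return True, record
```

Persist the returned record after every successful login; once all users have logged in (or been forced through a reset, as vBulletin did), the MD5 branch can be deleted.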

Likewise, two-factor authentication might have prevented vBulletin's data breach by requiring anyone who wanted to access an administrator account to provide a second factor, provided, for example, via a Google Authenticator code or a one-time code texted to a preset mobile phone number. But numerous online discussion threads suggest that vBulletin's software doesn't currently allow for two-factor authentication. In addition, the company declined to respond to an emailed request for comment, sent Thursday, about whether two-factor authentication could be added to its forum software and, if not, when the company might make this feature available.
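A Google Authenticator code is a TOTP value (RFC 6238: HMAC-SHA1 over a 30-second time counter, truncated to six digits), so adding the second factor to an admin login is a small amount of server-side code. The block below is an added example, not vBulletin's or the article's; the replay check via `last_counter` is my own addition to the basic algorithm.

```python
import base64
import hmac
import struct
import time
from typing import Optional


def decode_base32_secret(secret_b32: str) -> bytes:
    # Authenticator apps share secrets as unpadded base32; restore padding before decoding.
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226 dynamic truncation of HMAC-SHA1(secret, counter as 8-byte big-endian).
    mac = hmac.new(secret, struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, now: Optional[int] = None,
                window: int = 1, step: int = 30,
                last_counter: int = -1) -> Optional[int]:
    """Return the matching time counter, or None if the code is wrong or replayed.

    window=1 tolerates one step of clock drift either side. The caller stores the
    returned counter as last_counter so the same code cannot be accepted twice.
    """
    now = int(time.time()) if now is None else now
    base = now // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter <= last_counter:
            continue  # already used (or older): reject to stop replay
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None
```

In a login flow, check the password first, then require a valid code before issuing a session; rate-limit code attempts, since six digits leave only a million guesses.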

In the case of the Apple enthusiast site MacRumors.com, which was hacked Monday, the attackers -- again Inj3ct0r Team -- obtained 860,000 usernames, email addresses, and encrypted credentials. But in a series of posts to the MacRumors.com forums, one of the attackers promised not to leak the data or harm people "unless we target you specifically for some unrelated reason."

What was the attackers' impetus for hacking those two sites? Money is the most likely explanation, since Inj3ct0r Team's Thursday hacking boast included -- for "all those wishing to buy a vulnerability and patch your forum" -- a link to purchase the "vBulletin v4.x.x and 5.x.x Shell Upload / Remote Code Execute (0day)" via the Inj3ct0r website, which describes itself as "the ultimate database of exploits and vulnerabilities."

Since the author of the vBulletin website is listed as being "1337Day Team" -- 1337 is hacker-speak for "elite" -- and the site accepts payment in the form of "1337Day Gold" (one piece of gold equals one dollar), it appears that the Inj3ct0r site is run by the same group that discovered the zero-day vBulletin bug, which is priced at $7,000.

Update: A spokesman for Internet Brands -- the parent company of vBulletin -- emailed Monday to say the company had dismissed Inj3ct0r Team's claimed discovery of a zero-day vulnerability in the company's online forum software. "Given our analysis of the evidence provided by the Inject0r team, we do not believe that they have uncovered a 0-day vulnerability in vBulletin," read a related blog post from vBulletin's Luke, which was released after the above story ran. "These hackers were able to compromise an insecure system that was used for testing vBulletin mobile applications. The best defense against potential compromises is to keep your system running on the very latest patch release of the software."

User Rank: Apprentice
7/18/2016 | 7:26:03 AM
Re: If you didn't realize vbulletin is insecure, you weren't paying attention
As he sees no one is safe.
User Rank: Apprentice
11/19/2013 | 3:36:20 AM
Re: If you didn't realize vbulletin is insecure, you weren't paying attention
I read about the vBulletin breach prompting a password reset. I am surprised how the attackers managed it using a zero-day flaw that is now being sold in several places online; I guess cross-site scripting can be intervened into most forum sites.
User Rank: Apprentice
11/18/2013 | 5:44:31 PM
Re: If you didn't realize vbulletin is insecure, you weren't paying attention
@jemison288 I know exactly what you mean. It's like having a car with a good warranty that frequently needs repairs that are covered. On the one hand, it's good that the dealer fixes everything, but, on the other hand, you'd really prefer to be spared the inconvenience of things breaking on it in the first place.
User Rank: Apprentice
11/18/2013 | 3:40:39 PM
Re: If you didn't realize vbulletin is insecure, you weren't paying attention
I don't know if I agree with that.  It's like saying, "I know it breaks a lot, but they have great customer support!"  Screw that, I'd rather have something that never breaks with crappy customer support--I won't need it.  (Early days of AWS were basically like that).
User Rank: Strategist
11/18/2013 | 3:34:31 PM
Re: If you didn't realize vbulletin is insecure, you weren't paying attention
Not to downplay this breach, but your point about vBulletin patching almost weekly is actually relatively promising. Patching regularly is better than not patching at all.
User Rank: Apprentice
11/18/2013 | 2:56:00 PM
If you didn't realize vbulletin is insecure, you weren't paying attention
VBulletin sends out something like a patch a week due to security problems.  Anyone still running vbulletin--after, say, 2008--is either asleep at the wheel or decided that the inevitability of being hacked through vbulletin was a reasonable risk.

Seriously--vbulletin, joomla, and a host of other popular PHP "applications" are so large and full of security holes that they're essentially impossible to secure.  No one with a serious business should be using any of them.
User Rank: Apprentice
11/18/2013 | 12:41:21 PM
Big-name brands
Considering the big-name brands that have built their forums using vBulletins, if I were any of those organizations I'd be pretty worried right now.

The question, of course, is what kind of data is stored in those forums. Pearl Jam (the band) sells tickets and merchandise through its website, but does that information touch the vBulletin forum portion of their site? What about Sony Pictures or EA?

According to the vBulletin site, NASA even uses its software for their forums.

I hope all the companies that use this service are monitoring closely and checking for exploits.
User Rank: Ninja
11/18/2013 | 12:29:45 PM
I'm not as worried by this now as I would have been a few years ago. It's been a while since I used a forum regularly. Now it's more common threads like this and social networks. 