Dark Reading is part of the Informa Tech Division of Informa PLC

vBulletin.com Hacked, Customer Data Stolen

"Inj3ct0r Team" hackers claim they employed vBulletin zero-day bug to take down both vBulletin.com and MacRumors, offer to sell related exploit.

Are all recent versions of the vBulletin online forum software vulnerable to a zero-day exploit that would give attackers full access to the targeted system?

That's the claim being made by European hacking group "Inj3ct0r Team," which on Thursday took to Facebook to claim credit for recently hacking not only MacRumors.com but also vBulletin.com, both of which run on vBulletin's forum software.

That claim led to vBulletin Friday issuing a hacking alert to its customers. Said Wayne Luke, vBulletin's technical support lead, in the security alert:

Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your account.

News of the vBulletin exploit led numerous organizations to take their forums offline, pending more information and a patch. "We have disabled the forums until there is resolution on a possible vulnerability," read the notice on the Def Con hacking conference forums.

As yet, vBulletin hasn't released a patch or provided further information about how attackers might have gained access to its system.

But Inj3ct0r Team Thursday claimed to have discovered a "0day exploit" for vBulletin's forum software. "We found a critical vulnerability in vBulletin all versions 4.x.x and 5.x.x," read the group's Facebook post. "We've got upload shell in vBulletin server, [downloaded] database and got root." In other words, the group claimed to have obtained direct access to vBulletin's server and downloaded a user database, which it cracked offline, thus revealing the login details for an administrator account with root-level access, which would have given attackers full access to all information being stored on vBulletin.com.

If Inj3ct0r Team's claims are accurate, part of the blame for the attack must be placed on vBulletin, because its forum software stores passwords using the MD5 cryptographic algorithm. Security experts regard MD5 as unfit for securing passwords -- no matter how it might be used -- because it's so easy to crack via offline attacks.
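
The paragraph above says MD5 is unfit for password storage. The following added example (not from the article and not vBulletin's code) shows one way a site could retire MD5 hashes without waiting for every user to log in: wrap each stored digest in scrypt, then re-hash the real password at the next successful login. The record layout, the `md5(md5(password) + salt)` legacy form, the scrypt parameters and all function names are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost: n=2**14, r=8 needs about 16 MiB of memory per guess.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def legacy_md5(password: str, salt: str) -> str:
    # Assumed legacy layout (illustrative): md5(md5(password) + salt), hex encoded.
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

def slow_hash(secret: bytes, salt: bytes) -> bytes:
    return hashlib.scrypt(secret, salt=salt, **SCRYPT)

def wrap_legacy(record: dict) -> dict:
    """Offline step: scrypt over the stored MD5 digest; no password needed."""
    salt = os.urandom(16)
    return {"scheme": "scrypt(md5)", "md5_salt": record["md5_salt"],
            "salt": salt, "hash": slow_hash(record["hash"].encode(), salt)}

def verify_and_upgrade(password: str, record: dict):
    """Return (ok, record). A successful login leaves a plain scrypt record."""
    if record["scheme"] == "scrypt(md5)":
        digest = legacy_md5(password, record["md5_salt"])
        candidate = slow_hash(digest.encode(), record["salt"])
    elif record["scheme"] == "scrypt":
        candidate = slow_hash(password.encode(), record["salt"])
    else:
        return False, record  # bare MD5 records are refused until wrapped
    if not hmac.compare_digest(candidate, record["hash"]):
        return False, record
    if record["scheme"] != "scrypt":
        salt = os.urandom(16)
        record = {"scheme": "scrypt", "salt": salt,
                  "hash": slow_hash(password.encode(), salt)}
    return True, record

if __name__ == "__main__":
    # Constructed sample record, not real data.
    old = {"scheme": "md5", "md5_salt": "x7Q", "hash": legacy_md5("hunter2", "x7Q")}
    wrapped = wrap_legacy(old)
    ok, upgraded = verify_and_upgrade("hunter2", wrapped)
    print(ok, wrapped["scheme"], "->", upgraded["scheme"])
```

Once every record has been wrapped, the bare MD5 column can be dropped, so a later database theft yields only scrypt output.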

Likewise, two-factor authentication might have prevented vBulletin's data breach by requiring anyone who wanted to access an administrator account to supply a second factor, for example a Google Authenticator code or a one-time code texted to a preset mobile phone number. But numerous online discussion threads suggest that vBulletin's software doesn't currently allow for two-factor authentication. In addition, the company declined to respond to an emailed request for comment, sent Thursday, about whether two-factor authentication could be added to its forum software and, if not, when the company might make this feature available.

In the case of the Apple enthusiast site MacRumors.com, which was hacked Monday, the attackers -- again Inj3ct0r Team -- obtained 860,000 usernames, email addresses, and encrypted credentials. But in a series of posts to the MacRumors.com forums, one of the attackers promised not to leak the data or harm people "unless we target you specifically for some unrelated reason."

What was the attackers' impetus for hacking those two sites? Money is the most likely explanation, since Inj3ct0r Team's Thursday hacking boast included -- for "all those wishing to buy a vulnerability and patch your forum" -- a link to purchase the "vBulletin v4.x.x and 5.x.x Shell Upload / Remote Code Execute (0day)" via the Inj3ct0r website, which describes itself as "the ultimate database of exploits and vulnerabilities."

Since the author of the vBulletin website is listed as being "1337Day Team" -- 1337 is hacker-speak for "elite" -- and the site accepts payment in the form of "1337Day Gold" (one piece of gold equals one dollar), it appears that the Inj3ct0r site is run by the same group that discovered the zero-day vBulletin bug, which is priced at $7,000.

Update: A spokesman for Internet Brands -- the parent company of vBulletin -- emailed Monday to say the company had dismissed Inj3ct0r Team's claimed discovery of a zero-day vulnerability in the company's online forum software. "Given our analysis of the evidence provided by the Inject0r team, we do not believe that they have uncovered a 0-day vulnerability in vBulletin," read a related blog post from vBulletin's Luke, which was released after the above story ran. "These hackers were able to compromise an insecure system that was used for testing vBulletin mobile applications. The best defense against potential compromises is to keep your system running on the very latest patch release of the software."

Comments
bonmon,
User Rank: Apprentice
7/18/2016 | 7:26:03 AM
Re: If you didn't realize vbulletin is insecure, you weren't paying attention
As he sees no one is safe.
samicksha,
User Rank: Apprentice
11/19/2013 | 3:36:20 AM
Re: If you didn't realize vbulletin is insecure, you weren't paying attention
I read about vBulletin breach prompts password reset, I am surprised how come attackers managed using a zero-day flaw that is now being sold in several places online, I guess cross site scripting can be intervened into most forum site.
Ariella,
User Rank: Apprentice
11/18/2013 | 5:44:31 PM
Re: If you didn't realize vbulletin is insecure, you weren't paying attention
@jemison288 I know exactly what you mean. It's like having a car with a good warranty that frequently needs repairs that are covered. On the one hand, it's good that the dealer fixes everything, but, on the other hand, you'd really prefer to be spared the inconvenience of things breaking on it in the first place.
jemison288,
User Rank: Apprentice
11/18/2013 | 3:40:39 PM
Re: If you didn't realize vbulletin is insecure, you weren't paying attention
I don't know if I agree with that.  It's like saying, "I know it breaks a lot, but they have great customer support!"  Screw that, I'd rather have something that never breaks with crappy customer support--I won't need it.  (Early days of AWS were basically like that).
kjhiggins,
User Rank: Strategist
11/18/2013 | 3:34:31 PM
Re: If you didn't realize vbulletin is insecure, you weren't paying attention
Not to downplay this breach, but your point about vBulletin patching almost weekly is actually relatively promising. Patching regularly is better than not patching at all.
jemison288,
User Rank: Apprentice
11/18/2013 | 2:56:00 PM
If you didn't realize vbulletin is insecure, you weren't paying attention
VBulletin sends out something like a patch a week due to security problems.  Anyone still running vbulletin--after, say, 2008--is either asleep at the wheel or decided that the inevitability of being hacked through vbulletin was a reasonable risk.

Seriously--vbulletin, joomla, and a host of other popular PHP "applications" are so large and full of security holes that they're essentially impossible to secure.  No one with a serious business should be using any of them.
Susan_Nunziata,
User Rank: Apprentice
11/18/2013 | 12:41:21 PM
Big-name brands
Considering the big-name brands that have built their forums using vBulletins, if I were any of those organizations I'd be pretty worried right now.

The question, of course, is what kind of data is stored in those forums. Pearl Jam (the band) sells tickets and merchandise through its website, but does that information touch the vBulletin forum portion of their site? What about Sony Pictures or EA?

According to the vBulletin site, NASA even uses its software for their forums.

I hope all the companies that use this service are monitoring closely and checking for exploits.
Whoopty,
User Rank: Ninja
11/18/2013 | 12:29:45 PM
Phew
I'm not as worried by this now as I would have been a few years ago. It's been a while since I used a forum regularly. Now it's more common threads like this and social networks. 