Inj3ct0r Team hackers claim they employed vBulletin zero-day bug to take down both vBulletin.com and MacRumors, offer to sell related exploit.

Mathew J. Schwartz, Contributor

November 18, 2013


Are all recent versions of the vBulletin online forum software vulnerable to a zero-day exploit that would give attackers full access to the targeted system?

That's the claim being made by European hacking group "Inj3ct0r Team," which Thursday took to Facebook to take credit for recently hacking not only MacRumors.com but also vBulletin.com, both of which run on vBulletin's forum software.

That claim led vBulletin to issue a hacking alert to its customers on Friday. Said Wayne Luke, vBulletin's technical support lead, in the security alert:

Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your account.


News of the vBulletin exploit led numerous organizations to take their forums offline, pending more information and a patch. "We have disabled the forums until there is resolution on a possible vulnerability," read the notice on the Def Con hacking conference forums.

As yet, vBulletin hasn't released a patch or provided further information about how attackers might have gained access to its system.

But Inj3ct0r Team Thursday claimed to have discovered a "0day exploit" for vBulletin's forum software. "We found a critical vulnerability in vBulletin all versions 4.x.x and 5.x.x," read the group's Facebook post. "We've got upload shell in vBulletin server, [downloaded] database and got root." In other words, the group claimed to have obtained direct access to vBulletin's server and downloaded a user database, which it cracked offline, thus revealing the login details for an administrator account with root-level access, which would have given attackers full access to all information being stored on vBulletin.com.

If Inj3ct0r Team's claims are accurate, part of the blame for the attack must be placed on vBulletin, because its forum software stores passwords using the MD5 cryptographic algorithm. Security experts regard MD5 as unfit for securing passwords -- no matter how it might be used -- because it's so easy to crack via offline attacks.
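To make the MD5 point concrete, the following added example (not from the article or from vBulletin's code) compares the per-guess cost of a salted MD5 hash with scrypt and shows a defender upgrading legacy records at login. The salted double-MD5 layout, the record fields and the function names are assumptions for illustration; the article says only that MD5 is used.

```python
import hashlib
import hmac
import os
import time

def legacy_md5_hash(password: str, salt: str) -> str:
    # Assumed legacy layout: md5(md5(password) + salt), hex encoded.
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

def scrypt_hash(password: str, salt: bytes) -> bytes:
    # Memory-hard KDF: each guess costs about 16 MiB of RAM plus CPU time.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=32)

def verify_and_upgrade(record: dict, password: str) -> bool:
    """Check a login; on success, replace a legacy MD5 record with scrypt."""
    if record["scheme"] == "md5":
        candidate = legacy_md5_hash(password, record["salt"])
        if not hmac.compare_digest(candidate, record["hash"]):
            return False
        new_salt = os.urandom(16)
        record.update(scheme="scrypt", salt=new_salt,
                      hash=scrypt_hash(password, new_salt))
        return True
    candidate = scrypt_hash(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])

def cost_ratio(md5_rounds: int = 2000, scrypt_rounds: int = 3) -> float:
    """How many times more expensive one scrypt guess is than one MD5 guess."""
    start = time.perf_counter()
    for i in range(md5_rounds):
        legacy_md5_hash(f"guess{i}", "abc")
    md5_per_guess = (time.perf_counter() - start) / md5_rounds
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(scrypt_rounds):
        scrypt_hash(f"guess{i}", salt)
    scrypt_per_guess = (time.perf_counter() - start) / scrypt_rounds
    return scrypt_per_guess / md5_per_guess

if __name__ == "__main__":
    # Constructed sample record, as it might sit in a stolen user table.
    user = {"scheme": "md5", "salt": "abc",
            "hash": legacy_md5_hash("correct horse", "abc")}
    print("login ok:", verify_and_upgrade(user, "correct horse"))
    print("stored scheme is now:", user["scheme"])
    print(f"one scrypt guess costs about {cost_ratio():,.0f}x one MD5 guess")
```

Upgrading at login only protects accounts that sign in again; dormant legacy hashes stay at MD5 strength until they are reset or wrapped in the stronger function.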

Likewise, two-factor authentication might have prevented vBulletin's data breach by requiring anyone who wanted to access an administrator account to provide a second factor, provided, for example, via a Google Authenticator code or a one-time code texted to a preset mobile phone number. But numerous online discussion threads suggest that vBulletin's software doesn't currently allow for two-factor authentication. In addition, the company declined to respond to an emailed request for comment, sent Thursday, about whether two-factor authentication could be added to its forum software and, if not, when the company might make this feature available.

In the case of the Apple enthusiast site MacRumors.com, which was hacked Monday, the attackers -- again Inj3ct0r Team -- obtained 860,000 usernames, email addresses, and encrypted credentials. But in a series of posts to the MacRumors.com forums, one of the attackers promised not to leak the data or harm people "unless we target you specifically for some unrelated reason."

What was the attackers' impetus for hacking those two sites? Money is the most likely explanation, since Inj3ct0r Team's Thursday hacking boast included -- for "all those wishing to buy a vulnerability and patch your forum" -- a link to purchase the "vBulletin v4.x.x and 5.x.x Shell Upload / Remote Code Execute (0day)" via the Inj3ct0r website, which describes itself as "the ultimate database of exploits and vulnerabilities."

Since the author of the vBulletin website is listed as being "1337Day Team" -- 1337 is hacker-speak for "elite" -- and the site accepts payment in the form of "1337Day Gold" (one piece of gold equals one dollar), it appears that the Inj3ct0r site is run by the same group that discovered the zero-day vBulletin bug, which is priced at $7,000.

Update: A spokesman for Internet Brands -- the parent company of vBulletin -- emailed Monday to say the company had dismissed Inj3ct0r Team's claimed discovery of a zero-day vulnerability in the company's online forum software. "Given our analysis of the evidence provided by the Inject0r team, we do not believe that they have uncovered a 0-day vulnerability in vBulletin," read a related blog post from vBulletin's Luke, which was released after the above story ran. "These hackers were able to compromise an insecure system that was used for testing vBulletin mobile applications. The best defense against potential compromises is to keep your system running on the very latest patch release of the software."


About the Author(s)

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
