Forums › Life › Computers, Gadgets & Technology › Forum, Blog & Community Software › vBulletin.com has been hacked and passwords stolen
An interview with the claimed authors of the hack on macrumours.com and vBulletin.com by Arstechnica…
The group that hacked MacRumors Forums and made off with password data for more than 860,000 users has no plans to use it to mass compromise the accounts of people who use the same login credentials on other sites.
The pledge was made in this post by a user who supplied confidential password details that weren’t publicly available. Among other things, that information included partial cryptographic hash corresponding to the password of MacRumors Editorial Director Arnold Kim, as well as the cryptographic salt used to increase the time required to crack it. Kim told Ars that those and other confidential details included in the post were “legit.” The user went on to defend the hack as a benign undertaking designed to sharpen the skills of both the hacker and the MacRumors administrators.
“We’re not logging in to your gmails, apple accounts, or even your yahoo accounts (unless we target you specifically for some unrelated reason),” the user known simply as Lol wrote. “We’re not terrorists. Stop worrying, and stop blaming it on Macrumors when it was your own fault for reusing passwords in the first place.”
He continued: “Consider the ‘malicious’ attack friendly. The situation could have been catastrophically worse if some fame-driven idiot was the culprit and the database were to be leaked to the public.”
In subsequent posts here and here, Lol expanded on the thinking behind the hack. “Outside of this hobby, *cough*, I do partake in whitehat activities and try to contribute to some open source projects etc. It builds quite the resumé.” The MacRumors breach, Lol added, was taken on “to test myself. I never defaced the site, I never bragged about it anywhere, I just got in and got out.”
Lol went on to counter speculation that the hack was the result of exploiting one or more vulnerabilities in VBulletin, the open-source fee-based software that powered the MacRumors forums.
“The fault lied [sic] within a single moderator,” the post stated. “All of you kids that are saying upgrade from 3.x to 4.x or 5.x have no idea what you’re talking about.”
Lol confirmed that the MacRumors password hashes totaled 860,106. Interestingly, more than half of them contained a cryptographic salt that had a length of just three “bits,” although I’m guessing Lol really meant “bytes,” which would mean each one contained just three characters.
Salts are pseudo-random strings that are appended to the plain text of passwords before they are run through a one-way hash function. Salting is designed to increase the time it takes to crack large numbers of hashes by requiring the attacker to make guesses against each hash individually instead of all at once. (Salting also prevents cracking through the use of rainbow tables, although in the age of video cards and efficient dictionary attacks made possible by Hashcat and other free cracking programs, few people use that method anymore.) To be truly effective, salts must be unique for every hash, something that generally isn’t possible with a three-byte salt.
“Anyone that’d been active recently will have a longer salt, which will slow down the hash cracking by a fraction of the time it would have taken (duplicate salts = less work [to] do, it’s like to have many with a 3 bit salt),” Lol wrote. “We’re not ‘mass cracking’ the hashes. It doesn’t take long whatsoever to run a hash through hashcat with a few dictionaries and salts and get results.”
While the confidential details included in the post proves the writer has insider knowledge into the hack, readers are advised to maintain a healthy skepticism of all remaining claims. For instance, counter to Lol’s claims, there’s no way right now to be sure the hack wasn’t executed by exploiting a VBulletin vulnerability. And of course, MacRumors account holders shouldn’t take the word of an admitted trespasser that their accounts on other sites won’t be accessed.
I hate how companies let people sit and wait for info when possible security risks are at hand. I remember a website run by Electronic arts was hacked to pieces and wouldn’t give us any info as to weather our bank details had been compromised.
Anyway, all seems well for now.
I’ve updated several of the posts above in light of current information about the hacking of vBulletin.com.
Last update from arn at MR;
The vBulletin attack seems to have been from October-ish, according to some posts (above). And not known about until now.
We do believe that our moderator account had a password taken from vBulletin.org and that was used to access MacRumors.
Given the lag time between October and now, it’s very possible that many other forums have been hacked and simply don’t know it yet. In fact, one of the files used in the MacRumors hack was hosted on another legitimate looking site, so we suspect they have been hacked as well. I contacted them, notifying them, but haven’t heard back.
arn
The following official annoucement has appeared on vBulletin.org: “Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password,” vBulletin Technical Support Lead Wayne Luke wrote in a post published Friday evening. “Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password.”
Thanks Sinner, I hadn’t see this update.
@!sinner69! 558493 wrote:
Last update from arn at MR;
In a new development Arstechnica have posted an article on the hack. The piece concludes by suggesting all forums running vBulletin 4 or vBulletin 5 should consider shutting their doors until word of this claimed vulnerability is officially confirmed or denied. However I have to say that I find the suggestion a little extreme given the number of forums concerned. I’m also skeptical as to whether closing a forum would stop hackers if there really is a vulnerability. Still more official information from Internet Brands would be helpful..
Readers who operate websites that run on versions 4 or 5 of vBulletin should consider following Defcon’s example and disabling their user forums—at least until vBulletin officials provide assurances there are no known vulnerabilities in their software and offer an explanation of the attack that hit their site. To be clear, there is no confirmation of the claim hackers have a reliable exploit for a critical vulnerability in fully patched versions of the software. That said, the events of the past five days give good reason for concern. This article will be updated if vBulletin officials break their silence and provide much-needed guidance about their software.
Password hack of vBulletin.com fuels fears of in-the-wild 0-day attacks | Ars Technica
Some useful suggestions for improving server and forum security:
Server Security
Disable external logins to your ‘root’ account. They can’t break in if they don’t know your username!
Install denyhosts or fail2ban on your server to prevent brute-force attempts.
Employ the use of two-factor authentication (Duo Security, or Google Authenticator).
Route your site through CloudFlare to make your server IP harder to find.
Ensure that Apache/Nginx/PHP and other web services run on a non-root user, so that any uploads may not compromise your entire server.
Make sure that MySQL can only be accessed by localhost – maintenance can be done via SSH tunnel or phpMyAdmin
Forum Security
Give your administrators only what they absolutely need – nothing more. Limit the management of plugins and templates only to those who absolutely need it.
Give your moderators only what they need. There is far less opportunity for abuse here, but regardless, do check what your moderators can access.
Demote the accounts of any inactive staff. The more stray elevated accounts hanging around, the more opportunity for a hacker to get in if any of them were using a weak password or had their email compromised.
Put some kind of policy in place for your staff to change their passwords on a regular basis.
If you want to get really technical, you could implement two-factor authentication for your forum accounts. Personally, I’d only want to implement this for moderators.
Some more information on the macrumours.com hack from Kerbsonsecurity:
That same day, I reached out to both vBulletin and Macrumors. I heard immediately from MacRumors owner Arnold Kim, who pointed my attention to a story the publication put up last Monday acknowledging a breach. Kim said MacRumors actually runs version 3.x of vBulletin, and that the hackers appear to have broken in using a clever cross-site-scripting attack.
“In VB3, moderators can post ‘announcements’ in the forum, and by default announcements allow HTML,” Kim explained. “The hacker or hackers were able to somehow get a moderator’s login password, and used that to embed Javascript in an announcement and waited for an administrator to load that page. Once that happened, the Javascript installed a plugin in the background that allowed [the attackers] to execute PHP scripts.”
Kim said the attackers in that case even came on the Macrumors forum and posted a blow-by-blow of the attack, confirming that the cause of the breach was a compromised moderator account. Kim said the person who left the comment was using the same Internet address as the attacker who hacked his forum, and that the moderator account that got compromised on MacRumors also had an account with the same name and password on vBulletin.com.
“Stop [blaming] this on the ‘outdated vBulletin software’,” the apparent culprit wrote. ” The fault lied within a single moderator. All of you kids that are saying upgrade from 3.x to 4.x or 5.x have no idea what you’re talking about. 3.x is far more secure than the latter. Just because it’s older, it doesn’t mean it’s any worse.”
My recommendation: Disable HTML in posts and Announcements immediately across the board (no pun!).
An officialstatement from Internet Brands on whether a new zero day exploit exists as claimed by the hackers:
Given our analysis of the evidence provided by the Inject0r team, we do not believe that they have uncovered a 0-day vulnerability in vBulletin.
These hackers were able to compromise an insecure system that was used for testing vBulletin mobile applications. The best defense against potential compromises is to keep your system running on the very latest patch release of the software.
Regards,
Wayne Luke.
An additional statement from Internet Brands on the security breach of vBulletin.com:
Here is some updated information on our recent security issue that I have been asked to pass on to you.
The following is an update regarding the previously reported attack on vBulletin.com and vBulletin.org. The assessment of the attack has been completed and we wish to assure the community of vBulletin site operators and users that such attacks were not due to any inherent security vulnerability in the vBulletin software, including any zero-day vulnerability.
Based on our assessment, the attack was conducted by malicious hackers leveraging log-on data for servers on vBulletin.com and vBulletin.org to unlawfully gain access to user tables. No other vBulletin.com web servers were impacted.
Following discovery of the attack, all administrative and user passwords on vBulletin.com and vBulletin.org were changed. In addition, vBulletin.com and vBulletin.org users were notified of the attack and the need to change their passwords.
We take security matters very seriously and will continue to monitor our servers.
Any forum owners who may want to disable HTML in forum posts but would rather not have to go through each sub-forum individually can use the following SQL query to disable them for all sub-forums simultaneously…
– IF you have a table prefix
– Change PREFIX to your table prefix.
These queries should work equally well for any forums running vBulletin 3.x or vBulletin 4.x. vBulletin 5 doesn’t allow the setting to be changed globally however that version has a per usergroup setting. Which is off by default.
0
Voices
25
Replies
Tags
This topic has no tags
Forums › Life › Computers, Gadgets & Technology › Forum, Blog & Community Software › vBulletin.com has been hacked and passwords stolen