The Inquirer-Home

Hacking of forum software firm vBulletin spawns host of zero-day attacks

Led to hacking of Macrumours and Ubuntu forums
Mon Nov 18 2013, 12:07
First Shellshock malware emerges

FORUM SOFTWARE MAKER vBulletin has been compromised, leading to the theft of customer password data that has raised concerns that there is a critical vulnerability threatening websites running the program.

vBulletin, a proprietary internet forum software package that runs the forums for popular websites such as Macrumors and Ubuntu, announced in a blog post on Friday that its security team discovered sophisticated attacks on its network involving illegal access to forum user information.

"Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password," vBulletin Technical Support lead Wayne Luke wrote.

The acknowledgement arrived just a few days after Macrumours admitted that a security breach had led to the exposure of hashed passwords for over 860,000 users. At the time, Macrumors editorial director Arnold Kim wrote in a short advisory that the attack resembled the attack on Ubuntu user forums in July.

Suspicions were realised when members of hacker team Inj3ct0r published a Facebook post claiming that they were responsible for the attacks on both vBulletin and Macrumours.

The Inj3ct0r Team members said they breached the vBulletin website by exploiting a previously undocumented vulnerability in the vBulletin software. They then used this privileged access to obtain login credentials for the Macrumors moderator account. After logging in to the account, they stole the password hashes for 860,106 Macrumors accounts.

"Inj3ct0r Team hacked and Inj3ct0r Team hacked the big CMS vendor We got shell, database and root server," the post read.

"We wanted to prove that nothing in this world is not safe. We found a critical vulnerability in vBulletin all versions 4.x.x and 5.х.x. We've got upload shell in vBulletin server, download database and got root."

vBulletin has yet to respond to our request for comment regarding the claimed zero-day attack on its network.

However, once word got out that there might be a critical vulnerability in the forum software, user forums for the Defcon hacker conference were temporarily shut on Sunday evening. The forum's landing page now reads, "We have disabled the forums until there is resolution on a possible vulnerability. Once we have a fix/patch installed, we'll re-open service."

The Inj3ct0r Facebook post gives the option for forum owners to buy a patch to fix the vulnerability they exploited, with a link that directs them to the team's website for "7000 gold", a currency that we can only imagine derives from the underground. µ


Share this:

blog comments powered by Disqus
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

INQ Poll

Happy new year!

What tech are you most looking forward to in 2015