November 18, 2013
Zero-Day Hackers Take Claim For vBulletin, MacRumors Breach
Peter Suciu for redOrbit.com - Your Universe Online
Last Friday vBulletin Solutions, the creators of vBulletin software, announced they had reset the passwords for all accounts on the vBulletin support forums. This came after confirmation that hackers had broken into the systems and compromised customer log-in information. This reportedly included not only the vBulletin.com forums but also those of MacRumors.com.
On Thursday, the Inj3ct0r Exploit Database claimed on its public Facebook page that it had hacked into those forums. The post read, “Inj3ct0r Team hacked vBulletin.com and Macrumors.com. Inj3ct0r Team hacked the big CMS vendor vBulletin.com. We got shell, database and root server. We wanted to prove that nothing in this world is not safe. We found a critical vulnerability in vBulletin all versions 4.x.x and 5.x.x. We’ve got upload shell in vBulletin server, download database and got root.”
“We take your security and privacy very seriously,” Wayne Luke, vBulletin technical support lead, wrote in a forum post on Friday. “Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your account.”
Luke also advised users to choose a new password for vBulletin, as well as passwords for other sites.
The attack was confirmed on MacRumors, where owner Arnold Kim posted, “The MacRumors Forums were targeted and hacked in a similar manner to the Ubuntu forums in July.”
The attack was severe enough that numerous organizations opted to take their forums offline and wait for a patch. As of press time on Monday, no patch had been issued, and apart from the statement by Luke, no further information about the attack had been released. Beyond the Inj3ct0r Team’s posted claim to have a zero-day exploit for all versions of the forum software, it remains unclear how the attackers may have gained access to the systems.
Information Week noted that security researchers have already called out vBulletin for allowing the hacks to occur. This is because vBulletin may have relied on the MD5 cryptographic algorithm, which experts have claimed is unfit for securing passwords – in part because it is easy to exploit.
“Two-factor authentication might have prevented vBulletin’s data breach by requiring anyone who wanted to access an administrator account to provide a second factor, provided, for example, via a Google Authenticator code or a one-time code texted to a preset mobile phone number,” wrote Mathew J. Schwartz for Information Week. “But numerous online discussion threads suggest that vBulletin’s software doesn’t currently allow for two-factor authentication.”
However, the plot thickened late last week when one of the apparent culprits told readers to stop blaming the hack on “outdated vBulletin software.”
Instead, via the MacRumors forum, the hacker noted, “First of all, regarding the passwords. As far as I’m aware, the older versions of vbulletin and the current all share the same hashing algorithm. 860106 users were dumped. Out of those, 488429 of them still had a salt which had a length of 3 bits.”
The hacker added, “We’re not terrorists. Stop worrying, and stop blaming it on Macrumors when it was your own fault for reusing passwords in the first place.
“That concludes it. Consider the ‘malicious’ attack friendly,” the hacker also posted. “The situation could have been catastrophically worse if some fame-driven idiot was the culprit and the database were to be leaked to the public.”
It is very doubtful that this is the conclusion; it might only be the beginning, especially as there are reports that several individuals may be looking to sell zero-day exploits for vBulletin 4.x and 5.x. One report claimed that a copy of the exploit was offered for $7,000, with payment accepted in Bitcoin and WebMoney, while since then other offers to sell the exploits have been as low as $200 in Bitcoin.