
Password hack of vBulletin.com

  • 18-11-2013 9:34am
    #1
    Registered Users, Registered Users 2 Posts: 1,186 ✭✭✭


    Looks like vBulletin has been compromised..

    vBulletin itself has been hacked along with a number of its customers' forums
    To summarize, then: The Inject0r Team members claimed they breached vBulletin.com by exploiting a previously undocumented vulnerability in the vBulletin software. They then went on to use their privileged access to obtain login credentials for the MacRumors moderator account. After logging in to the account, they then made off with the password hashes for 860,106 MacRumors accounts.

    "We got shell, database and root server," the Inject0r Team Facebook post claimed. "We wanted to prove that nothing in this world is not safe. We found a critical vulnerability in vBulletin all versions 4.x.x and 5.x.x."

    http://arstechnica.com/security/2013/11/password-hack-of-vbulletin-com-fuels-fears-of-in-the-wild-0-day-attacks/

    davej


Comments

  • Closed Accounts Posts: 909 ✭✭✭camel jockey


    davej wrote: »
    We wanted to prove that nothing in this world is not safe

    :eek:


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    I know another way of proving that something isn't safe - filing a bug. It's awesome!

    860K hashes. I'll be interested to see what comes of those. Presume they're salted. I must admit that I always find password leaks fascinating because it gives an opportunity to see what kinds of passwords people use.


  • Registered Users, Registered Users 2 Posts: 1,186 ✭✭✭davej


    I guess the fact that boards.ie runs on vBulletin is slightly worrying.
    I must admit that I always find password leaks fascinating because it gives an opportunity to see what kinds of passwords people use.

    This 860K password list is of course dwarfed by the Adobe hack: 130 million now in the public domain.

    This site has produced a list of the 100 most popular Adobe passwords. Nearly 2 million accounts had the password "123456" :eek:
    # Count Ciphertext Plaintext
    1. 1911938 EQ7fIpT7i/Q= 123456
    2. 446162 j9p+HwtWWT86aMjgZFLzYg== 123456789
    3. 345834 L8qbAD3jl3jioxG6CatHBw== password
    4. 211659 BB4e6X+b2xLioxG6CatHBw== adobe123
    5. 201580 j9p+HwtWWT/ioxG6CatHBw== 12345678
    6. 130832 5djv7ZCI2ws= qwerty
    7. 124253 dQi0asWPYvQ= 1234567
    8. 113884 7LqYzKVeq8I= 111111
    9. 83411 PMDTbP0LZxu03SwrFUvYGA== photoshop
    10. 82694 e6MPXQ5G6a8= 123123
    11. 76910 j9p+HwtWWT8/HeZN+3oiCQ== 1234567890
    12. 76186 diQ+ie23vAA= 000000
    13. 70791 kCcUSCmonEA= abc123
    14. 61453 ukxzEcXU6Pw= 1234
    15. 56744 5wEAInH22i4= adobe1
    16. 54651 WqflwJFYW3+PszVFZo1Ggg== macromedia
    17. 48850 hjAYsdUA4+k= azerty
    18. 47142 rpkvF+oZzQvioxG6CatHBw== iloveyou
    19. 44281 xz6PIeGzr6g= aaaaaa
    20. 43670 Ypsmk6AXQTk= 654321

    davej
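
An added example, not part of any post in this thread: it takes eight of the rows quoted above and checks them for repeated ciphertext blocks, which is why a table like this can be built from the dump at all. The 8-byte block size is an assumption, based on public reporting that the Adobe dump held 3DES-ECB-encrypted passwords rather than salted hashes; the function names are illustrative.

```python
import base64
from collections import defaultdict

BLOCK = 8  # assumed cipher block size in bytes (3DES, per public reporting)

# (ciphertext, plaintext) pairs copied from the table quoted in the post above
ROWS = [
    ("EQ7fIpT7i/Q=", "123456"),
    ("j9p+HwtWWT86aMjgZFLzYg==", "123456789"),
    ("L8qbAD3jl3jioxG6CatHBw==", "password"),
    ("BB4e6X+b2xLioxG6CatHBw==", "adobe123"),
    ("j9p+HwtWWT/ioxG6CatHBw==", "12345678"),
    ("PMDTbP0LZxu03SwrFUvYGA==", "photoshop"),
    ("j9p+HwtWWT8/HeZN+3oiCQ==", "1234567890"),
    ("rpkvF+oZzQvioxG6CatHBw==", "iloveyou"),
]

def split_blocks(ct_b64):
    """Decode a base64 ciphertext and split it into BLOCK-sized pieces."""
    raw = base64.b64decode(ct_b64)
    if len(raw) % BLOCK:
        raise ValueError("ciphertext is not a whole number of blocks")
    return [raw[i:i + BLOCK] for i in range(0, len(raw), BLOCK)]

def shared_blocks(rows):
    """Map (block index, block bytes) -> plaintexts, for blocks seen in 2+ rows."""
    seen = defaultdict(list)
    for ct, pt in rows:
        for idx, blk in enumerate(split_blocks(ct)):
            seen[(idx, blk)].append(pt)
    return {key: pts for key, pts in seen.items() if len(pts) > 1}

def groups_by_position(rows):
    """Group the plaintexts that share a ciphertext block, keyed by block index."""
    out = defaultdict(list)
    for (idx, _blk), pts in shared_blocks(rows).items():
        out[idx].append(pts)
    return dict(out)

if __name__ == "__main__":
    for idx, groups in sorted(groups_by_position(ROWS).items()):
        for pts in groups:
            print(f"block {idx} identical for: {', '.join(pts)}")
```

Passwords starting with "12345678" share their first block, and every exactly-8-character password shares its second block, so equal plaintext always yields equal ciphertext. A per-user salt with a one-way password hash removes that property.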


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    davej wrote: »
    I guess the fact that boards.ie runs on vBulletin is slightly worrying.

    I think it was forked a long, long time ago.


  • Registered Users, Registered Users 2 Posts: 257 ✭✭irokie


    Khannie wrote: »
    I think it was forked a long, long time ago.

    Doesn't mean that any vulnerability that may or may not be in the code-base isn't present in the boards.ie codebase. From the Ars article:
    Inject0r wrote:
    "We found a critical vulnerability in vBulletin all versions 4.x.x and 5.x.x."

    Would need a comment from vBulletin and then a comment from the Boards admins to be sure.


  • Registered Users, Registered Users 2 Posts: 10,907 ✭✭✭✭28064212


    irokie wrote: »
    "We found a critical vulnerability in vBulletin all versions 4.x.x and 5.x.x."
    Would need a comment from vBulletin and then a comment from the Boards admins to be sure.
    Not quite, assuming Inject0r's statement is accurate. The last version of vBulletin that Boards used was 3.8.6 :)

    Boardsie Enhancement Suite - a browser extension to make using Boards on desktop a better experience (includes full-width display, keyboard shortcuts, dark mode, and more). Now available through your browser's extension store.

    Firefox: https://addons.mozilla.org/addon/boardsie-enhancement-suite/

    Chrome/Edge/Opera: https://chromewebstore.google.com/detail/boardsie-enhancement-suit/bbgnmnfagihoohjkofdnofcfmkpdmmce



  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    irokie wrote: »
    Would need a comment from vBulletin and then a comment from the Boards admins to be sure.

    I alerted the admins to alert the devs, just in case. :)


  • Registered Users, Registered Users 2 Posts: 2,021 ✭✭✭ChRoMe


    28064212 wrote: »
    Not quite, assuming Inject0r's statement is accurate. The last version of vBulletin that Boards used was 3.8.6 :)

    That's arguably worse.


  • Registered Users, Registered Users 2 Posts: 2,344 ✭✭✭p to the e


    From the arstechnica article above. Is this overkill for boards?
    Readers who operate websites that run on versions 4 or 5 of vBulletin should consider following Defcon's example and disabling their user forums—at least until vBulletin officials provide assurances there are no known vulnerabilities in their software and offer an explanation of the attack that hit their site.


  • Registered Users, Registered Users 2 Posts: 10,907 ✭✭✭✭28064212


    p to the e wrote: »
    From the arstechnica article above. Is this overkill for boards?
    Readers who operate websites that run on versions 4 or 5 of vBulletin
    => Doesn't apply to Boards, which runs (a heavily modified) vBulletin 3.8.6




  • Registered Users, Registered Users 2 Posts: 36,538 ✭✭✭✭Hotblack Desiato


    Khannie wrote: »
    I think it was forked a long, long time ago.

    That code was forked a long, a long long time ago.
    Who knows? Not me.
    We never lost control.
    You're face to face
    With the man who forked the code.

    In Cavan there was a great fire / Judge McCarthy was sent to inquire / It would be a shame / If the nuns were to blame / So it had to be caused by a wire.


