vBulletin.com hacked, hackers trying to sell info on 0-day used
The developers of popular Internet forum software vBulletin announced late on Friday that their network has been attacked and successfully breached, and that the hackers involved have accessed customer IDs and encrypted passwords on their systems.
The company has reacted by immediately resetting all users’ passwords and is asking them to choose a new, more complex one that they won’t be using on other sites, but hasn’t shared more details about how the hack came to pass.
But another group has. Hacker group Inj3ct0r Team has claimed responsibility for the hack on their Facebook page, and they have also professed to be the ones who breached MacRumors forums and have likely made off with the database containing the passwords of its 860,000 registered users.
MacRumors site owner Arnold Kim said that the approach used by the attackers was the same one used to compromise the Ubuntu forums back in July: they managed to get their hands on the account credentials of a forum moderator, and were able to escalate their privileges in order to access the password database.
It has yet to be confirmed how they managed to get the moderator’s account credentials in the first place, but if Inj3ct0r Team’s claims are to be believed, they took advantage of a critical zero-day vulnerability affecting versions 4.x.x and 5.x.x of vBulletin.
“We’ve got upload shell in vBulletin server, download database and got root,” they wrote. “We wanted to prove that nothing in this world is not safe.”
Apparently, the same vulnerability has been used to breach MacRumors. The Ubuntu forums also ran on vBulletin.
The existence of such a vulnerability is still unconfirmed by the company, but you can be sure that they are working furiously to discover it (if there is one).
The hacker team is apparently openly selling information about, and possibly the patch for, the vulnerability in question.
In the meantime, there are apparently some who believe Inj3ct0r Team’s claims – or, at least, are not willing to endanger their users. Defcon forums have been disabled pending the resolution of the vulnerability, and will be back when a patch is out and installed.
UPDATE:
Wayne Luke, vBulletin Technical Support Lead, has announced that they have analysed the evidence provided by the Inj3ct0r Team, and that they do not believe that the hackers have uncovered a 0-day vulnerability in vBulletin.
“These hackers were able to compromise an insecure system that was used for testing vBulletin mobile applications. The best defense against potential compromises is to keep your system running on the very latest patch release of the software,” he concluded.