Attack on vBulletin board password stokes concerns of wide-ranging zero-day hacks

Software vendor rushes out security patch hours after breach of infrastructure

Vbulletin hack will have widespread implications
Vbulletin hack will have widespread implications

A security patch has been hastily issued for the Vbulletin board forum software, after a hack on the developer's website leaked sensitive password data and other information on nearly half a million subscribers.

The firm has put in place a mandatory password reset for all users following the discovery that its infrastructure had been breached.

" Very recently, our security team discovered a sophisticated attack on our network. Our investigation indicates that the attacker may have accessed customer IDs and encrypted passwords on our systems," the firm said. "We have taken the precaution of resetting your account password. We apologise for any inconvenience this has caused but felt that it was necessary to help protect your account."

It said that users should select a password they don't use elsewhere.

In a separate post, the firm referred to a security patch for versions 5.1.4 through 5.1.9 of the vBulletin Connect software.

This was in response to a hacker called "Coldzer0" who boasted about their alleged exploits on various websites. The hacker has also uploaded a video to YouTube and posted data on Facebook. Both of these uploads have since been deleted.

In a post co-authored with @Cyber_War_News, the hacker also claimed to have breached Foxit Software forums, using the same vulnerability. With the breach, the hacker said they had obtained 260,000 of Foxit's 537,000 user accounts and questioned why their hacking attempts had not been detected.

Coldzer0 is believed to have collected personal data belonging to some 479,895 users from the two attacks. The data taken included user ids, full names, email addresses, security questions and corresponding answers (both in plain text) and salted passwords.

There is little detail as to how the hack took place at present other than the hacker taking advantage of a zero-day exploit. According to a report by Ars Technica, a similar breach occurred, which vBulletin said was down to an insecure system used for testing vBulletin mobile applications, and not a zero-day vulnerability.

Jonathan Sander, vice president of Product Strategy at Lieberman Software, told SCMagazineUK.com that the hack of a bulletin board is useful to hackers as the usernames and passwords people use for one site, even a bulletin board, may be the same they use for their bank, their credit cards or their Apple ID.

“With that I can steal money, clone their credit cards, or pirate tons of movies for free. Since vBulletin was widely used even by boards that are considered secure like the boards over at the Defcon.org security focused forums, this may be an opportunity for bad guys to get things they would not normally get from careful people,” he said.

“There's also an element of reputation. Many exploits are more like graffiti than breaking and entering. This may be someone making a reputation, and we see someone taking very public credit for it."

He added that the people most likely to be affected by the hack would be the site admins “who will be sucking down caffeine as they patch, retool, and attempt to mitigate any damage caused by this. The effects on the users who had their details stolen will be a long tail that will dribble out over time."

Sander said that for organisations concerned about how the hack might affect them would be to take stock of things.

“Are you using vBulletin? Are you sure you're not? You had better be,” he warned. “Only once you know where and if you are affected can you do anything else. Right now even the security experts over at Defcon.org who were using vBulletin have opted to simply shut down the affected sites and wait to see what happens."

Tod Beardsley, security research manager at Rapid7, told SC that it appeared that the attack was due to a SQL injection bug in vBulletin's forum software.

“A patch has been released, and while it appears to resolve the issue that led to the vBulletin Solutions compromise, the company has not yet issued a statement that ties the attack and the patch together. Hopefully, vBulletin Solutions' response to the incident will provide more detail for their customers, sooner rather than later,” he said.

Beardsley added that organisations that rely on vBulletin to power their community forums should apply this patch immediately.

“vBulletin is a popular target, since compromising a forum site can provide an effective platform for a watering hole attack. In a watering hole attack, customers of a particular company, or users that share a common interest, can be effectively targeted via the trusted, but now compromised, website. vBulletin itself is a popular community and forum platform, so an unpatched bug in the platform can expose those downstream users to serious risk,” he said.

Sign up to our newsletters