
vBulletin password hack raises fears of web-wide zero day attacks

11:21 pm on Nov 4, 2015 (gmt 0)

Moderator from US 

robert_charlton (WebmasterWorld Administrator)

joined:Nov 11, 2000
posts:12236
votes: 364


vBulletin password hack fuels fears of serious Internet-wide 0-day attacks
Software maker issued security patch hours after reports surfaced it was breached.
by Dan Goodin - Nov 3, 2015

[arstechnica.com...]

...it's hard to escape the inference that the vBulletin software contained a zero-day vulnerability that allowed hackers in the wild to gain almost complete control over websites that used the forum app. If so, administrators for any site that uses vBulletin should drop whatever they're doing and immediately install Monday's patch....

Note there's also a WebmasterWorld Supporters discussion about the hack here...

VBulletin.com / VBulletin.org hacked
https://www.webmasterworld.com/wall/4775860.htm
2:03 pm on Nov 5, 2015 (gmt 0)

Senior Member

aristotle (WebmasterWorld Senior Member)

joined:Aug 4, 2008
posts:3548
votes: 328


I read the article, but I'm not very knowledgeable in this area, and I don't understand why this would cause so much concern. This is because most forum sign-ups don't require you to give any important personal information. Usually all that's required for sign-up is an email address and a password.

So the only risk that I can see is that someone who got your sign-up information could log in and post false messages under your moniker, and this doesn't seem very worrisome to me.

So what am I missing that makes this such a major concern?
2:26 pm on Nov 5, 2015 (gmt 0)

Preferred Member


joined:Mar 22, 2011
posts:447
votes: 6


Yeah, I'm not seeing it as such a big deal.

They are forcing password resets anyway. Your customer number is generated by them. So the only real risk is that they get a password and email and blast it all over the net to signup. Don't use the same UN and password everywhere and you're good.
2:41 pm on Nov 5, 2015 (gmt 0)

Administrator from US 

not2easy (WebmasterWorld Administrator)

joined:Dec 27, 2006
posts:4204
votes: 265


The Administrators' passwords were in there too, major alterations can be made to a site with those keys.
3:16 pm on Nov 5, 2015 (gmt 0)

Preferred Member from US 


joined:Mar 10, 2004
posts: 463
votes: 50


The same server housed client accounts, not only forum accounts. It is a big deal.

The same server housed forgotten password security questions, a big deal.

The same database contained forum client information which could be used for social engineering hacks: location and birthdays.

vBulletin failed to notify clients for 5 days. A big deal.

vBulletin was notified of the exploit by Check Point Software a month earlier, and failed to patch the product until after the exploit was used to compromise their own servers. Not taking reports of a serious exploit and addressing them immediately, a big deal.

And as of yesterday, continuing to use a two-year-old version of JIRA with known exploits rather than upgrading. A big deal.
6:32 pm on Nov 5, 2015 (gmt 0)

Full Member


joined:Mar 23, 2001
posts:250
votes: 2


vBulletin is as dead as it can be. After many years with them I recently started looking into an alternative, and hopefully within a year I will be switching.
7:08 pm on Nov 5, 2015 (gmt 0)

Preferred Member from US 


joined:Mar 10, 2004
posts: 463
votes: 50


Agree. I have several XF forums, and held on to 3 VB 4.x forums... until now. This was the nail in the coffin, and the remaining forums are scheduled for XF migration.
12:28 am on Nov 6, 2015 (gmt 0)

Senior Member from HK 


joined:Nov 14, 2002
posts:2301
votes: 19


"After many years with them I recently started looking into an alternative and hopefully within a year will be switching."

I was one of the first 10 customers to buy into vBulletin in the early days, moving from UBB (a Perl-based flat-file forum: no DB, statically generated HTML pages).

Given the lack of support for mobile (you're essentially hostage to Tapatalk or their own clients) and the lack of modernisation of the interfaces (programmatic / UI-UX), I've also started plotting my exit. This time around, we're building our own solution, which will be mobile first (an app with a desktop client), forcing us to think about APIs, performance and reactivity.

Not sure if XF is the solution either - for me the closest were NodeBB and Flarum. But both of these are rather immature platforms which are ok as forums, but not there yet for communities (think classifieds, event calendars, groups, resource listings) AND lack comprehensive app support.
6:43 am on Nov 6, 2015 (gmt 0)

Full Member


joined:June 28, 2000
posts: 280
votes: 0


For those evaluating forum software providers, I can also recommend UBBForum by SocialStrata. They also have a product called Hoop.la that incorporates forums, blogs, chats, surveys and more. Both the Hoop.la and UBBForum products will be responsive with their new software update come Nov/Dec 2015.

I've been a user of their software and very much like their offering. One thing to note: their Customer Support is phenomenal. Their support forums are active and they respond to questions / comments / problems extremely fast.

I would seriously consider this company in your evaluation. Please note: I make this recommendation simply as a customer. I don't work for them or get paid for referrals in any way.
2:28 pm on Nov 6, 2015 (gmt 0)

Preferred Member from US 


joined:Mar 10, 2004
posts: 463
votes: 50


I'm moving everything I have left on other platforms to Xenforo because it's fully responsive, works great on mobile, extremely active add-on developer community, and in most cases not only can you import the data from other systems (which most BBs can do), but also do so without users having to reset passwords. As a coder myself, the active developer community was a huge plus.
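The post above says an importer can bring users across from another forum "without users having to reset passwords". The way that works in practice is that the importer keeps each user's old hash and salt, the login path verifies a submitted password with the old algorithm, and on the first successful login it silently rehashes the password with the new system's own scheme. The example below is an added illustration of that technique in Python; it is not XenForo's or vBulletin's code. It assumes the vBulletin 3/4 storage format md5(md5(password) + salt), uses PBKDF2-SHA256 as a stand-in for whatever modern password hash the target platform uses, and invents a simple dictionary user record and a constructed test user.

```python
"""Legacy-hash migration: verify imported vBulletin-style hashes at login,
then transparently upgrade the record to a modern password hash.

Added example, not code from any forum product.  The record layout,
the scheme names and the PBKDF2 parameters are assumptions for illustration.
"""
import hashlib
import hmac
import os
from typing import Optional

# Assumed modern scheme for this example; a real deployment would use
# bcrypt/Argon2 or the target platform's native hasher.
PBKDF2_ITERATIONS = 100_000


def vb_legacy_hash(password: str, salt: str) -> str:
    """vBulletin 3.x/4.x stored md5(md5(password) + salt) as hex."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def modern_hash(password: str, salt: Optional[bytes] = None) -> dict:
    """Hash with PBKDF2-SHA256 and a fresh 16-byte random salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {
        "scheme": "pbkdf2_sha256",
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def import_legacy_user(username: str, vb_hash: str, vb_salt: str) -> dict:
    """What an importer would write: the old hash and salt, tagged with
    the scheme so the login path knows how to verify it.  The salt is kept
    as a separate field because vBulletin salts can contain any printable
    character, so a '$'-delimited string would be ambiguous."""
    return {
        "username": username,
        "scheme": "vb_md5",
        "salt": vb_salt,
        "hash": vb_hash,
    }


def login(user: dict, password: str) -> bool:
    """Verify a password against either scheme.  On a successful legacy
    login the plaintext is available, so the record is rehashed in place
    and the md5 material is discarded."""
    if user["scheme"] == "vb_md5":
        candidate = vb_legacy_hash(password, user["salt"])
        if not hmac.compare_digest(candidate, user["hash"]):
            return False
        upgraded = modern_hash(password)
        user.update(upgraded)          # replaces scheme, salt, hash
        user["iterations"] = upgraded["iterations"]
        return True

    if user["scheme"] == "pbkdf2_sha256":
        digest = hashlib.pbkdf2_hmac(
            "sha256",
            password.encode("utf-8"),
            bytes.fromhex(user["salt"]),
            int(user["iterations"]),
        )
        return hmac.compare_digest(digest.hex(), user["hash"])

    return False  # unknown scheme: fail closed


if __name__ == "__main__":
    # Constructed sample user, as if exported from a vBulletin 4 database.
    salt = "Kd$3q"
    user = import_legacy_user("alice", vb_legacy_hash("correct horse", salt), salt)
    print("wrong password:", login(user, "battery staple"), user["scheme"])
    print("right password:", login(user, "correct horse"), user["scheme"])
    print("right password again:", login(user, "correct horse"))
```

Two points worth noting from the code. Until a user actually logs in, their record still carries the weak md5 hash, so a migrated site should either force a reset for accounts that have not logged in after some period or run an offline expiry job; the breach in this thread is exactly the case where those stale hashes matter. And the legacy branch must fail closed on any scheme it does not recognise, otherwise a corrupted import row becomes a login bypass.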