vBulletin Zero Day Used to Attack Popular Forums

A hacker group known as Inj3ct0r claims responsibility for attacks on vBulletin and MacRumors, adding that they used a zero day in the popular vBulletin forum software to attack the sites.

A hacker group calling itself Inj3ct0r is taking responsibility for the compromise of more than 860,000 passwords at MacRumors.com as well as a separate attack on vBulletin.com, makers of the vBulletin software powering a number of high-profile forums including MacRumors and Ubuntu Forums.

The Inj3ct0r Team posted on its Facebook page that it had attacked the three sites and found a critical zero-day vulnerability in all versions of vBulletin 4.x.x and 5.x.x.

“We’ve got upload shell in vBulletin server, download database and got root,” the post says.

vBulletin technical support lead Wayne Luke reported the breach late last week in an advisory, urging vBulletin users to change their passwords as well.

“Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password,” Luke wrote. “Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password.”

In the meantime, Black Hat and DEF CON founder Jeff Moss posted to Twitter that the DEF CON forums were temporarily shut down. Inj3ct0r also claims to have used the same zero-day vulnerability in vBulletin to infiltrate the DEF CON forum.

“You are late, we made a backup sites that we care about you too. LOL,” Inj3ct0r posted to Facebook this morning.

Inj3ct0r claims to run a database of exploits and vulnerabilities, www[.]1337day[.]com, and acts as a resource for researchers and security professionals.

“The 1337day team specializes solely in bug research, not malicious actions,” the website says.

Inj3ct0r also claimed responsibility for the MacRumors Forum hack and used the zero-day to obtain a moderator’s password and steal the password database.

The hackers posted to the MacRumors Forum shortly after the attack that they would not leak the password data. Editorial director Arnold Kim confirmed the legitimacy of the post to Threatpost last week; the hackers posted a portion of Kim’s password hash and salt as proof.

Kim quickly alerted users of the breach and he too advised his members to change their passwords, not only on the forum but anywhere else they might have used the same password.

“We’re not going to ‘leak’ anything. There’s no reason for us to. There’s no fun in that. Don’t believe us if you don’t want to, we honestly could not care less,” the hacker wrote. “We’re not ‘mass cracking’ the hashes. It doesn’t take long whatsoever to run a hash through hashcat with a few dictionaries and salts, and get results.”

In the same post last week, the hacker also hinted that version 3.x.x of vBulletin was more secure than later releases and that the blame should not be put on outdated vBulletin software.

The attack on free Linux distribution Ubuntu in July affected close to 2 million of its forum account members, as the attackers were able to access every user’s email address and hashed password.

“Consider the ‘malicious’ attack friendly,” Inj3ct0r said of the MacRumors attack. “The situation could have been catastrophically worse if some fame-driven idiot was the culprit and the database were to be leaked to the public.”
