VBulletin Security Breach



ZippyTheChimp
September 11th, 2013, 05:09 PM
A few days ago, I noticed a new member registered with a red user ID (administrator), and soon after, another one. I contacted Edward, and he had found out about a hack in the VBulletin software that runs WNY. The accounts were deleted, and it appears no harm was done.

However, an administrator has access to member account information, including passwords. Although he can no longer damage the overall forum, he can sign in as an existing member, and cause problems.

It would be wise for every member to change their password.

Thanks to Gordon Gecko for the additional info.

mariab
September 11th, 2013, 07:32 PM
Does that also have anything to do with the missing checkerboard square?

And thanks GG.

GordonGecko
September 12th, 2013, 10:00 AM
Good to know. I've been checking other sites and it seems a lot of them have the exploit. It's actually super easy to do: you just have to know the access page and send the right fields, and you're able to register as an admin. Then all the privileges associated with that flow through, including access to everyone else's accounts, which is why it's a good idea to change your password, just as a precaution.

ZippyTheChimp
September 12th, 2013, 10:20 AM
> Does that also have anything to do with the missing checkerboard square?

No.

The website icon (checkerboard) is browser dependent.

For me:

Firefox - No icon for any website in the url address box. But tabs have the icon, which I think is more useful.

Chrome - No icon in the address box or tab.

IE - Icons in both.

hbcat
September 12th, 2013, 10:56 AM
Thanks for the alert. Password updated.

Ninjahedge
September 12th, 2013, 11:10 AM
Zip, I have the icon in the tab, but not the addy box on Chrome Version 29.0.1547.66 m

For now...

Also, I believe mariab was just joking about the icon (as if they "stole" the checkerbox...).

Just guessing!

GordonGecko
September 12th, 2013, 12:51 PM
For the checkerboard to show up in Chrome, all the site has to do is make sure the favicon.ico file is in the root folder.

eddhead
September 12th, 2013, 01:44 PM
Given GG's comments on the ease of posing as an admin, how effective is changing passwords? Don't we run the risk of this happening again?

I am not even going to pretend to know what I am talking about here, so at the risk of being laughed at ... can anything be done to change the "flows" or "layouts" in order to make a second hacking more difficult?

ZippyTheChimp
September 12th, 2013, 02:29 PM
The ability to register as an administrator was a VBulletin problem. No one since the two I mentioned has signed on with admin privileges. But it is possible that before they were removed, they may have accessed member profiles and recorded passwords. That would give them the ability to sign on as members.

That brings up another point. Passwords that are used for forums - or things like YouTube or Flickr - should not be the same (or similar) to what I call hard passwords, those for secure sites like credit card and bank accounts.

Ninjahedge
September 12th, 2013, 03:47 PM
Zip, it might be a good idea to freeze any inactive accounts (requiring an admin reactivation to post).

You can decide what period of time counts as inactive, but if they could have gotten any account, I am sure there are a few older ones that could have been compromised and not had their PWs changed...

hbcat
September 12th, 2013, 08:15 PM
What would be the motivation behind hacking a forum?

lofter1
September 18th, 2013, 12:58 AM
Maybe Brooklyn Rider came by for a secret visit?

Ninjahedge
September 18th, 2013, 11:27 AM
:(

Edward
September 20th, 2013, 11:52 AM
I would like to clarify that an administrator can change the password for any account, but does not see the current password. An administrator cannot write down your password and use it on another website. If an administrator gained access to your account by changing the password, your current password would not work and you would notice.

In this particular incident, it looks like the hackers just registered and did not do anything malicious. At this moment these accounts are deleted and the exploit is closed.