Thread: VBulletin Security Breach

  1. #1

    VBulletin Security Breach

    A few days ago, I noticed a new member registered with a red user ID (administrator), and soon after, another one. I contacted Edward, and he had found out about a hack in the VBulletin software that runs WNY. The accounts were deleted, and it appears no harm was done.

    However, an administrator has access to member account information, including passwords. Although he can no longer damage the overall forum, he can sign in as an existing member, and cause problems.

    It would be wise for every member to change their password.

    Thanks to Gordon Gecko for the additional info.

  2. #2

    Does that also have anything to do with the missing checkerboard square?

    And thanks GG.

  3. #3
    Forum Veteran
    Join Date
    Feb 2008
    Location
    New York City
    Posts
    2,126

    Good to know. I've been checking other sites, and it seems a lot of them have the exploit. It's actually super easy to do: you just have to know the access page and send the right fields, and you're able to register as an admin, and then all the privileges associated with that flow through, including access to everyone else's accounts, which is why it's a good idea to change your password just as a precaution.

  4. #4

    Quote Originally Posted by mariab:
        Does that also have anything to do with the missing checkerboard square?

    No.

    The website icon (checkerboard) is browser dependent.

    For me:

    Firefox - No icon for any website in the url address box. But tabs have the icon, which I think is more useful.

    Chrome - No icon in the address box or tab.

    IE - Icons in both.

  5. #5

    Thanks for the alert. Password updated.

  6. #6
    Chief Antagonist Ninjahedge's Avatar
    Join Date
    Sep 2003
    Location
    Rutherford
    Posts
    12,773

    Zip, I have the icon in the tab, but not the addy box on Chrome Version 29.0.1547.66 m


    For now...


    Also, I believe mariab was just joking about the icon (as if they "stole" the checkerbox...).

    Just guessing!

  7. #7
    Forum Veteran
    Join Date
    Feb 2008
    Location
    New York City
    Posts
    2,126

    For the checkerboard to show up in Chrome, all the site has to do is make sure the favicon.ico file is in the root folder.

  8. #8

    Given GG's comments on the ease of posing as an admin, how effective is changing passwords? Don't we run the risk of this happening again?

    I am not even going to pretend to know what I am talking about here, so at the risk of being laughed at ... can anything be done to change the "flows" or "layouts" in order to make a second hacking more difficult?

  9. #9

    The ability to register as an administrator was a VBulletin problem. No one since the two I mentioned has signed on with admin privileges. But it is possible that before they were removed, they may have accessed member profiles and recorded passwords. That would give them the ability to sign on as members.

    That brings up another point. Passwords that are used for forums - or things like YouTube or Flickr - should not be the same as (or similar to) what I call hard passwords, those for secure sites like credit card and bank accounts.

  10. #10
    Chief Antagonist Ninjahedge's Avatar
    Join Date
    Sep 2003
    Location
    Rutherford
    Posts
    12,773

    Zip, it might be a good idea to freeze any inactive accounts (requiring an admin reactivation to post).

    You can decide what period of time is inactive, but if they could have gotten any account, I am sure there are a few older ones that could have been compromised and not have their PW's changed...

  11. #11

    What would be the motivation behind hacking a forum?

  12. #12
    Disgruntled Optimist lofter1's Avatar
    Join Date
    Jun 2005
    Location
    NYC - Downtown
    Posts
    32,654

    Maybe Brooklyn Rider came by for a secret visit?

  13. #13
    Chief Antagonist Ninjahedge's Avatar
    Join Date
    Sep 2003
    Location
    Rutherford
    Posts
    12,773

  14. #14

    I would like to clarify that an administrator can change the password for any account, but does not see the current password. An administrator cannot write down your password and use it on another website. If an administrator gained access to your account by changing the password, your current password would not work and you would notice.

    In this particular incident, it looks like the hackers just registered and did not do anything malicious. At this moment these accounts are deleted and the exploit has been closed.
