
Password hack of vBulletin.com - eksith
http://arstechnica.com/security/2013/11/password-hack-of-vbulletin-com-fuels-fears-of-in-the-wild-0-day-attacks/
======
robomartin
I own a license of vBulletin. After approximately a year of experience with
their codebase I decided that burning off my eyeballs with a hot spoon would
be more fun. I wouldn't know where to start to describe just how bad their
software is.

It doesn't end there. The folks who own vBulletin run a whole series of
communities themselves:

[http://www.internetbrands.com/](http://www.internetbrands.com/)

At one point into configuring vBulletin I realized they had code in there that
would allow them to monitor your site's traffic and performance. Which is
genius if you run hundreds of sites yourself and want "probes" out there to
discover areas that you could launch sites into. And, it is even more
brilliant if you can have these "probes" be people who pay you to use software
you produce. Imagine thousands of business experiments actually paying you and
feeding you audience data. That really didn't sit well with me and a number of
people who were awake while installing and configuring their vB software. The
vast majority of folks running vB communities either don't care or don't have
a clue.

There are other issues. Maybe someone else has the time to chime in.

I guess my point is that password security might not be at the top of their
priority list.

~~~
csmuk
Some good points there. I've always kept an eye on such business practices.

I worked for a SaaS ecommerce outfit a few years ago and they sold their stuff
to all the competitors in the same market space. After a bit, they yanked it
with 28 days' notice and went into direct competition with them. Assholes.
Strikes me as the same sort of company.

~~~
robomartin
Well, just go to their website (link in prior post) and you can see they run
hundreds of forums. That always rubbed me the wrong way. I didn't learn about
this until much after I purchased my vB license. Had I seen this prior to
making that decision I would not have used their software. I wasn't trying to
build a large community. I just thought it was a huge violation of ethics to
sell people software and then go off and compete with your own customers. This
isn't disclosed in the vB site. You have to dig to find who owns vB and then
it's kind of in the fine print. The average prospective buyer is unlikely to
discover this until much later, if ever.

------
SilkRoadie
It is a joke, isn't it. "Security" lol

There are 2 types of websites. Those which are important enough for you to
remember a password for and those which aren't. Well the 50 or so which aren't
important enough have one password and this password has been compromised at
least 5 times this year. As far as I know people haven't been logging into my
accounts but I guess there is nothing stopping them.

I find it really difficult to understand how this happens so often. In many
cases it seems like security is an after-thought and procedures are poorly
implemented.

If it is true that the vulnerability exploited has been in vB since version
4.. that means it has been there for 3 years! I wonder how sophisticated it
really was? I wonder when the vBulletin last got an external security audit
done..

------
CalRobert
When I was working with the company that produces vBulletin, I wasn't exactly
dazzled by their competence.

~~~
csmuk
As someone who had to look after a relatively large vBulletin install (13000
users) for a number of years, I wasn't exactly dazzled by their competence
either!

I'd go as far as to say that vBulletin is a pile of crap.

~~~
cdr
Sure vB is crap... and then you look at the other options out there and
realize they're even worse. Especially 5-10 years ago when many of the sites
using vB started using it. It's wildly successful - at least in the niche I'm
familiar with - for a reason. It's reasonably cheap, reasonably easy to work
with even for nontechnical people, works reasonably well, and looks decent.

~~~
csmuk
Please don't make excuses for it.

I've had to deal with the multi-day aftermath of an XSS worm twice. That's
when you realise that it's as bad as it is. After that it was "get fucked" and
move to phpBB, which, while not a stellar product, seems to be put together
with a modicum of common sense and has a responsive community and support.

~~~
hfern
What were your thoughts on XenForo?

~~~
csmuk
Hell no. It's based on the Zend framework which is an even greater pile of
rot!

~~~
sampk
For real? Oh a spaghetti fan I see.

~~~
csmuk
Nope. Just not a fan of adding piles of abstraction on top of something that
just crawls already. To be honest I'd use a different language/platform if you
need to use patterns like that where they perform (java/c#).

Bit of a "no true scotsman" that one as well. Just because someone doesn't use
Zend doesn't mean they write spaghetti.

------
JohnTHaller
I wish they would refer to password hashes as password hashes and not call
them 'encrypted passwords'. "Encrypted passwords" screams that you don't
understand security and were storing real passwords instead of hashes. (Or,
more properly, salted hashes.)

~~~
kijin
Maybe we should just give up and tolerate the non-technical usage of those
terms. The situation with "hash" vs. "encrypt" seems just as hopeless as with
"hacker" vs. "cracker".

~~~
Pxtl
I realize "hash" is too technical, but "encrypt" is a technical term with a
different meaning.

If they'd just used a vague handwavy word like "encoded" we'd be left
wondering what they did to the passwords and it would still be just as legible
to the laymen, instead of being given an actually _incorrect_ piece of
information.

And a "cracker" is a subset of hackers. So as much as it makes self-identified
hackers cringe, it is correct to say that a hacker broke into a system.

"encoded passwords".

~~~
kijin
In ordinary usage, "encrypt" means "to change information from one form to
another, especially to hide its meaning" (Merriam-Webster). It doesn't
necessarily mean _reversible_, although in programmer jargon it does.

So hashing is a subset of encrypting, just like crackers are a subset of
hackers.

~~~
ReidZB
I'd think "ordinary usage" would be by cryptographers and other cryptography-
related personnel, not laypeople. Most of the people around where I live don't
even know what cryptography is, and it's hit-and-miss whether or not they've
heard of encryption.

From a theoretical point of view, hash functions are not _only_ a subset of
block ciphers: hash functions and block ciphers are equivalent. You can take a
hash function and build a block cipher from it (use a Feistel network). You
can also take a block cipher and build a hash function from it (use the
Merkle–Damgård construction).

But even if you can build one from the other, saying something is 'encrypted'
implies, in even the meanest definition, that it can be decrypted. If the
layperson definition does not include this aspect, then it is, well, wrong.
Even if you disagree on this point, I would expect a tech journalist to
endeavor to use the correct, field-standard terminology, regardless, because
as Pxtl says, anyone who is familiar with even the basics of cryptography will
interpret "encrypted password" in an incorrect way (i.e., they'll see it as
what Adobe did).
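The two constructions ReidZB mentions, as an added toy example (not code from the post or from vBulletin): a Feistel network whose round function is SHA-256 gives a block cipher built from a hash, and a Merkle–Damgård iteration of that cipher gives a hash built from a block cipher. The Davies–Meyer compression function, block size, round count and zero IV are choices assumed here; the comment names only Merkle–Damgård.

```python
import hashlib

BLOCK = 32          # cipher block size in bytes: two 16-byte Feistel halves
HALF = BLOCK // 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed round function built from the hash: SHA-256 over (round, key, half),
    # truncated to one half-block. The key may be any length.
    return hashlib.sha256(bytes([rnd]) + key + half).digest()[:HALF]


def feistel_encrypt(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    """Block cipher from a hash function: a balanced Feistel network."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for r in range(rounds):
        left, right = right, _xor(left, _round_fn(key, right, r))
    return right + left   # swap halves so decryption is the same loop reversed


def feistel_decrypt(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for r in reversed(range(rounds)):
        left, right = right, _xor(left, _round_fn(key, right, r))
    return right + left


def md_hash(message: bytes) -> bytes:
    """Hash function from a block cipher: Merkle-Damgard iteration using the
    Davies-Meyer compression function h_i = E_{m_i}(h_{i-1}) XOR h_{i-1}."""
    # Merkle-Damgard strengthening: 0x80, zero fill, 8-byte big-endian bit length
    padded = message + b"\x80"
    padded += b"\x00" * ((BLOCK - 8 - len(padded)) % BLOCK)
    padded += (len(message) * 8).to_bytes(8, "big")
    h = bytes(BLOCK)                        # fixed all-zero IV (assumed here)
    for i in range(0, len(padded), BLOCK):
        m = padded[i:i + BLOCK]
        h = _xor(feistel_encrypt(m, h), h)  # the message block is the cipher key
    return h


if __name__ == "__main__":
    key, pt = b"demo-key", bytes(range(BLOCK))   # constructed sample input
    assert feistel_decrypt(key, feistel_encrypt(key, pt)) == pt
    print(md_hash(b"the hash is one-way; the cipher above is not").hex())
```

The cipher round-trips under its key while the hash has no key and no inverse, which is the distinction the thread is arguing about.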

------
buro9
This explains the email received a few days ago:

> We take your security and privacy very seriously. Very recently, our
> security team discovered sophisticated attacks on our network, involving the
> illegal access of forum user information, possibly including your password.
> Our investigation currently indicates that the attackers accessed customer
> IDs and encrypted passwords on our systems. We have taken the precaution of
> resetting your account password. We apologize for any inconvenience this has
> caused but felt that it was necessary to help protect you and your account.

> To regain access to your account:

> Visit the vBulletin forums at
> [http://www.vbulletin.com/settings/account](http://www.vbulletin.com/settings/account)

> Enter in your existing password followed by your new password, twice for
> confirmation.

> Save this page at the bottom.

> Please choose a new password and do not use the same password you used with
> us previously. We also highly recommend that you choose a password that you
> are not using on any other sites.

> If you have any additional questions or concerns, please feel free to
> contact our support team at
> [http://www.vbulletin.com/go/techsupport](http://www.vbulletin.com/go/techsupport)
> or support@vbulletin.com.

> Sincerely,

Of course I reset the password to another generated LastPass one, but I did
wonder what the scope of the attack was.

~~~
pgrote
Are you sure that email was from vbulletin?

I received the same one and it didn't come from vbulletin's domain name. If
you go to the root of the domain name it says "Test page."

When you click the "read in browser" option you are taken to a page where all
the links to access the forums do not work.

I thought it was a phishing attempt.

~~~
buro9
Ah, you are right:

> http:// click.shopping.ibemail. com/

Not that it matters, I never follow links in emails and went direct to
vbulletin.com

I bet they emailed everyone on their stolen email list though.

------
martinald
This is getting ridiculous now. I've had my password stolen probably at least
four times this year.

I think that the browser developers should push for a keychain of random,
generated passwords and use as many UI pointers as possible to push people to
use these. Apple's implementation in Safari is what we should be aiming for,
but pretty useless to me as I have Linux/Windows/Android devices that don't
support Safari.

~~~
dublinben
Have you tried KeePass or LastPass? They work pretty well on just about every
platform.

~~~
kijin
The problem with KeePass, LastPass, etc. is that you need to hear about them,
look them up, and install them. Things would be much simpler if the browser
included a similar functionality by default.

Unfortunately, all three major browser vendors seem too busy pushing their own
single sign-on schemes (Chrome: Google account, IE: Microsoft account,
Mozilla: Persona). So they're unlikely to pay any attention to plain old
password generation and storage for the foreseeable future. Which is a real
pity because passwords aren't going to disappear overnight.

~~~
dublinben
Instead of using a cross-browser solution that works today, you're complaining
that the browser makers haven't created their own schemes.

~~~
kijin
I use LastPass, thank you very much. My only complaint is that most other
people don't, and I think browser vendors are partly to blame for not doing
what they can to bring about a large-scale adoption of password generation &
storage best practices.

------
BitMastro
Slightly off-topic, but is it common for a hacking team nowadays to have a
Facebook page? I could understand Twitter for announcements, but the Facebook
interaction feels out of place, or is it just me?

Also, "We wanted to prove that nothing in this world is not safe" has a double
negation, so they wanted to prove that there is something out there that could
be safe?

------
CalRobert
Some interesting background reading:
[http://www.theregister.co.uk/2011/05/22/vbulletin_abandons_m...](http://www.theregister.co.uk/2011/05/22/vbulletin_abandons_motion_for_injuction_against_former_devs/)

------
atpfluk
Helped perform hack
[http://facebook.com/HolidayPalaceService](http://facebook.com/HolidayPalaceService)
And then send it to. atpfluk@gmail.com

