Is there a vBulletin Zero-day Out There?

900,000 passwords have been stolen, and vBulletin has reset them all

But the true situation is far from clear. Certainly vBulletin was hacked. On Friday it announced, "Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems."

The recent Adobe hack also involved 'encrypted' passwords. At first commentators assumed that the company had meant to say 'hashed' passwords, but it turned out that they really were encrypted, which drew serious criticism. Passwords should be hashed rather than encrypted; and since the vBulletin software's standard approach to storing passwords is a salted MD5 hash (a weak choice, but a hash nonetheless), it can hopefully be assumed that they were hashed rather than encrypted. Independent security expert Graham Cluley pointed to the MacRumors hack: "In that case, the exposed passwords were salted and hashed, but using vBulletin’s standard MD5 algorithm which provides what is generally considered inadequate security."
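To illustrate why a salted MD5 hash is considered inadequate even though it is better than encryption, here is an added example written for this article (not vBulletin's own code). It assumes the legacy scheme md5(md5(password) + salt) attributed to older vBulletin releases, and contrasts it with a slow, salted key-derivation function (PBKDF2-HMAC-SHA256) that makes each guess far more expensive for anyone who obtains the stored hashes.

```python
import hashlib
import hmac
import secrets
import time

# Assumed legacy vBulletin-style storage: md5(md5(password) + salt).
# The salt stops precomputed tables, but each guess still costs one fast MD5.
def legacy_md5_hash(password: str, salt: str) -> str:
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

def legacy_md5_verify(password: str, salt: str, stored: str) -> bool:
    # constant-time comparison so verification itself leaks nothing
    return hmac.compare_digest(legacy_md5_hash(password, salt), stored)

# Mitigation: a deliberately slow, salted KDF. Iteration count is stored with
# the hash so it can be raised later without breaking existing records.
PBKDF2_ITERATIONS = 100_000

def pbkdf2_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def seconds_per_guess(hash_fn, rounds: int) -> float:
    # average wall-clock cost of one candidate-password check
    start = time.perf_counter()
    for _ in range(rounds):
        hash_fn()
    return (time.perf_counter() - start) / rounds

def compare_guess_cost() -> tuple:
    # constructed sample password and salts; returns (legacy_cost, kdf_cost)
    salt = secrets.token_bytes(16)
    fast = seconds_per_guess(lambda: legacy_md5_hash("correct horse", "ab3x"), 2000)
    slow = seconds_per_guess(lambda: pbkdf2_hash("correct horse", salt), 5)
    return fast, slow

if __name__ == "__main__":
    fast, slow = compare_guess_cost()
    print(f"legacy salted MD5: {fast * 1e6:.1f} us/guess")
    print(f"PBKDF2-HMAC-SHA256 ({PBKDF2_ITERATIONS} rounds): {slow * 1e3:.1f} ms/guess")
    print(f"each guess is roughly {slow / fast:,.0f}x more expensive with the KDF")
```

The ratio printed is the point: once a database is stolen, the only thing slowing an offline attacker is the per-guess cost, which is why forum operators are advised to migrate away from fast hashes and users are told not to reuse passwords.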

Either way, some 900,000 passwords have been stolen, and vBulletin has reset them all. The continuing danger is that those passwords can be cracked, and that the users have employed the same passwords elsewhere.

By Sunday Softpedia reported on an email conversation with Inj3ct0r. "We use 0day exploit on vBulletin, got password moderator. 860000 hacked too. The network security is a myth,” said the hackers. Softpedia added that the hackers "have put the vBulletin v4.x.x and 5.?.x shell upload / remote code execution exploit up for sale on 1337day.com."

The threat has been taken seriously. DEF CON, a vBulletin user, quickly took its forums off-line: "We have disabled the forums until there is resolution on a possible vulnerability." Cluley believes this is a good idea. "If you’re running an online forum using VBulletin, you might well feel the safest option is to show an 'abundance of caution' and shut down your message boards until this unholy mess is sorted out," he blogged yesterday.

But now vBulletin has rejected Inj3ct0r's claim of having found a zero-day vulnerability. "Given our analysis of the evidence provided by the Inject0r team, we do not believe that they have uncovered a 0-day vulnerability in vBulletin," it announced. "These hackers were able to compromise an insecure system that was used for testing vBulletin mobile applications."

The question now is whether there really is an unknown vulnerability. Hacking vBulletin itself gains publicity for Inj3ct0r, but focuses attention on finding and fixing the vulnerability – making the value of the exploit nil. "Why would you use it against VBulletin itself and then announce on Facebook what you have done?" commented Cluley in an email conversation with Infosecurity. Nevertheless, he added, "there's some confusion right now around VBulletin security and they will need to work hard to keep the rattled confidence of their customers. I wouldn't be surprised at all to see more web forums running VBulletin being taken (at least temporarily) offline, or shifted behind a web application firewall for a higher level of protection."
