After the Snapchat hack, this may be another of the worst data breaches of the new year. A Pakistani hacker, 'H4x0r HuSsY', has successfully compromised the official forum of 'openSUSE', a Linux distro developed, sponsored and supported by SUSE.
RexHacker managed to deface the forum and upload his custom message page, as shown, and the account information of 79,500 registered users may have been compromised. (The forum was defaced at the time of writing.)
The forum of the popular website MacRumors, which is based on vBulletin, a famous forum software, was compromised last November using an alleged zero-day exploit. The openSUSE forum is also based on vBulletin.
Another interesting fact is that openSUSE is still using vBulletin 4.2.1, which is vulnerable to a flaw that allows rogue administrator accounts to be injected, whereas the latest patched vBulletin 5.0.5 is available. Possibly, the hacker exploited the same or another known vBulletin 4.2.1 vulnerability to access the website's administrative panel.
Zone-H Mirror of the defaced page: http://zone-h.org/mirror/id/21473823
It seems that the openSUSE team is not even aware of the data breach, but we have informed them and are also trying to contact RexHacker for further information on this.
Update (7:00 PM Tuesday, January 7, 2014 GMT): The Pakistani hacker confirmed that he uploaded a PHP shell to the forum server using his own private vBulletin zero-day exploit, which allows him to browse, read or write/overwrite any file on the forum server without root privileges.
There are a few screenshots shared by the hacker with us:
He also claimed to have full access to the users' database; however, he has promised not to disclose the database dump because the purpose of the hack is only to highlight the security weakness.
Another important claim by RexHacker is that the latest version, vBulletin 5.0.5, is also vulnerable to his zero-day exploit and that no patch is yet available to fix it. He noticed that after our news report the server administrator removed the defaced page, but to prove his exploit he uploaded another file to the server again:
There are thousands of forums using vBulletin software, and many of them are huge. The hacker has not shared any information about the vulnerability, but we are sure that the official vBulletin team will treat this critical threat as a high priority to fix.
Update (7:24 PM Tuesday, January 7, 2014 GMT): The openSUSE team has informed users about the breach via tweets: "Warning: Our forums are down because they were defaced. We're currently investigating what exactly has happened."
But they have also mentioned, "Rest assured, no user credentials have been leaked as we use a single sign on system for our services. Note that we use SSO so we don't think we lost any account data."
After openSUSE's tweet, RexHacker shared some sample database screenshots on his Facebook account to prove the database hack. We have partially blurred the screenshot before sharing, to keep sensitive data secure, as shown above.
Update (4:00 AM Wednesday, January 8, 2014 GMT): In a blog post, the openSUSE team confirmed that their website and database have been hacked, but users' passwords are not compromised.
"A cracker managed to exploit a vulnerability in the forum software which made it possible to upload files and gave access to the forum database."
The team explained that they are using a single-sign-on system (Access Manager from NetIQ) that manages the real passwords.
"Credentials for your openSUSE login are not saved in our application databases as we use a single-sign-on system (Access Manager from NetIQ) for all our services. This is a completely separate system and it has not been compromised by this crack. What the cracker reported as compromised passwords were indeed random, automatically set strings that are in no way connected to your real password."