vBulletin Zero-Day Used to Hack Official vBulletin Website and Foxit Software

Exterminator

It appears that a zero-day vulnerability in the vBulletin forum package allowed an Egyptian hacker to breach the official vBulletin website and the forums of Foxit Software, which was using vBulletin for its forum section.

The hacker is Mohamed Osama who, as soon as he pulled off the attack, started bragging to @Cyber_War_News on Twitter.

Osama, who also goes by the nickname of Coldroot, went so far as to create a YouTube video of himself hacking vBulletin.com, post photos on his Facebook profile, and even send images to @Cyber_War_News of the data he acquired in the hack. His YouTube and Facebook posts were eventually deleted.

Egyptian hacker Coldroot claims responsibility
Osama's LinkedIn profile reveals he's a Senior Programmer at Orbit Shield in Dubai, and ironically lists "Cracking" and "Ethical Hacking" as some of his skills.

According to visual evidence that @Cyber_War_News acquired, the hacker managed to break into vBulletin's infrastructure, upload a shell and exfiltrate the company's customer database.

A sample of the database that @Cyber_War_News received confirms that the data contained user IDs, names, email addresses, security questions, their answers, and password salts.

Despite the hacker claiming his intrusion went unnoticed, the breach was detected and discussed by the company towards the end of the past week. At one point, the vBulletin website was put offline for maintenance and continues to be down at the time of this article.

Before going offline, vBulletin's forum stats page listed around 345,000 users. We have contacted the company for a statement.

Foxit Software also hacked, with the same vBulletin exploit
But the bad news doesn't end here. According to the same @Cyber_War_News, after breaching the vBulletin.com website, Coldroot then moved on to the forums of Foxit Software, a company specializing in producing desktop applications.

Foxit was running vBulletin's forum package, and the hacker said he used the same zero-day bug to breach their database, stealing data for around 260,000 customer accounts. Foxit Software forum's statistics section lists over 535,000 accounts.

The hacker claims that the entire Foxit hack took him only two days.
 

BillR5

I think exterminator20 is understating the problem (or maybe just assuming we will draw the proper conclusion!): "vBulletin Solutions has reset the passwords for over 300,000 [maybe 345,000?] accounts on its website." Lost data included security questions, answers, and password salts. In addition, Foxit Software, which uses vBulletin's forum package, has had "around 260,000 customer accounts" breached (of 535,000, so maybe more?). "More than 100,000 community websites are using vBulletin, including some operated by Zynga, Electronic Arts, Sony Pictures, NASA, Valve Corporation and other well known companies and organizations," so they may be vulnerable to the claimed zero-day exploit. 100,000+ forums!

I'll go out on a limb and say that this has the potential to be the biggest _known_ breach after CyberVor's 1.2 billion compromised accounts (which was apparently a collection of breaches over time using a variety of techniques). [Edit: fixed grammar.]
 

Secondmineboy

I think exterminator20 is understating the problem (or maybe just assuming we will draw the proper conclusion): "VBulletin Solutions has reset the passwords for over 300,000 [maybe 345,000?] accounts on its website." Lost data included security questions, answers, and password salts. In addition, Foxit Software, which uses VBulletin's forum package, has had "around 260,000 customer accounts" (of 535,000, so maybe more) breached. "More than 100,000 community websites are using vBulletin, including some operated by Zynga, Electronic Arts, Sony Pictures, NASA, Valve Corporation and other well known companies and organizations," so they may be vulnerable to the claimed zero-day exploit. 100,000+ forums! I'll go out on a limb and say that this has the potential to be the biggest _known_ breach after CyberVor's 1.2 billion compromised accounts (which was apparently a collection of breaches over time using a variety of techniques).
In some years you need to update your system minutes after the patch is out or you will get hacked...
AVs will be pointless. Everyone is using Linux and no longer Windows. You will have a virus every week or so.
At some point you can't open a browser without getting infected.

^^I don't even want to think about such stuff
 

BillR5

ERROR - MacRumors was a 2013 breach. Oops. Back to ~480,000 accounts. (What an appropriate name given my own actions.)
Also, some reports have referred to the culprit as Coldroot while others have used ColdZer0.
-----
MacRumors, also a user of vBulletin, suffered a security breach of 860,000 password hashes. If all three breaches included (please, soundly hashed) passwords, then we are already pretty close to 1.5 million, probably including one of mine.

Silver lining? Over the weekend, Coldroot only claimed to have data on 479,895 users. Maybe my password wasn't leaked.
 

BillR5

In some years you need to update your system minutes after the patch is out or you will get hacked...
Then, if not before! vBulletin published a couple of updates Monday. I suspect (guess) that patching, investigation, and fear/abundance-of-caution all contribute to the reported dozens of forums that are/were shut down.
 

Ink

In some years you need to update your system minutes after the patch is out or you will get hacked...
AVs will be pointless. Everyone is using Linux and no longer Windows. You will have a virus every week or so.
At some point you can't open a browser without getting infected.
That's an extreme viewpoint, and in my opinion unrealistic. More than likely, you will be "hacked" by human error (person behind the screen).
 
