The vBulletin forum was illegally accessed last week, but the company has denied that the attackers exploited an unpatched zero-day vulnerability to achieve the hack.
According to a new comment by vBulletin’s technical support lead Wayne Luke, evidence from the attackers, the Inject0r Team, has led the company to believe that the breach was not down to a zero-day vulnerability in vBulletin. “These hackers were able to compromise an insecure system that was used for testing vBulletin mobile applications. The best defense against potential compromises is to keep your system running on the very latest patch release of the software,” he said.
Despite this, the Inject0r Team put the alleged exploit for vBulletin’s server software up for sale for $700. In the network attack, the Inject0r Team stole the user identities of customers and their encrypted passwords.
It said in a statement that its security team discovered sophisticated attacks on its network and it took the precaution of resetting passwords. “We apologise for any inconvenience this has caused but felt that it was necessary to help protect you and your account,” it said.
Security blogger Graham Cluley told IT Security Guru that, because vBulletin is used by so many sites, many people would ask how good at security the company is itself. “Of course, there’s great embarrassment for vBulletin in regard to this security breach. If the organisation that ‘makes’ the software can’t keep its own installations secure, what hope do other sites have?”
“Clearly there’s still some uncertainty about what exactly took place, but some online forums aren’t taking any chances and are closing their message boards until they feel confident things are safe again.”