So a few days ago the Ubuntu Forums got hacked via SQL injection ... wow ... what a bummer. Database was dumped with usernames and passwords etc. (passwords were salted...)
So this is the news, but I wanted to start this thread as a discussion.
SQL Injection, a F*/%$ng problem from the late 90's ... how is this still a thing? It's 2016 ... especially from someone like Canonical/Ubuntu ... what are your thoughts on this??
UBUNTU Forum HAXED :P
- MrNiitriiX
- Premium Uploader
- Posts: 2197
- Joined: 19 Apr 2010, 14:52
- Location: between space and time
- Has thanked: 24 times
- Been thanked: 164 times
- OnTheLimit
- R.I.P
- Posts: 50330
- Joined: 30 Nov 2011, 18:08
- Status: Court Jester and Agent Provocateur
- Has thanked: 55 times
- Been thanked: 78 times
Re: UBUNTU Forum HAXED :P
For every lock, there must be a key.
It seems that information on 2 million Ubuntu users was breached, not from an exotic zero-day attack, but, as MrNiitriiX correctly stated, from a known SQL injection vulnerability that Canonical should have patched. Certainly, Canonical isn't unique here, as more often than not, in many breaches, it is known, already-patched vulnerabilities that are identified as a root cause. In this instance, it seems that the flaw exists within the Forumrunner add-on for the vBulletin forum software. Though Canonical is constantly updating its Ubuntu software, apparently the organization had neglected to update Forumrunner and vBulletin to be up-to-date with the latest patches.
To its credit though, Canonical didn't have easily readable passwords stored in its forums user database. The Ubuntu user forums make use of the Ubuntu single sign-on approach, which did not store user passwords in the forums database. Rather, the password credentials for users were present in the user database as random strings of data.
That doesn't mean that there isn't a risk, as attackers now have a list of 2 million Ubuntu users, complete with their email addresses and IP addresses that could perhaps be used for phishing or other wrongdoing.
As a fix for the breach, Canonical has patched vBulletin and put in place a Web application firewall (WAF)—both actions that should have been present prior to the breach. Canonical is using the open-source ModSecurity WAF, which can be configured and used to limit the risks of potential SQL injection attacks.
For me, the bottom line is simple. It wasn't. Do we ascribe this one to a human error?
Clicking the "Thanks" button is a great motivator and a much appreciated courtesy!
All member donations, no matter how small, go directly towards keeping the servers up and the lights on!
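The post above contrasts a known, unpatched injection flaw with the WAF Canonical added afterwards. A WAF is a second line of defence; the first is the query itself. The following Python script is an added example (not code from the thread, vBulletin, Forumrunner or Canonical) that puts a string-spliced lookup next to its parameterized form against a constructed in-memory SQLite table, so the difference in behaviour on hostile input can be checked directly. Table layout, user rows and the probe string are all constructed for the example.

```python
import sqlite3

# Constructed rows standing in for a forum user table. The hashes are
# placeholders, not real bcrypt output.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "$2b$12$constructed-hash-1"),
    ("bob", "bob@example.com", "$2b$12$constructed-hash-2"),
    ("carol", "carol@example.com", "$2b$12$constructed-hash-3"),
]


def make_db():
    """Build an in-memory database with the constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "id INTEGER PRIMARY KEY, username TEXT, email TEXT, salted_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, salted_hash) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    return conn


def lookup_vulnerable(conn, username):
    """The defect: untrusted input is spliced into the SQL text, so the
    input can change the structure of the query, not just its value."""
    query = (
        "SELECT username, email FROM users WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """The fix: the driver binds the value separately from the SQL text,
    so the input is only ever compared as data."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?",
        (username,),
    ).fetchall()


def compare_on_probe(probe="' OR '1'='1"):
    """Run both lookups on the same input and return the row counts.

    With the textbook probe the spliced query degenerates into
    WHERE username = '' OR '1'='1', which matches every row, while the
    parameterized query looks for a user literally named that way.
    """
    conn = make_db()
    vulnerable_rows = len(lookup_vulnerable(conn, probe))
    safe_rows = len(lookup_parameterized(conn, probe))
    conn.close()
    return vulnerable_rows, safe_rows


if __name__ == "__main__":
    leaked, bound = compare_on_probe()
    print(f"string-built query returned {leaked} rows, parameterized returned {bound}")
```

The probe is deliberately the most basic one, because the point is not the probe but the mechanism: with parameter binding there is no input that can alter the query's shape, which is why it removes the bug class rather than filtering for it. A WAF such as ModSecurity can still catch attempts against code that was not written this way, but it is pattern matching, and patterns can be missed.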
- MrNiitriiX
- Premium Uploader
- Posts: 2197
- Joined: 19 Apr 2010, 14:52
- Location: between space and time
- Has thanked: 24 times
- Been thanked: 164 times
Re: UBUNTU Forum HAXED :P
Human error or not... this is the second time this has happened to Canonical, and a few months ago a similar issue with the Mint team (was a WordPress vulnerability if I recall correctly), which resulted in the download link redirecting to a modified ISO which had a backdoor in it.
The upside of this is that the linux community seems to be up front about these issues unlike companies like Microsoft who seems to keep pretty hush about breaches (potentially putting its users at risk). So that being said good on Ubuntu/Mint.
On the other side, not only was it a preventable issue, there is still a flaw which I can see at the time of writing this (they are still leaking server info):|
making it easier for potential hackers to gain access in the future... IMHO this is basic security that should be addressed...
**EDIT
To elaborate why showing server info is not a good idea... a simple Google search for: "apache 2.4.7 vulnerabilities" gives this...
Last edited by MrNiitriiX on 19 Jul 2016, 13:26, edited 5 times in total.
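The post above points at a version string in the response headers as something a defender should not be handing out. The following Python script is an added example (not code from the thread or from any of the projects it mentions) that parses raw HTTP response headers and flags the ones that disclose a software version, so the check can be run against a server's own output rather than eyeballed. The two header sets are constructed for the example; the Apache version string matches the one quoted in the post, the PHP version is made up.

```python
import re

# Constructed response heads. LEAKY shows what the post describes: a
# version-bearing Server header plus an X-Powered-By that is just as
# telling. HARDENED is what the same server returns once the banner is
# reduced to the product name and the PHP header is dropped.
LEAKY = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.7 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.5.9-1ubuntu4\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

# Headers that commonly carry software identity. Assumed list for the
# example; extend it for the stack you run.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# A product/version token such as "Apache/2.4.7" or "PHP/5.5.9".
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)+")


def parse_headers(raw):
    """Split a raw response head into a case-insensitive header dict.

    Only the head is parsed; parsing stops at the blank line so a body,
    if present, is ignored.
    """
    headers = {}
    lines = raw.split("\r\n")
    for line in lines[1:]:  # skip the status line
        if line == "":
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def disclosure_findings(raw):
    """Return (header, value) pairs that expose a product version."""
    headers = parse_headers(raw)
    findings = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if value and VERSION_RE.search(value):
            findings.append((name, value))
    return findings


if __name__ == "__main__":
    for label, head in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(label, disclosure_findings(head))
```

On Apache the banner is controlled by the `ServerTokens` and `ServerSignature` directives (`ServerTokens Prod` and `ServerSignature Off` leave only the product name), and PHP's `expose_php = Off` removes the `X-Powered-By` header; the script is there to confirm the result after the change rather than trusting the config file.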
- OnTheLimit
- R.I.P
- Posts: 50330
- Joined: 30 Nov 2011, 18:08
- Status: Court Jester and Agent Provocateur
- Has thanked: 55 times
- Been thanked: 78 times
Re: UBUNTU Forum HAXED :P
No question about it, someone at Canonical dropped the ball.
Clicking the "Thanks" button is a great motivator and a much appreciated courtesy!
All member donations, no matter how small, go directly towards keeping the servers up and the lights on!