vBulletin, Foxit forums hacked, attacker exploited a zero-day flaw?

On Monday, a vBulletin support manager has announced on the company’s forums that they are forcing a password reset for all of its customers.

“Very recently, our security team discovered a sophisticated attack on our network. Our investigation indicates that the attacker may have accessed customer IDs and encrypted passwords on our systems,” she explained, and advised users to choose a new password that they haven’t used on the company’s website or anywhere else.

Simultaneously, a vBulletin technical support lead announced a security patch release for versions 5.1.4 through 5.1.9 of the popular vBulletin Internet forum software. There were no details about what hole(s) the patch plugs.

The announcements aren’t officially connected, but there are indications that the breach, executed on October 31, happened due to someone exploiting the now patched security issue.

In fact, it seems that another popular forum built on the vBulletin software has also been hit in the same manner: the Foxit Software’s forum. Unlike vBulletin’s forums, Foxit’s still remain offline.

So, who did it?

According to information presented by Dissent over at the Office of Inadequate Security, a hacker who goes by the handle Coldzer0 has apparently breached both forums, and has published evidence on YouTube and Facebook, including a screenshot that shows he gained shell access to vBulletin’s server. These videos and images have since been removed.

Coldzer0 claims to have obtained information on over 260,000 accounts on Foxit forum’s, and user IDs, names and email addresses, security questions and answers in plaintext, and password salts of some 480,000 subscribers.

But how did he manage to execute the hack?

A post by Coldzer0 that appeared on Monday on 0DAY.today says he is selling an exploit for a SQL injection vulnerability that he exploited to perform remote code execution on vBulletin’s servers. He even provided video proof of it.

Until vBulletin confirms any of this, administrators of sites using the software for their forums can only hope that the patch fixes that particular flaw, and move to implement it as soon as possible.

Don't miss