password needs to be reset

This topic is closed.
    Wayne Luke
    vBulletin Technical Support Lead

  • Wayne Luke
    replied
    Please refer to the announcement forum for any further information.

  • waldvb
    Senior Member

  • waldvb
    replied
    According to this page:
    http://arstechnica.com/security/2013...0-day-attacks/

    "We got shell, database and root server," the Inject0r Team Facebook post claimed. "We wanted to prove that nothing in this world is safe. We found a critical vulnerability in vBulletin all versions 4.x.x and 5.x.x."
    Hacks on sites using the widely used forum software spread to its maker.

  • Paul M
    Former Lead Developer
    vB.Com & vB.Org

  • Paul M
    replied
    Originally posted by ManagerJosh View Post
    With the level of access the attackers had, were our security questions accessible? Were they viewed?
    If they wanted to view them, and knew where to look, then yes, they could have.

    The IT people are still reviewing various logs and other items to determine what we can say for certain they read.
    If logs say they accessed something, then we know they did; if logs don't say it, then all we can say is they could have, but we can't confirm it.

  • ShyGuy82
    Senior Member

  • ShyGuy82
    replied
    For people who are getting a message to change the password more than once: I too changed my password and was prompted to change it again. It's a caching problem. CTRL+F5 fixes it.

  • ManagerJosh
    Senior Member

  • ManagerJosh
    replied
    Originally posted by Wayne Luke View Post

    No... There is no indication of that.
    Wayne, whether they were viewed is one question. Whether they were potentially accessible by the attackers is another.

    Therefore let me rephrase my questions.

    With the level of access the attackers had, were our security questions accessible? Were they viewed?

  • Wayne Luke
    vBulletin Technical Support Lead

  • Wayne Luke
    replied
    Originally posted by ManagerJosh View Post
    Were our license security questions accessible?
    No... There is no indication of that.

  • ManagerJosh
    Senior Member

  • ManagerJosh
    replied
    Were our license security questions accessible?

  • beishe8
    Senior Member

  • beishe8
    replied
    Originally posted by donald1234 View Post

    Is there some kind of forum war going on here, who are all these new sign ups?
    Join Date: Jun 2012

  • GrnEyedDvl
    New Member

  • GrnEyedDvl
    replied
    Originally posted by Wayne Luke View Post
    Emails were sent to all valid customer emails on Saturday for both vBulletin.com and vBulletin.org. If you did not receive the email, you should verify that your customer account has a valid and properly working email. You should also add vbulletin.com to your white list of email addresses.
    I can confirm that the emails went out, I got mine late Saturday or early Sunday.




    These hackers were able to compromise an insecure system that was used for testing vBulletin mobile applications. The best defense against potential compromises is to keep your system running on the very latest patch release of the software.
    However I have a HUGE problem with how/why this happened. Why the hell were you guys using a copy of your live database on a test system? That just isn't very smart. The reason it's a test system is so you can find its weaknesses, and those weaknesses (by virtue of being a weakness) exposed your customers only because you used live data. The very least you can do if you want to run a test against a big user base is write a script that changes everyone's email address and hash to something other than their real login information.

    Systems can have bugs, I accept that as normal. And beyond a doubt you have to have test systems set up. But what you do NOT have to do is put real live information on those systems. Spend 10 minutes and write a script that generates a million users all with BS information if you want a large user base.
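Added example (not part of any post in this thread and not vBulletin's code): the two options GrnEyedDvl's post describes, scrubbing a copy of a live user table before it reaches a test system, or generating a purely synthetic user base. The table layout, column names and sample rows are constructed assumptions.

```python
import secrets
import sqlite3

COLS = ("username", "email", "password", "salt", "secret_answer")

# Constructed rows standing in for a copy of a live user table (hypothetical schema).
LIVE_ROWS = [
    (1, "alice", "alice@corp.example", "5f4dcc3b5aa765d61d8327deb882cf99", "a1B", "rex"),
    (2, "bob", "bob@mail.example", "e99a18c428cb38d5f260853678922e03", "Zz9", "lisbon"),
]

def fake_user(uid, hash_len=32, salt_len=3):
    """Build one user row that contains no real data."""
    return (uid, f"user{uid}", f"user{uid}@test.invalid",
            secrets.token_hex(hash_len // 2),        # random, so no password maps to it
            secrets.token_hex(salt_len)[:salt_len],  # same length as the sample salts
            secrets.token_hex(8))                    # throwaway security answer

def open_db(rows):
    """Create an in-memory user table and load the given rows into it."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT, "
               "email TEXT, password TEXT, salt TEXT, secret_answer TEXT)")
    db.executemany("INSERT INTO user VALUES (?,?,?,?,?,?)", rows)
    return db

def scrub(db):
    """Overwrite every identifying or credential column; keep ids and row count."""
    ids = [r[0] for r in db.execute("SELECT userid FROM user")]
    for uid in ids:
        row = fake_user(uid)
        db.execute("UPDATE user SET username=?, email=?, password=?, salt=?, "
                   "secret_answer=? WHERE userid=?", row[1:] + (uid,))
    db.commit()
    return len(ids)

def leftovers(db, live_rows):
    """Return any live value that survived scrubbing (should be empty)."""
    live = {v for row in live_rows for v in row[1:]}
    now = {v for row in db.execute(f"SELECT {', '.join(COLS)} FROM user") for v in row}
    return live & now

def synthetic_db(n):
    """Alternative: build a large test user base with no live data at all."""
    return open_db(fake_user(i) for i in range(1, n + 1))

if __name__ == "__main__":
    db = open_db(LIVE_ROWS)
    print(scrub(db), "rows scrubbed; leftovers:", leftovers(db, LIVE_ROWS))
    print(synthetic_db(1000).execute("SELECT COUNT(*) FROM user").fetchone()[0], "synthetic users")
```

Running `leftovers` as a gate before a dump is copied off the production host catches columns the scrub missed.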

  • Wayne Luke
    vBulletin Technical Support Lead

  • Wayne Luke
    replied
    Originally posted by ToBeFree View Post
    Mind to explain why we didn't get an email about that? Why did I have to get this information here: http://www.heise.de/security/meldung...m-2048182.html ...instead of receiving information from you? Do you expect every user to login here every few days and to see that notice when logging in? Really?

    By the way, where is the thumbs-down smiley? Didn't expect that it would be needed one day?
    Emails were sent to all valid customer emails on Saturday for both vBulletin.com and vBulletin.org. If you did not receive the email, you should verify that your customer account has a valid and properly working email. You should also add vbulletin.com to your white list of email addresses.

  • Paul M
    Former Lead Developer
    vB.Com & vB.Org

  • Paul M
    commented on 's reply
    Yes, they would have had access if they had chosen to use it.
  • MoreLinux
    Member

  • MoreLinux
    replied
    @ToBeFree, there were emails sent out. From vbulletin.com and vbulletin.org. Maybe they were sent only to the license holder, so you might want to check with that person?

  • donald1234
    Senior Member

  • donald1234
    replied
    Originally posted by ToBeFree View Post
    Mind to explain why we didn't get an email about that? Why did I have to get this information here: http://www.heise.de/security/meldung...m-2048182.html ...instead of receiving information from you? Do you expect every user to login here every few days and to see that notice when logging in? Really?

    By the way, where is the thumbs-down smiley? Didn't expect that it would be needed one day?
    Is there some kind of forum war going on here, who are all these new sign ups?

  • Guest
    Guest

  • Guest
    Guest replied
    Mind to explain why we didn't get an email about that? Why did I have to get this information here: http://www.heise.de/security/meldung...m-2048182.html ...instead of receiving information from you? Do you expect every user to login here every few days and to see that notice when logging in? Really?

    By the way, where is the thumbs-down smiley? Didn't expect that it would be needed one day?

  • MoreLinux
    Member

  • MoreLinux
    replied
    @vBulletin team, **** happens. Thanks for the fast response and fast informing everybody.

    @the rest, the best thing everybody here can do is go home and keep an eye on your vBulletin board. Keep the board, server very up to date with patches. Also make sure you change your admin password on your own site too!! Maybe also on all the websites where you used the same email address as you used here.
