{"id":713,"date":"2009-02-06T12:54:30","date_gmt":"2009-02-06T20:54:30","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/?p=713"},"modified":"2009-02-06T13:00:39","modified_gmt":"2009-02-06T21:00:39","slug":"over-400000-accounts-stolen-from-phpbb","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2009\/02\/06\/over-400000-accounts-stolen-from-phpbb\/","title":{"rendered":"Over 400,000 Accounts Stolen from phpBB"},"content":{"rendered":"<p>It was discovered last Saturday that an attacker was able to steal thousands of user accounts, passwords, and e-mails from phpBB.com.\u00a0 phpBB is open source and one of the most popular internet forum packages.\u00a0 The attack utilized a 0-day exploit in the PHPList third-party application to gain access to the password and configuration files on the site&#8217;s server.\u00a0 Later, the attacker made a blog post stating that (s)he had managed to acquire over 400,000 account details.\u00a0 To substantiate the claims, the attacker then posted the PHPList email list and phpBB.com&#8217;s user table.<\/p>\n<p>As this was a zero-day attack, there was no patch available at the time that could have prevented it. 
However, PHPList was patched two weeks after the vulnerability was discovered.\u00a0 The exploit was first published in mid-January, coinciding with the period during which the attacker had access to the files.\u00a0 It is likely that the attacker learned the exploit from its publication and used it to attack phpBB.<\/p>\n<p>A number of things could have been done to reduce the impact of this exploit.\u00a0 First, the publication of the exploit could have been delayed until a patch was developed.\u00a0 This could potentially have allowed the phpBB.com administrators to close the vulnerability before the attacker discovered that it existed.\u00a0 If the administrators had also encrypted user information such as emails and account names, the attacker would not have been able to decipher them in any meaningful amount of time.\u00a0 Finally, the passwords that the attacker was able to recover were stored as unsalted MD5 hashes.\u00a0 Salting the hash would have significantly increased the passwords&#8217; resistance to attacks.\u00a0 Additionally, using a different hash such as SHA-1 would have increased security.\u00a0 It has been fairly recently discovered that MD5 suffers from some design flaws that leave it susceptible to collisions.<\/p>\n<p>Unfortunately, not much more can be done in response to these kinds of attacks.\u00a0 Administrators may become wiser about encrypting identifiable information, but given that this is already known, it seems that administrators in general have not yet learned that lesson.\u00a0 Legally, it is already against the law to intrude into other people&#8217;s systems.\u00a0 When it is very hard to detect and identify an attacker, the law is not an adequate deterrent.\u00a0 Users may become increasingly aware that their identifiable information can be stolen if they share it with other parties, but ultimately they can&#8217;t avoid doing that indefinitely (or it may prove to be too 
inconvenient to avoid interaction).\u00a0 Encrypting user information would do well to mitigate the damage of information leakages, but given the way most organizations have failed to do so thus far and are continually leaking information, this may take additional education and maybe even legislation.<\/p>\n<p>link:<br \/>\nhttp:\/\/www.securityfocus.com\/brief\/902<br \/>\nhttp:\/\/www.heise-online.co.uk\/security\/phpBB-hacked-400-000-account-details-intercepted&#8211;\/news\/112567<br \/>\nhttp:\/\/www.phpbb.com\/index.php<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It was discovered last Saturday that an attacker was able to steal thousands of user accounts, passwords, and e-mails from phpBB.com.\u00a0 phpBB is open source and one of the most popular internet forum packages.\u00a0 The attack utilized a 0-day-exploit in &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2009\/02\/06\/over-400000-accounts-stolen-from-phpbb\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":83,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[172],"class_list":["post-713","post","type-post","status-publish","format-standard","hentry","category-current-events","tag-add-new-tag"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/713","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/83"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=713"}],"version-history":[{"count":5,"href":"https:\/\/secblog.cs.washin
gton.edu\/Security\/wp-json\/wp\/v2\/posts\/713\/revisions"}],"predecessor-version":[{"id":716,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/713\/revisions\/716"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=713"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=713"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=713"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}