Web forum software provider vBulletin has issued statements denying the existence of an unmitigated zero-day flaw, insisting instead that hackers breached the company’s networks by way of a vulnerable application testing system.
A hacker collective called Inj3ct0r Team has been asserting that it was able to compromise vBulletin.com by exploiting a zero-day vulnerability that affects vBulletin versions 4.x and 5.x, exposing users’ login credentials. While the breach has been confirmed, the method is still unknown.
“Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password,” vBulletin’s Lead Technical Support Wayne Luke wrote in a blog post late last week.
In a very brief follow-up post, Luke stated, “Given our analysis of the evidence provided by the Inject0r team, we do not believe that they have uncovered a 0-day vulnerability in vBulletin. These hackers were able to compromise an insecure system that was used for testing vBulletin mobile applications. The best defense against potential compromises is to keep your system running on the very latest patch release of the software.”
Inj3ct0r Team is also being connected to the hack of MacRumors last week using the same zero-day vulnerability, and the same group has apparently also breached the DEFCON user forums, claiming to have made copies of the systems’ database before the admins shut down the site as a security precaution.
Regardless of vBulletin’s denials, the alleged zero-day vulnerability has been available for purchase on the black market for $700 since shortly after the MacRumors hack, and just a short time before vBulletin announced that its systems were compromised.