Anatomy of a Breach: Ubuntu Forums — 1.82 Million Accounts and the Open Source Community Under Fire

> series: anatomy_of_a_breach —— part: 055 —— target: ubuntu_forums —— accounts: 1,820,000 —— method: sql_injection

Hedgehog Security 31 July 2013 11 min read

1.82 million Linux users' credentials. Stolen through SQL injection. In 2013.

In July 2013, Canonical disclosed that the Ubuntu Forums (ubuntuforums.org) had been compromised through a known SQL injection vulnerability in the vBulletin forum software. The attackers extracted approximately 1.82 million usernames, email addresses and hashed passwords; the hashes were vBulletin's salted MD5, a fast scheme that does little to slow offline cracking. The site was taken offline while the breach was investigated and remediated.

The irony was not lost on the security community: a platform serving Ubuntu, one of the most security-conscious operating system communities, had fallen to SQL injection, one of the oldest and best-understood web application vulnerabilities. The vBulletin installation had not been patched against a flaw the vendor had already fixed. The breach showed that even technically sophisticated communities are exposed when the infrastructure that supports them is not maintained with the same rigour as the software they produce.


Recommended

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call

SQL injection in vBulletin — a known, patched vulnerability.

The flaw exploited was a known SQL injection vulnerability in vBulletin for which the vendor had already shipped a patch. The Ubuntu Forums installation had not applied it. This is the same pattern we have documented repeatedly throughout this series: known vulnerability, available patch, patch not applied, breach follows. Cyber Essentials requires critical and high-risk patches to be applied within 14 days, a control that would have closed this window before the attackers found it.

SQL Injection — The Vulnerability That Will Not Die
From <a href="/blog/anatomy-of-a-breach-heartland-payment-systems">Heartland</a> (2008) through <a href="/blog/anatomy-of-a-breach-hbgary-federal">HBGary</a> (2011) to <a href="/blog/anatomy-of-a-breach-lulzsec">LulzSec's NHS attack</a> (2011) and now Ubuntu Forums (2013), SQL injection has appeared in almost every year of this series. Our <a href="/penetration-testing/web-application">web application testing</a> finds SQL injection in production applications routinely — because organisations routinely fail to patch and test.
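The mechanism behind every SQL injection in this series is the same: attacker-controlled text is spliced into a query string and the database parses it as SQL. The following is an added example written for this article, not code from the page, from vBulletin or from any of the breaches named above. It builds a constructed forum-style user table in an in-memory SQLite database, runs a lookup the vulnerable way and the parameterised way, and shows what a tautology payload returns from each. The table, rows and payload are constructed for the demonstration and do not reproduce the specific vBulletin flaw.

```python
"""Generic SQL injection beside its parameterised fix (added example).

Nothing here is taken from vBulletin or from the Ubuntu Forums breach; the
schema, rows and payload are constructed so the mechanism can be run offline.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a minimal forum user table with stored hashes.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (userid INTEGER, username TEXT, email TEXT, "
        "password TEXT, salt TEXT)"
    )
    conn.executemany(
        "INSERT INTO user VALUES (?, ?, ?, ?, ?)",
        [
            (1, "admin", "admin@forum.example", "5f4dcc3b5aa765d61d8327deb882cf99", "x1"),
            (2, "alice", "alice@corp.example", "e99a18c428cb38d5f260853678922e03", "y2"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable: the caller's string becomes part of the SQL text, so a
    # quote in the input closes the literal and the rest is parsed as SQL.
    sql = (
        "SELECT username, email, password, salt FROM user "
        f"WHERE username = '{username}'"
    )
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, username: str) -> list:
    # Fixed: the value is bound as a parameter and compared as data only.
    sql = "SELECT username, email, password, salt FROM user WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed payload: closes the literal and appends an always-true clause,
# turning a single-user lookup into a dump of the whole table.
PAYLOAD = "nobody' OR '1'='1"


def demo() -> dict:
    """Row counts returned for an honest username and for the payload."""
    conn = make_db()
    return {
        "honest_vulnerable": len(lookup_vulnerable(conn, "alice")),
        "payload_vulnerable": len(lookup_vulnerable(conn, PAYLOAD)),
        "honest_fixed": len(lookup_fixed(conn, "alice")),
        "payload_fixed": len(lookup_fixed(conn, PAYLOAD)),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

Against the vulnerable lookup the payload returns every row, hashes and salts included, which is exactly the kind of extraction this breach involved; against the parameterised version it matches nothing, because there is no user literally named `nobody' OR '1'='1`. Vendor patches fix the queries the vendor wrote; the parameterised form is what your own code, themes and plugins need, and it is what a web application test checks for.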
Third-Party Software Must Be Maintained
vBulletin, WordPress, Drupal, Joomla — third-party platforms require patching and maintenance. When organisations deploy these platforms and then neglect them, they create the same risk as any unpatched system. Our <a href="/vulnerability-scanning">vulnerability scanning</a> identifies outdated third-party software.
Community Platforms Serve High-Value Users
Many Ubuntu Forums users are IT professionals, system administrators and developers, exactly the people who hold privileged access to corporate infrastructure. If they reused their forum password at work, the stolen hashes are a pathway into their employers, and a fast hash does little to slow an attacker who tries common passwords against the dump offline. <a href="https://www.socinabox.co.uk/blog/what-is-the-dark-web-business-guide">Dark web monitoring</a> through <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects when your staff's credentials appear in breach datasets like this one.
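To make the reuse risk concrete, here is an added example written for this article (not code from the page, from vBulletin or from SOC in a Box). It takes a constructed breach dump of email, salt and hash, a constructed list of an employer's staff addresses, and a short constructed wordlist, then shows the two questions a defender asks: which staff appear in the dump, and which of their hashes fall to cheap offline guessing. The hash scheme used, md5(md5(password) + salt), is this editor's description of what vBulletin 3 and 4 stored; the page itself says only that the passwords were hashed. Every email, salt and password below is invented for the demo.

```python
"""Staff exposure and offline-guessing check against a forum breach dump.

Added example. Assumes a vBulletin 3/4-style hash, md5(md5(password) + salt);
that scheme is the editor's assumption, not something the page states. All
addresses, salts, passwords and the wordlist are constructed for the demo.
"""
import hashlib


def vb_hash(password: str, salt: str) -> str:
    # Assumed vBulletin 3/4 scheme: hex MD5 of the password, then MD5 of
    # that hex string concatenated with the per-user salt. Two MD5 calls
    # per guess, so an attacker can try many candidates per second offline.
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


# Constructed breach dump: (email, salt, stored hash). The plaintexts are
# chosen so the demo can show one cracked staff account, one uncracked staff
# account and one cracked account that is not staff.
BREACH = [
    ("alice@corp.example", "Kp3", vb_hash("Summer2013!", "Kp3")),
    ("bob@corp.example", "9zQ", vb_hash("correct horse battery staple", "9zQ")),
    ("carol@elsewhere.example", "aa1", vb_hash("hunter2", "aa1")),
]

# Constructed employer directory and a tiny constructed guess list.
STAFF = {"alice@corp.example", "bob@corp.example", "dave@corp.example"}
WORDLIST = ["password", "Summer2013!", "hunter2", "ubuntu"]


def exposed_staff(breach: list, staff: set) -> list:
    """Staff addresses that appear in the dump (the monitoring alert)."""
    return sorted(email for email, _, _ in breach if email in staff)


def crack(breach: list, wordlist: list) -> dict:
    """Offline guessing: recompute the hash per salt for each candidate."""
    found = {}
    for email, salt, stored in breach:
        for candidate in wordlist:
            if vb_hash(candidate, salt) == stored:
                found[email] = candidate
                break
    return found


def reuse_risk(breach: list, staff: set, wordlist: list) -> list:
    """Staff whose forum password was recovered and must be assumed reused."""
    cracked = crack(breach, wordlist)
    return [(email, cracked[email]) for email in exposed_staff(breach, staff)
            if email in cracked]


if __name__ == "__main__":
    print("in dump:", exposed_staff(BREACH, STAFF))
    print("recovered:", crack(BREACH, WORDLIST))
    print("reset now:", reuse_risk(BREACH, STAFF, WORDLIST))
```

The monitoring alert is the first function: an address in the dump means a forced reset and an MFA check regardless of whether the hash has been cracked, because the attacker has as long as they like and a far larger wordlist than four entries. The second and third functions show why the salt alone does not rescue a fast hash: the per-user salt stops a single precomputed table from covering every row, but each guess still costs two MD5 operations, so a common password falls immediately while a long passphrase survives the list.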
Volunteer-Run ≠ Secure
Community platforms are often maintained by volunteers with limited time and security expertise. The Ubuntu Forums breach was not a reflection of Canonical's corporate security but of the challenges of maintaining volunteer-run infrastructure to enterprise security standards. For any organisation hosting community platforms, <a href="/penetration-testing/web-application">regular web application testing</a> is essential.

Patch your platforms. Test your web applications.

The Ubuntu Forums breach teaches a simple lesson that has appeared in almost every year of this series: known vulnerabilities in web applications must be patched promptly, and web applications must be security tested regularly. Cyber Essentials mandates patching. Our web application testing identifies the SQL injections that patching alone does not address, those in custom code, themes and plugins. SOC in a Box monitors for the exploitation attempts that target known vulnerabilities. And UK Cyber Defence provides incident response when a web application breach occurs.


SQL injection in 2013. In a Linux community forum. The vulnerability will not die until you test for it.

Our <a href="/penetration-testing/web-application">web application testing</a> finds the SQL injections. <a href="/vulnerability-scanning">Vulnerability scanning</a> identifies unpatched platforms. <a href="/cyber-essentials">Cyber Essentials</a> mandates 14-day critical patching.
