MacRumors Forums Breach Exposes 860,000 Accounts
Wed, November 13, 2013
CSO — A popular Mac news website, MacRumors, reported that their forums were compromised on Tuesday. The attack led to the exposure of some 860,000 accounts, and is said to be similar to the one that took place on the Ubuntu forums earlier this summer.
In a statement to users, Arnold Kim, the Editorial Director for MacRumors.com, said that the breach appeared to be similar to the one that happened on the Ubuntu Forums in late July. However, he explained, administrators detected the breach as it was happening.
"Yesterday, we were hacked. We detected it relatively quickly, but are still going through the logs with a 3rd party security company," Kim said in a statement.
"We restored the forum from backups from before the incident. I'll fill you in more as we get more information back, as it's still early. But it's safest to assume at least part of the user table was taken, which means usernames, email addresses, and hashed passwords."
As mentioned, the MacRumors breach appears to be similar to the one suffered by the Ubuntu forums in late July. In both cases, an attacker compromised a moderator's account, and used that access to gain additional permissions, allowing them to target the user table. What isn't known, or at least what wasn't made public by MacRumors, is how the privilege elevation happened in their situation.
During the Ubuntu incident, the attacker used Cross-Site Scripting (XSS) to gain access to an administrator's account. They used the compromised moderator credentials to create an announcement with embedded XSS code, which let them steal an administrator's credentials. As an administrator, the attacker was able to use the hook feature available to administrators in vBulletin (the forum platform used by Ubuntu and MacRumors) to execute PHP code, which finalized the attack.
"The attacker installed a hook allowing them to execute arbitrary PHP passed in a query string argument. They used this mechanism to explore the environment and also to upload and install two widely available PHP shell kits. The attacker used these shell kits to upload and run some custom PHP code to dump the user table to a file on disk which they then downloaded," Canonical explained at the time.
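The hook Canonical describes took PHP from a query string argument, so its use leaves traces in web server access logs. The following is an added detection sketch, not code from Canonical, MacRumors or vBulletin: it scans "combined"-format log lines for query parameters whose decoded value looks like a PHP statement. The log lines, paths and the parameter name `c` are constructed, and the pattern is a heuristic that will not see code sent in POST bodies.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample lines in "combined" log format (not taken from either incident).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Nov/2013:10:01:02 +0000] "GET /forum/showthread.php?t=1234&page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Nov/2013:10:02:10 +0000] "GET /forum/index.php?c=phpinfo%28%29%3B HTTP/1.1" 200 48211 "-" "curl/7.30"
203.0.113.9 - - [12/Nov/2013:10:02:40 +0000] "GET /forum/index.php?c=var_dump%2528get_defined_vars%2528%2529%2529%253B HTTP/1.1" 200 913 "-" "curl/7.30"
198.51.100.22 - - [12/Nov/2013:10:03:00 +0000] "GET /forum/search.php?q=how+to+print+%28duplex%29 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Heuristic: a PHP open tag, a superglobal, or a function call terminated by ';'
# (one level of nested parentheses allowed). Plain search text rarely ends in ");".
PHP_CODE = re.compile(
    r"<\?php|\$_(?:GET|POST|REQUEST|COOKIE)\b"
    r"|\b[a-z_]\w*\s*\((?:[^()]|\([^()]*\))*\)\s*;",
    re.IGNORECASE,
)

def fully_decode(value, max_rounds=3):
    """Undo repeated URL-encoding, which is sometimes used to slip past filters."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_code_in_query(log_text):
    """Return one record per query parameter whose decoded value resembles PHP code."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, _method, target, status = m.groups()
        parts = urlsplit(target)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            decoded = fully_decode(value)
            if PHP_CODE.search(decoded):
                hits.append({"ip": ip, "path": parts.path, "param": name,
                             "value": decoded, "status": int(status)})
    return hits

if __name__ == "__main__":
    for hit in find_code_in_query(SAMPLE_LOG):
        print(hit)
```

A match is a lead for review rather than proof of compromise; the source address, the repeated parameter name and the response sizes help decide which requests to examine first.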