Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
MacRumors Forums Downtime - Security Issue
- Thread starter arn
- Start date
- Sort by reaction score
I use an alias only on this site that I created on one of my iCloud accounts. I can delete it at any time.
I run a few vB forums so I was interested in hearing why this forum went down. Without knowing what happened, I actually started searching Google for Macrumors hacked just to see if that was what happened.
Good job getting the forum back and running. I'm sure you're tired. If there's anything I can do to help, let me know!
That what happens when you still working on a software (vB 3) that got to its EOL few years ago. It's a time for a change, as painful as it would be. With all the social media (Facebook/Twitter) and mobile designs, vB3 is not good anymore and keeps potential traffic out of this website (= loss of money).
SHA-2 isn't the fix for MD5. Bcrypt is
SHA-256 or SHA-512 are also 'ok' options for a few years, but give it 10 years and they'll be easy to crack.
Does this mean the forum software had not been updated for quite some time? If Ubuntu knew about it months ago was working with vBulletin on a resolution?
I hate to get all preachy but outdated forum/CMS software is the number one cause for these types of things...
I hate to get all preachy but outdated forum/CMS software is the number one cause for these types of things...
Just a question...But WHAT happened to the mobile interface? It looks totally messed up! Please tell me that it WILL be fixed!
Based on what Arn mentioned, it was a moderator account that was compromised which lead to the attacks. To the best of my knowledge it wasn't the forum software that was originally compromised.
I just checked it on my iPhone and it looks okay to me. What are you seeing, can you post a screenshot?
This needs to be at the top of every page.
I just changed a bunch or crucial passwords, but members deserve to know this BEFORE they read about Sapphire Glass Production
I just changed a bunch or crucial passwords, but members deserve to know this BEFORE they read about Sapphire Glass Production
You can reverse MD5-hashed strings? That's news to me, and I can't see anywhere else saying it. You have any info/article to explain it? Hashes fascinate me.
No, that's not really possible, as
1 - there caan be more than one string giving the same MD5
2 - it was designed to be hard to "reverse"
The goal of the MD5 and its family of hashing functions is
- to get short "extracts" from long string
- to make it hard to guess where they come from
- to make it hard to find collisions, that is other words having the same hash (which is a very similar exigence as the second one)
Think that you can get the MD5 of any string, even very long... And the MD5 is only 16 bytes long (32 if you write it in hexa to store or distribute it more easily). If you could reverse them, you'd have a magical compacting scheme.
This being said, as there aren't so many short strings (passwords...) used in the world, you can test them from a dictionary (that's called "brute force attack") or even google for your MD5. If the word is common and wasn't salted, you have a reasonable chance to succeed..
#MD5rainbow_fail
The manner in which vBulletin stores passwords is common knowledge and he didn't reveal anything the hackers don't already know.
vB's hashing is actually more like md5(md5(password) + salt)) so it's double hashed, for whatever that's worth. And TBH, unless you did something stupid and used an easy password, they're not going to be able to reverse it. MD5 is still a one way hash, it's only reversible because of rainbow tables - basically a giant table of common passwords (dictionary words, 1234567890, etc) and their hash, so given a hash, you can look up the corresponding value. If you're smart and used a good password, it won't be in the rainbow table.
Last edited:
I was so bored on my commute yesterday. These forums have let me live vicariously through others until I get my rMBP and having neither the forums OR a computer made me resort to refreshing anandtech's page all day.
Glad MR is back up!
Glad MR is back up!
1. True but giving one of the many options would be helpful
2. Designs don't always work as intended
He seemed to claim that it is now reversible, and also claimed that he was a security professional, so I'm keen to hear what he says about it.
You can't reverse md5 hashes. You can compare hashes using a database of strings that have been hashed, nothing more. That happens because we are not talking about an encryption method, which lets you reverse back to the original input. Being a hash, it is impossible to reverse it to get the original input.
The salt is safe, and the attacker has no access to it, unless shell access was stolen.
As I said, the salt is saved in a dedicated script page, which is not accessible from the forum software without perhaps an administrator account. The attacker got a moderator account, so no access to the salt.
While collisions in hashes exist, it is too much of a claim stating that one's salted, hashed password can be reversed.
Or prove me wrong, and reverse this: afcf61651e158e5f92e44965f7f80729
The string gets hashed and salted multiple times too, so your example is way too semplicistic.
Reading through this thread, I'd like once again to thank Arn and those he had helping him for their hard work on dealing with this. I wasn't part of the rescue operation, but I followed a bit from the sidelines and understood that it was a case of a few people putting everything else they had going on, on hold to take care of things as quickly as possible.
Did the hacker using moderator privileges get to do some banning or un-banning of users? Curious here....
Reverse is probably the wrong word - more like you can match it. A simple bruit force attack on a md5 hash will allow you to find a matching reversal. Given that these strings are salted you've got a slightly better chance of the match not being your actual password though.
An example of this being used would be in the large rainbow tables that have billions of records. These often contain a lot of passwords and the matching hashes. Obviously it's a lot less likely that their database of hashes/matches will contain password+salt however.
A lot of the MD5 tables have a 99.9% success rate - if you take a look here, you'll see them all available for public download: http://project-rainbowcrack.com/table.htm
Some online sites use these lists along with their own, and when you enter a hash will first check if its already been matched, and if it hasn't it adds it to the queue for matching.
I started trying to reverse the one I listed in my post yesterday (6ff01f01a2b090ce34acf1fbc28d04cd) at cmd5.org and it's currently showing as 11% complete - bearing in mind that's likely running multiple hash matches at once, and its only been about 6 hours. It'll have a match within 48 hours. It'll be interesting to see if it actually gets the 'real' password as a match, or a random string.
In any case - have a read here: http://codahale.com/how-to-safely-store-a-password/
----------
DOB's are stored along with your basic user details - so yes. They'll have:
- DOB
- Hashed/Salted password
- Salt string
- IP / Hostname
- etc
Basically anything in your user profile - they have now got.
----------
Ditto - it's got to have been a crap 24 hours for Arn. Good luck in sorting it all out.
Last edited:
Umm.. my old password was something like %not#inTere$t1ng. Good luck reversing it's md5 with rainbow tables. ETA 92,000 years. Countdown started.
Unless your password is hellokitty, chances are it's not reversible; salting is just a " let's make it even harder ".
I think we're making a big fuss out of it. Users should be secure but requesting to change their passwords is an extra security measure.
Bear in mind that even if you dump the whole database, passwords remain safe. Shell access is a different story.
Well, this isn't good.
My recommendation: MacRumors badly needs to update the software version of the forums. Even if the UI remains mostly the same, security should be #1 priority. And even if this exploit was not caused by outdated software, this is a good time to bring up the possibility of old software being hacked, which is a very real possibility.
Anyway, thanks to the MR team (especially Arn) for getting things up and running again.
My recommendation: MacRumors badly needs to update the software version of the forums. Even if the UI remains mostly the same, security should be #1 priority. And even if this exploit was not caused by outdated software, this is a good time to bring up the possibility of old software being hacked, which is a very real possibility.
Anyway, thanks to the MR team (especially Arn) for getting things up and running again.