What is the status of the investigation on how everyone's account info was stolen? Should we assume the site vulnerability is still there waiting to be exploited again?
 
What is the status of the investigation on how everyone's account info was stolen? Should we assume the site vulnerability is still there waiting to be exploited again?

Lets assume they closed the hole completely. Your behavior should not be any different than if it was left open. So long as new exploits can and will be found, it is worth taking the same precautions you would anywhere.

Mainly, use a password manager, and generate unique passwords for each site, so an exploit in one only affects that account.
 
What is the status of the investigation on how everyone's account info was stolen? Should we assume the site vulnerability is still there waiting to be exploited again?

They logged into a moderator account, and escalated by posting an HTML announcement (it was a non-obvious setting).

1. All admin/mod passwords have been changed and will be forced rotated. Password managers used
2. HTML Announcements turned off for everyone (even admins)

So, those steps alone should plug the actual exploit that was used. But we've also done a lot more than just that, and are still working on more to improve security.

arn
 
Hello Arn,

Does it appear that the Vbulletin people will be doing anything to update/modify the passwd encryption/hashing methodology within their product?

If the answer is no, are you/MacRumors considering looking into Joomla or Drupal or some other product similar to Vbulletin?

Thank you for keeping this great forum up and operational.


They logged into a moderator account, and escalated by posting an HTML announcement (it was a non-obvious setting).

1. All admin/mod passwords have been changed and will be forced rotated. Password managers used
2. HTML Announcements turned off for everyone (even admins)

So, those steps alone should plug the actual exploit that was used. But we've also done a lot more than just that, and are still working on more to improve security.

arn
 
Hello Arn,

Does it appear that the Vbulletin people will be doing anything to update/modify the passwd encryption/hashing methodology within their product?

If the answer is no, are you/MacRumors considering looking into Joomla or Drupal or some other product similar to Vbulletin?

Thank you for keeping this great forum up and operational.

vBulletin 3.x is not in active development anymore, so it's unlikely that vBulletin will change out the hashing. They may change out hashing in the latest vBulletin 5.x branch, but that doesn't help us.

It is feasible to change out the hashing for vB 3, but it requires changes to core vB 3 files, and a lot of testing. It's something we are seriously looking into.

Drupal and Joomla aren't really vBulletin replacements. There is other forum software out there, but I don't think they are a good fit yet. I do expect we will eventually upgrade to not-vBulletin, but there isn't a good upgrade option at this time.

arn
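Swapping out the hash on a live vB 3 install is usually done transparently at login rather than by mass re-hashing, since the plaintext is only available when the user authenticates. The sketch below is an added example, not MacRumors' or vBulletin's code; it assumes the legacy scheme is md5(md5(password) + salt) with a short plaintext salt stored beside the hash (the form vBulletin 3 is commonly documented to use), and upgrades a verified record to PBKDF2-SHA256 with a random per-user salt.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # OWASP-recommended order of magnitude for PBKDF2-SHA256


def legacy_vb3_hash(password: str, salt: str) -> str:
    # Assumed legacy scheme: inner unsalted md5, then md5 of hex digest + salt.
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def make_legacy_record(password: str, salt: str) -> dict:
    # Constructed sample user record in the legacy format (not real data).
    return {"scheme": "vb3", "salt": salt, "hash": legacy_vb3_hash(password, salt)}


def modern_hash(password: str, salt: bytes = b"") -> str:
    # Self-describing string: algorithm, iteration count, salt and digest,
    # so the parameters can be raised later without another migration.
    if not salt:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_modern(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


def login(record: dict, password: str) -> bool:
    """Verify against whichever scheme the record uses.

    A successful login against a legacy hash rewrites the record in place
    to the modern scheme; a failed attempt leaves it untouched.
    """
    if record["scheme"] == "vb3":
        ok = hmac.compare_digest(legacy_vb3_hash(password, record["salt"]), record["hash"])
        if ok:
            record["scheme"] = "pbkdf2"
            record["hash"] = modern_hash(password)
            record["salt"] = ""  # salt now travels inside the hash string
        return ok
    return verify_modern(password, record["hash"])
```

Accounts that never log in again keep their legacy hash, so a forced password reset for inactive users is the usual follow-up.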
 
As I mentioned in an earlier post in this thread, a photography site in which I hang out has decided to make the leap from vB to something else.....and a few days ago they finally did just that. They also went to a new server for greater capacity and such, too. The changeover did not take nearly as long as had been anticipated. They'd been telling us it would be as long as five or six days, maybe even over a week, and yet everything was up and running in about three or four days if I recall correctly.

From what I have seen so far of the new software they are using, XenForo, it looks pretty good and seems to be very user-friendly. It's early days yet, of course, so if there are any major problems they have not yet cropped up. Users of the site seem pleased and so do the admins and mods as they have been working "under the hood" to make various adjustments if indicated. However, I do realize that while the other site is a busy and active one, it is nowhere near as large as MacRumors and of course this may be a consideration when it comes to choosing new forum software. I think there is a fair amount of flexibility built into the XenForo software but it may not be flexible in all the ways that are needed by MR.

Whatever, just my little update on how that change is working out for another forum that prior to this had been using vBulletin.
 
They logged into a moderator account, and escalated by posting an HTML announcement (it was a non-obvious setting).

1. All admin/mod passwords have been changed and will be forced rotated. Password managers used
2. HTML Announcements turned off for everyone (even admins)

So, those steps alone should plug the actual exploit that was used. But we've also done a lot more than just that, and are still working on more to improve security.

arn

Thanks for the update arn. Sounds like everything is under control.
 
As I mentioned in an earlier post in this thread, a photography site in which I hang out has decided to make the leap from vB to something else.....and a few days ago they finally did just that. They also went to a new server for greater capacity and such, too. The changeover did not take nearly as long as had been anticipated. They'd been telling us it would be as long as five or six days, maybe even over a week, and yet everything was up and running in about three or four days if I recall correctly.

From what I have seen so far of the new software they are using, XenForo, it looks pretty good and seems to be very user-friendly. It's early days yet, of course, so if there are any major problems they have not yet cropped up. Users of the site seem pleased and so do the admins and mods as they have been working "under the hood" to make various adjustments if indicated. However, I do realize that while the other site is a busy and active one, it is nowhere near as large as MacRumors and of course this may be a consideration when it comes to choosing new forum software. I think there is a fair amount of flexibility built into the XenForo software but it may not be flexible in all the ways that are needed by MR.

Whatever, just my little update on how that change is working out for another forum that prior to this had been using vBulletin.

I wouldn't recommend XenForo just yet until they patch up some of the vulnerabilities with RHEL cross-site scripting.
 
As I mentioned in an earlier post in this thread, a photography site in which I hang out has decided to make the leap from vB to something else.....and a few days ago they finally did just that. They also went to a new server for greater capacity and such, too. The changeover did not take nearly as long as had been anticipated. They'd been telling us it would be as long as five or six days, maybe even over a week, and yet everything was up and running in about three or four days if I recall correctly.

From what I have seen so far of the new software they are using, XenForo, it looks pretty good and seems to be very user-friendly. It's early days yet, of course, so if there are any major problems they have not yet cropped up. Users of the site seem pleased and so do the admins and mods as they have been working "under the hood" to make various adjustments if indicated. However, I do realize that while the other site is a busy and active one, it is nowhere near as large as MacRumors and of course this may be a consideration when it comes to choosing new forum software. I think there is a fair amount of flexibility built into the XenForo software but it may not be flexible in all the ways that are needed by MR.

Whatever, just my little update on how that change is working out for another forum that prior to this had been using vBulletin.

There are some security issues that they need to patch.

Furthermore, a large forum like Macrumors would not be easy to convert to XenForo. Not something you just do in a few days.
 
There are some security issues that they need to patch.

Furthermore, a large forum like Macrumors would not be easy to convert to XenForo. Not something you just do in a few days.

AV Forums have just moved over to Xenforo, so it's not impossible, albeit not trivial either.
 
AV Forums have just moved over to Xenforo, so it's not impossible, albeit not trivial either.

Yes, it's possible but it won't be easy; it all depends on the tools they supply for converting over. The amount of customizations that are applied matters: a generic implementation of Vbulletin is easier to convert than one that has a lot of specialized coding.
 
Even perfect security on websites won't stop password theft if malware can make it onto a user's workstation and log keystrokes.

From CNN: Two million passwords stolen via keylogger.

On Nov. 24, Trustwave researchers tracked that server, located in the Netherlands. They discovered compromised credentials for more than 93,000 websites, including:

• 318,000 Facebook (FB, Fortune 500) accounts
• 70,000 Gmail, Google+ and YouTube accounts
• 60,000 Yahoo (YHOO, Fortune 500) accounts
• 22,000 Twitter (TWTR) accounts
• 9,000 Odnoklassniki accounts (a Russian social network)
• 8,000 ADP (ADP, Fortune 500) accounts (ADP says it counted 2,400)
• 8,000 LinkedIn (LNKD) accounts
 
AV Forums have just moved over to Xenforo, so it's not impossible, albeit not trivial either.

Yes and AV Forums has been ruined.

Xenforo is definitely not the way to go; the only other platform I have come across that can compete with vbulletin is something called IP.Board.
 
It is amazing this thread is still going.

It has already served its purpose long ago.

The bottom line is that anything can be hacked, it is just a matter of time; and we have to all be careful and ever vigilant.

Other security theories and matters would reasonably belong in their own appropriate threads.

----------

I use a free open source platform and it works great with appropriate security measures.

It is called MyBB http://www.infamousdevelopers.com

But, even with all I have done I know that I have to be active, otherwise it, like any other platform, can be overrun.
 
It is amazing this thread is still going.

It has already served its purpose long ago.

The bottom line is that anything can be hacked, it is just a matter of time; and we have to all be careful and ever vigilant.

Other security theories and matters would reasonably belong in their own appropriate threads.

----------

I use a free open source platform and it works great with appropriate security measures.

It is called MyBB http://www.infamousdevelopers.com

But, even with all I have done I know that I have to be active, otherwise it, like any other platform, can be overrun.

There's a lot of forum software packages out there. MyBB, XenForo, vBulletin (vB3, which this forum is based on I believe is End Of Life), Invision Power etc.
 
There's a lot of forum software packages out there. MyBB, XenForo, vBulletin (vB3, which this forum is based on I believe is End Of Life), Invision Power etc.

Yeah, MR uses vB3, but while it's old (and pretty much unsupported), all bugs and security issues have been ironed out - I guess it's more secure than vB4 and vB5.

Remember, this hack wasn't because of an exploit, but a moderator's weak password - no system can be stronger than the weakest link (in this case, a moderator with a weak password).

+ MR probably uses tons of custom plugins which would not work in newer vB-versions, and would have to be re-coded (also the case if they changed to XenForo/whatever).
 
Yeah, MR uses vB3, but while it's old (and pretty much unsupported), all bugs and security issues have been ironed out - I guess it's more secure than vB4 and vB5.

Remember, this hack wasn't because of an exploit, but a moderator's weak password - no system can be stronger than the weakest link (in this case, a moderator with a weak password).

+ MR probably uses tons of custom plugins which would not work in newer vB-versions, and would have to be re-coded (also the case if they changed to XenForo/whatever).

vBulletin, Internet Brands- yuck. I didn't like working for them.

But yeah, passwords are a great thing hehe :D
 
It is amazing this thread is still going.

It has already served its purpose long ago.

The bottom line is that anything can be hacked, it is just a matter of time; and we have to all be careful and ever vigilant.

Other security theories and matters would reasonably belong in their own appropriate threads.

----------

I use a free open source platform and it works great with appropriate security measures.

It is called MyBB http://www.infamousdevelopers.com

But, even with all I have done I know that I have to be active, otherwise it, like any other platform, can be overrun.

Actually the thread was dead for over half a month before you just revived it. Thanks brah.
 