Forum Security: How forums are hacked

Discussion in 'Security and Legal' started by djbaxter, Jul 23, 2013.

  1. djbaxter

    djbaxter Regular Member

    Joined: Jul 4, 2009 | Messages: 261 | Likes Received: 162 | Location: Ottawa ON Canada

    I know that when your forum has been hacked you feel angry, furious, violated, enraged, and the first thing any of us do is look for someone or something to blame for what just happened. Of late, I see a lot of people blaming the software, with vBulletin and vBSEO coming in for more than their share. I have argued previously that in most of the cases I have seen the problem is not the software (although some of them have been from running outdated software with known vulnerabilities). More frequently, it is poor server security, inactive members with administrative access, or weak passwords.

    I received this in an email just now today from Simple Machines Forum (SMF). I'm reposting it as an alert to forum owners:

     
    Brandon, zappaDPJ and ProSportsForums like this.
  2. zappaDPJ

    zappaDPJ Regular Member

    Joined: May 27, 2013 | Messages: 250 | Likes Received: 165 | Location: London, England

    Thanks for the heads up. I didn't get the email nor did any of my staff. As I own or admin a number of large SMF sites, I'm not too happy about that. That's a pretty serious breach.
     
  3. Cerberus

    Cerberus Admin Talk Staff

    Joined: May 3, 2009 | Messages: 1,031 | Likes Received: 500

    If you do not want to be hacked do not use shit software. At this point the only forum software that is proactive is XenForo. Anything else is reactive. vBulletin is hacked much less now due to its popularity and the most hacked/exploited paid software now is IPB. They have daily zero day exploits. Also, any free software is an obvious target. So, you should really expect that from an open source forum software like SMF and the various others.

    I really put the blame on the admin/owners of the site for going cheap when building a site. How could you not spend the money to protect your investment of time? That is just silly in my mind.
     
  4. GTB

    GTB Regular Member

    Joined: Jun 30, 2009 | Messages: 1,792 | Likes Received: 270

    That's not fair because SMF have made a point of saying it wasn't the forum software's fault for them getting hacked. Remember, servers can get hacked if not secure enough. I've seen people post on XenForo before that their forum got hacked, only to see members jump in blaming it on their server.

    Quote taken from that announcement posted on SMF

     
    djbaxter likes this.
  5. djbaxter

    djbaxter Regular Member

    Joined: Jul 4, 2009 | Messages: 261 | Likes Received: 162 | Location: Ottawa ON Canada

    I agree. Most of the time, the software is not to blame, as was the case here. The vulnerability was with the humans using that software.
     
  6. GTB

    GTB Regular Member

    Joined: Jun 30, 2009 | Messages: 1,792 | Likes Received: 270

    Also, it seems other sites have been hacked using the same (or similar) method - but different software. I'm a member on SMF, so my data was stolen in this.
     
    Last edited: Jul 24, 2013
    djbaxter likes this.
  7. Autopilot

    Autopilot Regular Member

    Joined: Jul 27, 2013 | Messages: 514 | Likes Received: 334

    And yet after that major breach they release this
    One can't help but think their reason for the breach, an inept admin, is a farce. Why would a "CRITICAL SECURITY PATCH" be required if that's all it was? They have been warned repeatedly over the years there were major holes in their software, by staff and members, which have been denied and members and staff ridiculed for fear mongering.
     
  8. GTB

    GTB Regular Member

    Joined: Jun 30, 2009 | Messages: 1,792 | Likes Received: 270

    Well that's obviously come later on "after the fact", and yes it does make it look then as though there may indeed have been a weakness that got hacked in the forum software. Does look a coincidence they should now release a security patch.

    But then again, you don't know if it is just a coincidence?
     
    djbaxter likes this.
  9. Autopilot

    Autopilot Regular Member

    Joined: Jul 27, 2013 | Messages: 514 | Likes Received: 334

    No, I don't know that it is a coincidence. But it does appear very suspicious to me given their history. I've used SMF in various forms over 10+ years; it hasn't been until 2.0 went gold that there seems to have been more security issues than before. But then it's like someone else said, you get what you pay for. One can't expect or demand quality or attention to detail when coders don't have a vested interest.
     
    Last edited: Aug 20, 2013
