READ AND CHANGE PASSWORDS - Security warning

Discussion in 'Announcements' started by x3sphere, Mar 18, 2012.

  1. x3sphere

    x3sphere Administrator Staff Member

    Joined:
    May 17, 2006
    Messages:
    14,693
    Likes Received:
    129
    Last played:
    Sunset Overdrive on Xbox One
    From March 4 to the 14th, an attacker used an injection flaw in vBulletin to capture login requests from the forums. While we've since located and fixed the issue (no thanks to vBulletin...), several passwords were taken in plaintext, as the malware was injected into the login form itself. Therefore, it is recommended to change your passwords immediately, especially if you are using your eXophase.com password for any other services.

    We've been investigating this since last week and wanted to make sure other areas of the site were not compromised before going public.
     
  2. slicer4ever

    slicer4ever Coding random shit

    Joined:
    Nov 17, 2008
    Messages:
    1,444
    Likes Received:
    3
    Last played:
    Destiny on Xbox One
    I'm assuming this had to do with the recent outage as well?

    Also, wasn't the forum supposed to be changed over to XenForo at one point?
     
  3. x3sphere

    x3sphere Administrator Staff Member

    Joined:
    May 17, 2006
    Messages:
    14,693
    Likes Received:
    129
    Last played:
    Sunset Overdrive on Xbox One
    Yup it was; if we'd switched sooner this would've never happened. Going to try and make the switch happen by next month. vB has really pissed me off. A lot of forums are vulnerable to this and vB has done nothing.

    The outage was related, though it wasn't supposed to be that long... ran into an unexpected problem but it was fixed.
     
  4. Seth

    Seth MD Party Room

    Joined:
    Oct 17, 2008
    Messages:
    2,863
    Likes Received:
    1
    Last played:
    Sunset Overdrive on Xbox One
    Shouldn't this be one of those forced resets and not just a forum post?
     
  5. x3sphere

    x3sphere Administrator Staff Member

    Joined:
    May 17, 2006
    Messages:
    14,693
    Likes Received:
    129
    Last played:
    Sunset Overdrive on Xbox One
    There doesn't seem to be a way to just force everyone to reset, I'd have to code it myself. An email will be going out soon...
     
  6. Darkchild

    Darkchild The Doctor

    Joined:
    Apr 1, 2007
    Messages:
    3,193
    Likes Received:
    62
    Last played:
    The Last of Us™ on PS3
    Found something interesting about this name "XenForo".

    From Wikipedia:

    XenForo is a commercial Internet forum software written in the PHP programming language using the Zend Framework. The software is developed by a team led by former vBulletin lead developers Kier Darby and Mike Sullivan. The first public beta release of XenForo was released in October 2010. XenForo 1.0.0 Stable has been released on March 8, 2011 [1]
     
  7. madsoul

    madsoul Member

    Joined:
    Oct 16, 2008
    Messages:
    819
    Likes Received:
    0
    Hmm... Got a password recovery request from Gameloft yesterday that I had not requested. I haven't touched the Gameloft Live service for many, many months, so it seems like it could have something to do with this? I might have had the same login there... Glad I have something more complicated for gmail itself heh. Scary as always.
     
  8. MenaceInc

    MenaceInc Staff Member Staff Member

    Joined:
    Mar 1, 2007
    Messages:
    4,508
    Likes Received:
    43
    Last played:
    Counter-Strike: Global Offensive on Steam
    I've said it before and I'll say it again. Use KeePass people and set a different password for each website.
     
  9. MartinObviously

    MartinObviously I'm Obviously just Martin

    Joined:
    Feb 7, 2010
    Messages:
    45
    Likes Received:
    0
    This is one of the few sites I have different passwords for! lol probably just as well.
     
  10. El Xando

    El Xando "Dam whippersnapper"

    Joined:
    Oct 20, 2008
    Messages:
    1,253
    Likes Received:
    2
    Last played:
    Halo 2 (PC) on Games for Windows Live
    I like how you posted this after I asked :p
    I have downloaded it, set it up so it needs a master password and file, and am generating 20 character passwords :)
     
  11. Trigun

    Trigun That guy, who Records Music.

    Joined:
    Oct 20, 2008
    Messages:
    1,315
    Likes Received:
    3
    Would it matter if we are set to auto-login?
     
  12. x3sphere

    x3sphere Administrator Staff Member

    Joined:
    May 17, 2006
    Messages:
    14,693
    Likes Received:
    129
    Last played:
    Sunset Overdrive on Xbox One
    Yes, anyone that visited the forum from 4-14 is at risk.
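The last few posts ask whether auto-login users are at risk and whether a forced reset could be done instead of relying on a forum announcement. The script below is an added example written for this thread, not code from the forum or from vBulletin, and it assumes a hypothetical account table with a single last-visit date, a password-changed date and an optional auto-login ("remember me") token. Because only the most recent visit is stored, it conservatively flags every account seen on or after the day the capture began, exempting only accounts whose password was already changed after the window closed, and it clears the auto-login token so a stolen cookie or password stops working.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Account:
    """Hypothetical account record (constructed for this example)."""
    user_id: int
    username: str
    last_visit: date                      # most recent visit seen by the forum
    password_changed: date                # when the current password hash was set
    remember_token: Optional[str] = None  # auto-login cookie secret, if any
    must_change_password: bool = False


# Compromise window from the announcement: March 4 to March 14, 2012.
WINDOW_START = date(2012, 3, 4)
WINDOW_END = date(2012, 3, 14)


def force_reset_for_window(accounts: List[Account],
                           window_start: date,
                           window_end: date) -> List[int]:
    """Flag accounts whose credentials may have passed through the injected
    login form, and kill their auto-login tokens.

    Only the latest visit date is available, so an account seen on or after
    window_start is treated as exposed unless its password was rotated after
    the window ended. Returns the ids of the accounts flagged.
    """
    flagged = []
    for acct in accounts:
        seen_since_capture_began = acct.last_visit >= window_start
        rotated_after_window = acct.password_changed > window_end
        if seen_since_capture_began and not rotated_after_window:
            acct.must_change_password = True   # force a new password at next login
            acct.remember_token = None         # auto-login cookie is no longer trusted
            flagged.append(acct.user_id)
    return flagged


def make_sample_accounts() -> List[Account]:
    """Constructed sample data, not real forum accounts."""
    return [
        Account(1, "alice", date(2012, 3, 10), date(2012, 1, 1)),                 # visited in window
        Account(2, "bob", date(2012, 3, 2), date(2012, 1, 1)),                    # not seen since before the window
        Account(3, "carol", date(2012, 3, 17), date(2012, 3, 16)),                # already changed password after fix
        Account(4, "dave", date(2012, 3, 17), date(2012, 2, 1), "remember-me"),   # auto-login, never rotated
    ]


if __name__ == "__main__":
    accounts = make_sample_accounts()
    print("flagged user ids:", force_reset_for_window(accounts, WINDOW_START, WINDOW_END))
    for acct in accounts:
        print(acct.username, "reset:", acct.must_change_password, "token:", acct.remember_token)
```

Applying this to a real forum database would mean updating the equivalent columns in one transaction and then sending the notification email; the flag must be checked by the login handler so the user cannot keep using the exposed password.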
     
  13. Trigun

    Trigun That guy, who Records Music.

    Joined:
    Oct 20, 2008
    Messages:
    1,315
    Likes Received:
    3
    Alright, I'll change it. Thanks for the heads up, man.
     
  14. MartinObviously

    MartinObviously I'm Obviously just Martin

    Joined:
    Feb 7, 2010
    Messages:
    45
    Likes Received:
    0
    What version of vBulletin is used here? I'm registered to a forum elsewhere using vBulletin also, and I would like to know if it could ever be put at risk should it be targeted.
     
  15. x3sphere

    x3sphere Administrator Staff Member

    Joined:
    May 17, 2006
    Messages:
    14,693
    Likes Received:
    129
    Last played:
    Sunset Overdrive on Xbox One
    4.0.5. We haven't even updated it since, believe it or not, new versions seem to introduce new exploits. But the exploit that hit us affects all versions: vBulletin doesn't block corrupt images from being uploaded, so someone can tack on server-side code to an avatar, for instance.

    A quick fix is to either disable uploading of images or whitelist filetypes on any image directory.

    Frankly, I don't trust vB at all at this point so uploads of any kind can't be done on the forum anymore.
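The post above describes the weak spot (image uploads that are not checked for appended server-side code) and the quick fix (a filetype whitelist on the image directory). The checker below is an added example written for this thread, not code from the forum or from vBulletin; it assumes a hypothetical avatar upload handler that passes the declared filename and the raw bytes to `check_upload`. It whitelists extensions, requires the content to carry the matching magic bytes, walks the PNG chunk list with CRC verification so anything after IEND is rejected, checks JPEG and GIF for data after their end markers, and finally refuses files that contain script markers anywhere (which also catches code hidden inside an otherwise valid PNG text chunk). All sample files are constructed inline.

```python
import struct
import zlib

# Allowed avatar extensions mapped to the magic bytes each must start with.
# This whitelist is constructed for the example, not taken from vBulletin.
ALLOWED_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# End-of-image markers for the formats checked by trailer rather than by
# structure parsing (PNG is parsed chunk by chunk below).
END_MARKERS = {"jpg": b"\xff\xd9", "jpeg": b"\xff\xd9", "gif": b";"}

# Byte sequences that have no business inside an avatar.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def png_trailing_bytes(data: bytes) -> int:
    """Walk the PNG chunk list, verifying each CRC.

    Returns the number of bytes after the IEND chunk (0 for a clean file),
    or -1 if the structure is malformed or IEND is missing.
    """
    pos = 8  # skip the 8-byte PNG signature
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            return -1
        (expected,) = struct.unpack(">I", crc)
        if expected != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            return -1
        pos += 12 + length
        if ctype == b"IEND":
            return len(data) - pos
    return -1


def check_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason) for a candidate avatar upload."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension {ext!r} is not whitelisted"
    if not data.startswith(ALLOWED_SIGNATURES[ext]):
        return False, "content does not match the declared image type"
    if ext == "png":
        extra = png_trailing_bytes(data)
        if extra < 0:
            return False, "malformed PNG chunk structure"
    else:
        end_marker = END_MARKERS[ext]
        end = data.rfind(end_marker)
        if end < 0:
            return False, "missing image end marker"
        extra = len(data) - (end + len(end_marker))
    if extra > 0:
        return False, f"{extra} bytes of trailing data after image end"
    lowered = data.lower()
    for marker in SCRIPT_MARKERS:
        if marker in lowered:
            return False, f"script marker {marker!r} embedded in image data"
    return True, "ok"


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk with a correct CRC (used only to construct samples)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


_IHDR = _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))  # 1x1 grayscale
_IDAT = _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))                    # filter byte + one pixel
_IEND = _png_chunk(b"IEND", b"")

# Constructed sample files, not real uploads from the forum.
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + _IHDR + _IDAT + _IEND
POLYGLOT_PNG = CLEAN_PNG + b"<?php echo 'appended'; ?>"          # code tacked on after IEND
TEXT_CHUNK_PNG = (b"\x89PNG\r\n\x1a\n" + _IHDR
                  + _png_chunk(b"tEXt", b"Comment\x00<?php echo 'hidden'; ?>")
                  + _IDAT + _IEND)                               # valid chunks, code inside tEXt
CLEAN_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b";"

if __name__ == "__main__":
    for name, blob in [("avatar.png", CLEAN_PNG), ("avatar.png", POLYGLOT_PNG),
                       ("avatar.png", TEXT_CHUNK_PNG), ("avatar.php", CLEAN_PNG),
                       ("avatar.gif", CLEAN_GIF)]:
        print(name, check_upload(name, blob))
```

The trailer check for JPEG and GIF is weaker than the PNG walk, since appended data that happens to end with the same marker would pass it; the script-marker scan is the backstop for that case. Independently of content checks, the directory the files land in should not be allowed to execute scripts at all, which is what the whitelist-on-the-image-directory fix in the post achieves.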
     
  16. HerpDerp

    HerpDerp Wubwubwub

    Joined:
    Aug 23, 2011
    Messages:
    16
    Likes Received:
    0
    Well, that's peachy..
     
  17. MenaceInc

    MenaceInc Staff Member Staff Member

    Joined:
    Mar 1, 2007
    Messages:
    4,508
    Likes Received:
    43
    Last played:
    Counter-Strike: Global Offensive on Steam
    We're stuck with our current avatars then? D:
     
  18. MartinObviously

    MartinObviously I'm Obviously just Martin

    Joined:
    Feb 7, 2010
    Messages:
    45
    Likes Received:
    0
    fanx for dat x3spear :3
     
  19. x3sphere

    x3sphere Administrator Staff Member

    Joined:
    May 17, 2006
    Messages:
    14,693
    Likes Received:
    129
    Last played:
    Sunset Overdrive on Xbox One
    You should still be able to change it. Upload to an external host then use the URL directly in the edit avatar field.
     
  20. eldiablov

    eldiablov Contributor

    Joined:
    Oct 17, 2008
    Messages:
    2,161
    Likes Received:
    5