Weekly Edition
Return to the Security page
| |||||||||||||
Ubuntu's forums return
Canonical has announced
the return of the Ubuntu forums to normal service; there is also a detailed
description of how the system was compromised. "In summary, the root
cause was a combination of a compromised individual account and the
configuration settings in vBulletin, the Forums application software.
There was no compromise of Ubuntu itself, or any other Canonical or Ubuntu
services. We have repaired and hardened the Ubuntu Forums, and as the
problematic settings are the default behaviour in vBulletin, we are working
with vBulletin staff to change and/or better document these
settings." It all started with a cross-site scripting attack.
(Log in to post comments)
Ubuntu's forums return Posted Jul 31, 2013 16:31 UTC (Wed) by Cato (subscriber, #7643) [Link]
One crucial missing action from that blog posting: converting all stored password hashes from the grossly insecure MD5(MD5(password)), with some salt, to a storage format such as bcrypt, scrypt or PBKDF2 that is not susceptible to password cracking at billions of guesses per second with suitable GPU hardware.
In other words - they've missed out the single factor that will have caused some people to have their accounts hacked on other sites. I wonder if they are going to do anything about this.
Ubuntu's forums return Posted Jul 31, 2013 17:03 UTC (Wed) by pixelpapst (guest, #55301) [Link]
Well, if I understood correctly, it's not possible to log in to the forums by password anymore. They've gone fully SSO, like the rest of Canonical's web-based services. AFAIR the code to canonical-identity-provider (which runs login.ubuntu.com) has been doing proper salted storage since forever. That the forum's database still stores a bunch of randomized strings in the password column should be completely irrelevant.
|
|||||||||||||