
Ubuntu's forums return

Canonical has announced the return of the Ubuntu forums to normal service; there is also a detailed description of how the system was compromised. "In summary, the root cause was a combination of a compromised individual account and the configuration settings in vBulletin, the Forums application software. There was no compromise of Ubuntu itself, or any other Canonical or Ubuntu services. We have repaired and hardened the Ubuntu Forums, and as the problematic settings are the default behaviour in vBulletin, we are working with vBulletin staff to change and/or better document these settings." It all started with a cross-site scripting attack.

Ubuntu's forums return

Posted Jul 31, 2013 16:31 UTC (Wed) by Cato (subscriber, #7643) [Link]

One crucial missing action from that blog posting: converting all stored password hashes from the grossly insecure MD5(MD5(password)), with some salt, to a storage format such as bcrypt, scrypt or PBKDF2 that is not susceptible to password cracking at billions of guesses per second with suitable GPU hardware.

In other words - they've missed out the single factor that will have caused some people to have their accounts hacked on other sites. I wonder if they are going to do anything about this.
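The conversion Cato asks for can be done without waiting for each user to log in again: wrap every stored legacy digest in a slow, salted hash, and at login recompute the legacy layer first. The following is an added example, not code from the thread or from vBulletin; the exact concatenation order in legacy_hash, the iteration count and the record layout are assumptions.

```python
import hashlib
import hmac
import os

# Work factor for the new outer layer; a constructed value, tune it for your hardware.
PBKDF2_ITERATIONS = 200_000


def legacy_hash(password: str, salt: str) -> str:
    """Legacy scheme as described in the thread: MD5(MD5(password)) with a salt.
    The concatenation order (inner hex digest + salt) is an assumption for illustration."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def wrap_legacy(legacy_digest: str) -> dict:
    """Upgrade one stored legacy digest without knowing the plaintext: run PBKDF2-HMAC-SHA256
    over the digest with a fresh per-user salt. The legacy salt must still be kept so the
    inner MD5 layer can be recomputed at login; the legacy digest itself is discarded."""
    new_salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", legacy_digest.encode("ascii"), new_salt, PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2_sha256(md5md5)", "salt": new_salt,
            "iterations": PBKDF2_ITERATIONS, "dk": dk}


def migrate_table(rows: dict) -> dict:
    """Bulk migration of a user table {username: (legacy_digest, legacy_salt)}.
    Returns {username: (wrapped_record, legacy_salt)}."""
    return {user: (wrap_legacy(digest), legacy_salt)
            for user, (digest, legacy_salt) in rows.items()}


def verify(password: str, legacy_salt: str, record: dict) -> bool:
    """Login check against a wrapped record: recompute the legacy digest from the candidate
    password, then the PBKDF2 layer, and compare in constant time."""
    legacy = legacy_hash(password, legacy_salt)
    dk = hashlib.pbkdf2_hmac("sha256", legacy.encode("ascii"), record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["dk"])


if __name__ == "__main__":
    # Constructed sample table in the legacy format.
    users = {"alice": (legacy_hash("correct horse", "k3"), "k3")}
    migrated = migrate_table(users)
    rec, salt = migrated["alice"]
    print("alice ok:", verify("correct horse", salt, rec))       # True
    print("alice wrong:", verify("battery staple", salt, rec))   # False
```

Once a user has logged in successfully, the service can replace the wrapped record with a direct PBKDF2 (or bcrypt/scrypt) hash of the plaintext, retiring the MD5 layer entirely.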

Ubuntu's forums return

Posted Jul 31, 2013 17:03 UTC (Wed) by pixelpapst (guest, #55301) [Link]

Well, if I understood correctly, it's not possible to log in to the forums by password anymore. They've gone fully SSO, like the rest of Canonical's web-based services. AFAIR the code to canonical-identity-provider (which runs login.ubuntu.com) has been doing proper salted storage since forever. That the forum's database still stores a bunch of randomized strings in the password column should be completely irrelevant.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds