Exclusive - openSUSE Forum Hacked; 79500 Users Data Compromised

After the Snapchat hack, this could be another of the worst data breaches of the new year. A Pakistani hacker, 'H4x0r HuSsY', has successfully compromised the official forum of openSUSE, a Linux distro developed, sponsored and supported by SUSE.
The hacker managed to deface the forum and uploaded a custom message page, as shown, and the account information of 79,500 registered users may have been compromised. (The forum was defaced at the time of writing.)

The forum of the popular website MacRumors, which is based on vBulletin, a famous forum software, was compromised last November using an alleged zero-day exploit. The openSUSE forum is also based on vBulletin.

Another interesting fact is that openSUSE is still using vBulletin 4.2.1, which is vulnerable to a flaw that allows rogue administrator accounts to be injected, whereas the latest patched version, vBulletin 5.0.5, is available. Possibly, the hacker exploited the same or another known vulnerability in vBulletin 4.2.1 to access the website's administrative panel.
Zone-H Mirror of the defaced page: http://zone-h.org/mirror/id/21473823

It seems that the openSUSE team is not even aware of the data breach, but we have informed them and are also trying to contact the hacker for further information.

Update (7:00 PM Tuesday, January 7, 2014 GMT): The Pakistani hacker confirmed that he has uploaded a PHP shell to the forum server using his own private vBulletin zero-day exploit, which allows him to browse, read or write/overwrite any file on the forum server without root privileges.

The hacker shared a few screenshots with us:
[Screenshots: openSUSE Forum Hacked]

He also claimed to have full access to the users' database; however, he has promised not to disclose the database dump because the purpose of the hack is only to highlight the security weakness.

Another important claim by the hacker is that the latest version, vBulletin 5.0.5, is also vulnerable to his zero-day exploit and that no patch is yet available to fix it. He noticed that after our news report the server administrator removed the defaced page, but to prove his exploit he has uploaded another file to the server:
[Screenshot: openSUSE Forum Hacked]
There are thousands of forums using vBulletin software, and many of them are huge. The hacker has not shared any information about the vulnerability, but we are sure that the official vBulletin team will treat this critical threat as a high-priority fix.

Update (7:24 PM Tuesday, January 7, 2014 GMT): The openSUSE team has informed users via tweets about the breach: "Warning: Our forums are down because they were defaced. We're currently investigating what exactly has happened."
But they have also said, "Rest assured, no user credentials have been leaked as we use a single sign on system for our services. Note that we use SSO so we don't think we lost any account data."
[Screenshot: openSUSE Forum Hacked]
After openSUSE's tweet, the hacker shared some sample database screenshots on his Facebook account to prove the database hack. We have partially blurred the screenshot before sharing, to keep sensitive data secure, as shown above.

Update (4:00 AM Wednesday, January 8, 2014 GMT): In a blog post, the openSUSE team confirmed that their website and database have been hacked, but that users' passwords have not been compromised.
"A cracker managed to exploit a vulnerability in the forum software which made it possible to upload files and gave access to the forum database."
The team explained that they are using a single-sign-on system (Access Manager from NetIQ) that manages the real passwords.
"Credentials for your openSUSE login are not saved in our application databases as we use a single-sign-on system (Access Manager from NetIQ) for all our services. This is a completely separate system and it has not been compromised by this crack. What the cracker reported as compromised passwords were indeed random, automatically set strings that are in no way connected to your real password."
