Some 35,000 websites including those run by fortune 1000 companies that use proprietary internet message board vBulletin have been hacked via a dangerous flaw in the software.
Security experts criticised the company for not adequately informing customers. Many of the affected sites had malware foisted on their sites which could infect visitors and were enslaved by botnets.
Attackers had gained administrative rights on affected sites by using simple tools created by hackers that made breaching vBulletin sites as simple as clicking a button, researchers found.
Users reported on vBulletin forums that hundreds of sites were being hacked on 5 September yet the company had still not disclosed the root cause of the vulnerability.
A tech support lead said users should delete the “4.X - /install/” and “5.X - /core/install” install directories.
Imperva security strategy director Barry Shteiman said attackers could gain admin access by sending a 'message' to a vBulletin website.
“The vulnerability [we] found allows any attacker, even a simple attacker, to send a message to a vBulletin website and the effect of that attack is that the website now has a new admin account,” Shteiman told SC.
“You can't get higher than admin on any system."
The hack tools created administrator accounts named Th3H4ck and supportvb. Some 5000 of the 35,000 affected sites contained the surreptitious supportvb username which was loaded using a tool created by hacker @docindetectable).
Vulnerable sites could be found using Google searches for certain vBulletin identifiers.
“If you're using third-party software that you haven't written in-house, make sure you constantly check for updates and security issues,” Shteiman said, adding this application security problem is not being addressed with the sense of urgency it deserves.
“I expect a vendor to come out and tell its customers, 'We have a major vulnerability.'”
- With Darren Pauli