vBulletin 0-Day Exploit Exposes User Info

[sebastianosmith]

This Arstechnica article indicates that there may be a newly-discovered zero-day vulnerability in vBulletin v4 and v5 which allows an attacker to fully expose account IDs, password hashes and possibly the entire database.

Normally, this would not concern me beyond the low probability of being e-mail spammed. However, since game and forum accounts are linked, the possibility of certain types of user information being exposed is unsettling.

Is Turbine aware of this and what steps, if any, have been taken to avoid user data being compromised?

[Vellrad]

Is Turbine aware of this and what steps, if any, have been taken to avoid user data being compromised?

Thanks for good laughs.

[whereispowderedsilve]

Bump for Tolero/Cordovan or management @ Turbine or WB to take notice of!

[enochiancub]

Considering some of the scumbags who frequent these boards thats actually mildly worrisome.

[Antheal]

Two words:

Offer Wall.

Remember that, and how that turned out? Turbine is probably fully aware of this issue and they just don't care. Again, just like with the Offer Wall.

[Tscheuss]

This is not a happy thing. Can we get a Read by XXXX or something?

[Tolero]

Turbine’s web devs track developments on this kind of news closely and they are always looking for ways to improve our sites on that front. Our implementation of vBulletin is highly customized and follows good security practices. A key part of this customization is that we do not store any personally identifiable information in the vBulletin database. Sensitive information, including account passwords, are handled by an entirely separate system. All authentication is handled by this separate system, and not via the forums software. While no software is 100% secure, we believe that we've taken the appropriate steps to protect your account information.

[Missing_Minds]

we believe that we've taken the appropriate steps to protect your account information.

When have we heard that one before...

[Eth]

Turbine’s web devs track developments on this kind of news closely and they are always looking for ways to improve our sites on that front. Our implementation of vBulletin is highly customized and follows good security practices. A key part of this customization is that we do not store any personally identifiable information in the vBulletin database. Sensitive information, including account passwords, are handled by an entirely separate system. All authentication is handled by this separate system, and not via the forums software. While no software is 100% secure, we believe that we've taken the appropriate steps to protect your account information.

Hopefully your Forum Log-In site is not linked to vBulletin either...

[sebastianosmith]

Turbine’s web devs track developments on this kind of news closely and they are always looking for ways to improve our sites on that front. Our implementation of vBulletin is highly customized and follows good security practices. A key part of this customization is that we do not store any personally identifiable information in the vBulletin database. Sensitive information, including account passwords, are handled by an entirely separate system. All authentication is handled by this separate system, and not via the forums software. While no software is 100% secure, we believe that we've taken the appropriate steps to protect your account information.

Hey Tolero,

Thank you for the feedback. I realize the forum and game share a common authentication server which is not part of vBulletin. My main concern was a quote in the article from Inject0r Team, specifically "We got shell, database and root server". I don't know how gaining root access through vBulletin might play out in an Linux/Nginx/VM environment because frankly my knowledge of that area is limited. But, as you say, nothing is 100% secure.

Thank you again for addressing these concerns.