Account information for over half of the Comodo Forums' users has been stolen and is now being traded online. The breach was made possible by exploiting a vulnerability in the forum software.
Comodo published a security notice today informing users that an intruder may have had access to the forums' database.
"A new vulnerability has recently been made public in vBulletin software, one of the most popular internet forum server applications, including the Comodo Forums."
The bug in vBulletin is critical and easy to exploit. Details were made public a week ago, but exploit brokers had been aware of it for about three years before that.
Since exploit code has been released, attackers have begun hammering vBulletin-powered forums. One botnet has even gone as far as "securing" compromised servers by patching the vulnerable code so that executing a command through it requires a password, locking out competing attackers.
Comodo notifies forum users
According to Comodo's statement, an intruder exploited the vBulletin security flaw on Sunday at 4:57 AM EST, and their activity was "an early-stage investigation into potential data breaches at the Comodo Forums."
The main Comodo Forums run on the open-source Simple Machines Forum software; vBulletin is used on a separate board dedicated to product updates and discussions, with far fewer members. The ITarian forum, also owned by Comodo, has 45,300 users and runs on vBulletin as well. A similar announcement, with the same recommendations, was published there.
"User accounts on the forums contain information such as username, name, e-mail address, last IP used to access the forums and, if used, potentially some social media usernames in very limited situations." – Comodo
The notice states that all passwords were stored in hashed form, but forum users are advised to change them as a precaution.
Filling in the blanks
On a website where users trade and sell databases from data breaches and leaks, someone has offered a dump containing at least the password hash, email address and username of more than 170,000 Comodo Forums members. According to Comodo, around 245,000 users are registered on its forums.
Specifically, the person advertising the database claims that the dump comes from Comodo's forum running on Simple Machines Forum (SMF) and that the data is fresh as of 29 September. They also claim that the passwords are hashed with MD5, a fast, unsalted-by-design hash function that is not only considered weak but also makes it very cheap to brute-force or dictionary-attack the hashes and recover the original passwords.
We obtained a sample of the database and were able to verify that it is genuine. Most of the users in it were inactive Comodo Forums members, but one of them is an active user who confirmed to us that the email address is theirs and is the one used on the forum.
Although the full range of user information in the database is not clear, the sample we saw includes the following fields:
- IP address of the last login
- hashed password and its salt
- birth date, if provided
- security question
- hashed security answer
- registration date
- instant-messenger usernames
- total time logged in
Some of this data is normally visible only to the users themselves.
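The seller's claim above that the passwords are "MD5" and the "password and its salt" field in the sample raise the practical question of how much a per-user salt actually protects a leaked forum database. The following Python script is an added example written for this article; it is not code from Comodo, SMF, vBulletin or the person selling the dump, and the three user records, the salts and the wordlist in it are constructed. The hashing scheme md5(salt + password) is an assumption chosen for illustration, not the scheme used by any of the forums mentioned. It runs a dictionary attack against the salted MD5 records, then measures how much more each guess would cost against the same passwords protected by a deliberately slow KDF (scrypt from the standard library), which is what the salt alone does not buy you.

```python
import hashlib
import time

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "qwerty", "comodo2019", "letmein", "dragon", "sunshine"]


def md5_salted(password: str, salt: str) -> str:
    """Assumed legacy scheme: md5(salt + password), hex-encoded. Not SMF's or vBulletin's real scheme."""
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


def scrypt_salted(password: str, salt: str) -> str:
    """Memory-hard alternative from the standard library; same salt, much higher cost per guess."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt.encode("utf-8"),
                          n=2 ** 14, r=8, p=1, dklen=32).hex()


# Constructed sample records in the shape the article describes (salt plus hash per user).
# "carol" uses a password that is not in the wordlist and should survive the attack.
SAMPLE_RECORDS = [
    {"user": "alice", "salt": "a1b2", "hash": md5_salted("qwerty", "a1b2")},
    {"user": "bob",   "salt": "c3d4", "hash": md5_salted("comodo2019", "c3d4")},
    {"user": "carol", "salt": "e5f6", "hash": md5_salted("Tr0ub4dor&3!x", "e5f6")},
]


def crack_md5(records, wordlist):
    """Per-user dictionary attack. The salt only forces one MD5 per (user, guess);
    it does not stop the attack, because MD5 is fast enough that this is cheap."""
    found = {}
    for rec in records:
        for candidate in wordlist:
            if md5_salted(candidate, rec["salt"]) == rec["hash"]:
                found[rec["user"]] = candidate
                break
    return found


def guesses_needed(records, wordlist) -> int:
    """Total hash computations the attack above performs, cracked or not."""
    return len(records) * len(wordlist)


def cost_ratio(md5_trials: int = 200) -> float:
    """Wall-clock cost of one scrypt guess divided by the cost of one salted-MD5 guess.
    Timing varies by machine, but the ratio is orders of magnitude either way."""
    t0 = time.perf_counter()
    for _ in range(md5_trials):
        md5_salted("qwerty", "a1b2")
    md5_per_guess = (time.perf_counter() - t0) / md5_trials

    t1 = time.perf_counter()
    scrypt_salted("qwerty", "a1b2")
    scrypt_per_guess = time.perf_counter() - t1
    return scrypt_per_guess / max(md5_per_guess, 1e-9)


if __name__ == "__main__":
    hits = crack_md5(SAMPLE_RECORDS, WORDLIST)
    print(f"{guesses_needed(SAMPLE_RECORDS, WORDLIST)} MD5 guesses, recovered: {hits}")
    print(f"one scrypt guess costs about {cost_ratio():.0f}x one salted-MD5 guess")
```

Two things follow from running it: the salt stops an attacker from reusing one precomputed table across all 170,000 accounts, but it does not stop the per-account dictionary attack that recovers alice's and bob's passwords in a handful of guesses; only a slow, memory-hard KDF raises the cost of each of those guesses enough to matter. Either way, the advice in Comodo's notice to change forum passwords (and anywhere else the same password was reused) is the right response for affected users.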
BleepingComputer has reached out to Comodo for clarification on which forum was breached. We will update the article when we have new information.
Update [10.01.2019]: A person familiar with the matter told us that an earlier breach through the vBulletin vulnerability occurred on the ITarian forum. The attacker somehow also managed to access Comodo's SMF-based forum; one hypothesis is that they used stolen credentials.