Ubuntu Linux Forums Hacked -- IP Address, Username, Email of 2M Accounts Compromised

Canonical announced on Friday that Ubuntu forums have been hacked. The company adds that data such as IP address, username, and email address of over two million users have been compromised. BetaNews reports: Keep in mind, this does not mean that the operating system has experienced a vulnerability or weakness. The only thing affected are the online forums that people use to discuss the OS. Still, such a hack is embarrassing as it happened due to Canonical's failure to install a patch.In a blog post, Jane Silber, Chief Executive Officer, Canonical said, "after some initial investigation, we were able to confirm there had been an exposure of data and shut down the Forums as a precautionary measure. Deeper investigation revealed that there was a known SQL injection vulnerability in the Forumrunner add-on in the Forums which had not yet been patched."

Too Bad They Used Linux

They should have used a BSD (preferably Open) for their host.

Oh well. Sucks to be them.

Re:Too Bad They Used Linux

[LichtSpektren]

The vulnerability was an SQL injection. The operating system had nothing to do with it.

Re:Too Bad They Used Linux

They should have used SQL Server instead of MySQL.

Re:Too Bad They Used Linux

[hideki.adam]

It has nothing to do with that either.

It's to do with inputs not being sanitized AGAIN at a guess. wouldn't matter which SQL it was if the code was written by a crack addicted monkey with no concept of security (which apparently it was)

Re:Too Bad They Used Linux

Ah yes, here comes the Linux apologists trying to deflect any blame from Teh Liuxxxx!!!!!!

Re:Too Bad They Used Linux

[CajunArson]

Yeah, if that level of granularity was used every time there was a security vulnerability related to software that runs on Windows then it might be relevant.

Not to mention the fact that Ubuntu isn't linux: It's a linux distribution that expressly provides an entire software stack, including the software that got hacked here.

Re:Too Bad They Used Linux

Looks like M$ is a contender in the race to the bottom.

Seriously though, management, through rehire/outsourcing methods, keeps pushing wages down. As the wages get lower the skills brought to the workplace are also going to suffer. This is basic COMMON SENSE. Though, lately, I am thinking I should call it UNcommon sense, as nobody seems to display it anymore.

Re:Too Bad They Used Linux

[perpenso]

Yeah, if that level of granularity was used every time there was a security vulnerability related to software that runs on Windows then it might be relevant.

Not to mention the fact that Ubuntu isn't linux: It's a linux distribution that expressly provides an entire software stack, including the software that got hacked here.

Don't be obtuse. "Linux" is most commonly used to refer to the complete server or desktop environment. When Linux fans are championing and encouraging people to switch their server or desktop to Linux they are referring to the entire environment not merely the kernel. Just as when Windows gets hacked and its something in the "software stack" and not the kernel itself, often something from a 3rd party not Microsoft. Matter of fact when the only "Linux" thing in an environment is the Linux kernel we tend not to call it "Linux" at all, for example Android. So don't start with this "Linux" only refers to the kernel nonsense, that is not how the word is used, and that includes within the Linux community.

Re:Too Bad They Used Linux

[AlphaBro]

The right sentiment, but not entirely true, actually. Some SQL injection bugs are only exploitable when a specific dialect of SQL is used under the hood. Some support query stacking (MSSQL), while others don't by default. Some allow for easy creation of files on the server's filesystem (MySQL), some don't. It's not exactly the norm, but also not uncommon for the behavior of a SQL dialect to mitigate a vulnerability. Not that one should rely on such behaviors for security, but it can assist. That's not to say this is a case where a different version of SQL would have helped, of course. I haven't looked at the details.

Re: Too Bad They Used Linux

It does lead to confusion though. It doesn't take a lot of giggling to see that.

Re:Too Bad They Used Linux

[LichtSpektren]

Yeah, if that level of granularity was used every time there was a security vulnerability related to software that runs on Windows then it might be relevant.

Not to mention the fact that Ubuntu isn't linux: It's a linux distribution that expressly provides an entire software stack, including the software that got hacked here.

SQL injections have nothing to do with the platform you're running them on. It's a result of sloppy programming. The same thing can happen on just about every OS and every SQL daemon.

You might have a point about Windows being unfairly maligned if it weren't for e.g. Internet Explorer being so thoroughly integrated into the OS that its vulnerabilities in the browser can be exploited even if the user doesn't use it.

Re:Too Bad They Used Linux

[LichtSpektren]

Ah yes, here comes the Linux apologists trying to deflect any blame from Teh Liuxxxx!!!!!!

That's a fair point, since Microsoft's products are totally immune to SQL injection -- oh wait, no they're not, you knob.

Re:Too Bad They Used Linux

Well, the operating system allowed the modification of key files. wooops.

Re: Too Bad They Used Linux

It does lead to confusion though. It doesn't take a lot of giggling to see that.

No, it leads to no confusion at all. People who understand what a kernel is understand the dual use of the word "linux" and easily figure it out from context. For those that don't know what a kernel is there is no problem there either since the context matches what everyone tells them, including the fanboys, that linux is a complete operating system that rivals Windows and Mac OSX.

But yeah, we do giggle at the fanboys who get all defensive when linux appears in a negative context.

Re:Too Bad They Used Linux

Well, the operating system allowed the modification of key files. wooops.

And Mac OS X does not allow modifications of system files and thus proves once again that it is the superior *nix environment. :-)

Re:Too Bad They Used Linux

But... but.... but.... Teh Mikr0sophtzzzz!!!!!!

That's all you Linux cunts know how to do when the truth comes out about your shit, right?

Keep sucking Linus' cock. He loves splooging in your mouth.

Re:Too Bad They Used Linux

You saw, or you were told?

Re: Too Bad They Used Linux

It's funny when the person behind this comment is probably sitting on the toilet at work taking a shit laughing at his comment, and will go back to his desk and open a terminal or Linux virtual machine n keep working checking his anonymous comment.

Re:Too Bad They Used Linux

Yeah. This ain't just the kernel getting a pass for semantic reasons. This is like saying that a bug in Photoshop is because Windoze is teh suck.

Re:Too Bad They Used Linux

[Bengie]

If you think sanitizing inputs protects against SQL injection, I have a bridge to sell you. You need to parameterize/prepare your inputs, which separates your commands from your data. If your inputs cannot change your commands, then all it well.

Re:Too Bad They Used Linux

[Bengie]

Nice link of how not to use MS SQL correctly. General rule of thumb, you can't fix stupid. They will always find a away to use tool incorrectly.

Re:Too Bad They Used Linux

What's it like siding with lazy, ignorant people who misuse words?

Re:Too Bad They Used Linux

The vulnerability was an SQL injection. The operating system had nothing to do with it.

I didn't read the article but the summary does not mention SQL injection. From the summary:
"... it happened due to Canonical's failure to install a patch."

Re:Too Bad They Used Linux

What's it like siding with lazy, ignorant people who misuse words?

Yes, lazy ignorant people like Linus Torvalds who have been referring to the operating system as Linux since the early 1990s.

online forums software can be hard to update

[Joe_Dragon]

online forums software can be hard to update if any mods / plug in's are in use.

Re:online forums software can be hard to update

Online anything that uses plugins.

We have a few Wordpress clients, and all of their environments are setup to auto-patch the core and plugins nightly.

But that doesn't help us when they go an install some plugin they found that doesn't ever get updates.

Re:online forums software can be hard to update

[dgatwood]

online forums software can be hard to update if any mods / plug in's are in use.

The thing is, you shouldn't need to update them. The biggest problem on the Internet today, IMO, is that so much of our user-facing infrastructure software was written before modern database access techniques, such as the use of parameterized queries.

In my personal life, the very first thing I do before I install any piece of client-facing software is audit the thing top to bottom, making sure every single SQL query uses parameterized queries, and rewriting it when I see them. If the software is too big for this to be practical, it doesn't get installed on my server—a lesson I learned the hard way after a PHPBB instance got vandalized anonymously. As a result, I now use a custom fork of JXBD that replaces every single query with parameterized versions (available on GitHub). It is small enough to be auditable, and as an added bonus, I was able to integrate it more cleanly with my existing login infrastructure.

If everyone would adopt that same level of caution, all this ancient cruft would get cleaned up pretty quickly, and folks wouldn't need to update their bulletin boards every few weeks to fix the latest SQL injection attack, because the BBSs' SQL access code would be secure by design. I would encourage Ubuntu to similarly systematically rework everything they run on their websites and then contribute fixes upstream so that everybody benefits from their effort.

Re:online forums software can be hard to update

[Qzukk]

The real problem is that if you google for a tutorial, half the tutorials out there were written before modern database access techniques and nobody ever takes them down, so new programmers become "educated stupid" (to borrow from the timecube guy).

Re:online forums software can be hard to update

[The-Ixian]

I had to search the Internet to know what a parameterized query is.

I am not a programmer but I have written some web applications in Perl.

Turns out, I have been using parameterized queries all along for my inserts and updates.

So, there you go, Internet documentation, at least for Perl's DBI appears to "educate smart"

Re:online forums software can be hard to update

True, but note that parametrized queries are not the panacea of safe SQL-ing. All is good with that until the driver has a bug and allows an injection. Happened with Drupal. Happened with some Java things. Don't know if it ever happened to PDO and PsycoPg.

Re:online forums software can be hard to update

Yes, Perl, Python and probably even Java. It is that piece of shit template-language and bad excuse for a programming-language-wannabe called PHP that caused this mess. So many PHP "tutorials" That just mysql_query("SELECT user_id WHERE username=$_POST['username'] AND password=$_POST['password']");

Re:online forums software can be hard to update

[dgatwood]

Certainly, but when those bugs are discovered, they typically get patched automatically as part of your normal OS update schedule, not as a specific patch to the web frontend (which often gets heavily customized for a particular site, and thus are messier to upgrade). And those bugs are hopefully rare.

As for Drupal, that's actually just another example of the problem I'm describing. A high-level CMS should not provide its own database drivers that construct SQL queries themselves. From a security perspective, IMO, that's really not significantly different from building SQL queries by string concatenation, except that the Drupal solution is cleaner and more general-purpose. It is still a user-facing web front end that is doing its own SQL construction when it could get that functionality almost for free by using code that the PHP core already provides.

IMO, Drupal should be working with various groups that provide the drivers that are built into PHP already, adding features as needed to support their requirements, with the goal of eventually removing their own drivers entirely. Every time you reinvent the wheel, you significantly increase the risk of adding bugs. More code requires more maintainers, and there are only so many people who care about improving SQL drivers. Thus, the more SQL drivers available for each SQL implementation, the lower quality each one will be. And if every large web service provided its own driver, you'd have hundreds of these things, each with its own bugs.

This really is one of those areas where less is more. I'll give Drupal a partial pass for now, because they were doing this back in a day when parameterized queries probably weren't supported in the PHP core. But in the long run, all that custom driver code needs to die and be replaced with one of the standard drivers. From a security perspective, that's the only approach that really makes sense.

Fantastic

[subk]

Love the metadata on the image they used in TFA.. "Hacker desk laptop hoodie hacking hooded". I guess a white dude with facial hair and a hoodie is automatically "hacking" if he has a laptop out.

Re:Fantastic

I agree. They should've used a nigguh because we know that only nigguhs and tacos can be gangstas. If a whitie does it then its legal, see Clinton as an example.

Re: Fantastic

Just make sure you use -uh of -ah on the suffix, then it's okay, I think? That means they're cool and our educated friends in society. Don't even think about the -er, oh god no, cause then uze bout to die muthafuckah, (see what I did there?). Even Asian dude baddass Jackie Chan couldn't pull this off successfully.

Re:Fantastic

Niggas steal laptops and sell them for crack they don't know how to use them, and tacos only know how to use facebook

Re:Fantastic

[KiloByte]

Crap, a hoodie! I knew I've forgotten something in order to be a real hacker!

Re:Fantastic

[antdude]

They should had used Mr. Robot's Elliot Alderson then. :P

I'm going to sue ...

[CaptainDork]

... those bastards.

On a related note, my lawyer wants to know what the terms, "ubuntu," and "linux," and "forum," mean.

Help here, please?

Re:I'm going to sue ...

[Errol+backfiring]

"Ubuntu" means "I am because you are", "Linux" is an open source operating system and a "forum" is a place where people get together. In other words, this is all about sharing. In this case they shared passwords, even without trying to. Your point is ...?

Re:I'm going to sue ...

[110010001000]

Linux is a kernel. There are no people on a forum, just HTML.

Re: I'm going to sue ...

HTML is people too. #codelivesmatter

Re:I'm going to sue ...

[dgatwood]

So I am a kernel because you are HTML?

Re:I'm going to sue ...

Yeah, you should sue the entire internet. Good luck with that.

Re:I'm going to sue ...

[dcollins117]

Ubuntu is an ancient african word meaning "I couldn't figure out how install Debian."

I know it's old, but that's one of my favorite jokes.

Re:I'm going to sue ...

On my new laptop, that was literally true. Only connection fast enough to download packages was through wifi, and wifi driver was not a standard Debian package, making life miserable for the better part of a week while I tried to figure it out. Multiple attempts through USB key failed; no CD drive. Eventually gave up and put Ubuntu on. Not really a fan, just happens to work.

Re:I'm going to sue ...

I have been using Ubuntu for a while, due to wanting to just have something that works and supports some of the stuff I wanted to do without a lot of hassle. About a year ago, mostly because I hate Unity, I moved to Mate which is an Ubuntu distro that supports the forked Gnome 2. Many, many problems went away and I was back in an environment I could stand, again without a lot of hassle.

Re:I'm going to sue ...

Mate is not an Ubuntu distro.

Re:I'm going to sue ...

Mate is an Ubuntu distro.

FTFY.

https://ubuntu-mate.org/

I am pretty happy with this

[HBI]

I read TFA and it seems like they had some good practices in place. True, there was some contiguous PII released that could be used, along with other data, to identify someone. That said, they didn't lose any passwords.

Good on them. Sure, getting hit sucks, but this could have been a lot worse.

Re:I am pretty happy with this

Good on them. Sure, getting hit sucks, but this could have been a lot worse.

They got hit with a SQL injection.

Everyone of them needs to line up in their tidy whiteys and run a gauntlet where they are beaned with Windows and AOL disks until they bleed; while being laughed at. If any are on Slashdot, they should be marked with a dunce cap by their UID.

And we should start a meme - hacked by script kiddies should be known as being "Canonical'd".

Re: I am pretty happy with this

Heh, yeah, like the semi-recent Mint issue where bad OS isos got distributed from the repo with backdoors?

Re: I am pretty happy with this

These are our guys, though, AC! It's ok when we make mistakes. Just ask the parent!

Now, if this was Micro$haft, your comments would be fine.

Again?

23/07/2013

Hello,

You are receiving this message because you have an account registered with this address on ubuntuforums.org.

The Ubuntu forums software was compromised by an external attacker. As a result, the attacker has gained access to read your username, email address and an encrypted copy of your password from the forum database.

If you have used this password and email address to authenticate at any other website, you are urged to reset the password on those accounts immediately as the attacker may be able to use the compromised personal information to access these other accounts. It is important to have a distinct password for different accounts.

The ubuntuforums.org website is currently offline and we are working to restore this service. Please take the time to change your ubuntuforums.org account password when service is restored.

We apologize for any inconvenience to the Ubuntu community, thank you for your understanding.

The Canonical Sysadmins.

Re:Again?

[NotInHere]

But this time, the attackers haven't got any passwords. From the announcement:

No active passwords were accessed; the passwords stored in this table were random strings as the Ubuntu Forums rely on Ubuntu Single Sign On for logins.

Yeah right

Like there really 2 million people that would stoop low enough to use linsux, let alone a specific version. Talk about padding your account registrations!

This 'leak' was probably an internal job to show off these inflated numbers!

Re:Yeah right

[sgage]

Paul Thurrott, is that you?

Re:Yeah right

Well probably 1.9 million of those were spam accounts. Ever ran a forum?

hackme.houghi.org

[houghi]

I hope they were not able to link my domain http://hackme.houghi.org/ to my IP address, because that would mean I am extremely hackable.

Re:hackme.houghi.org

[KiloByte]

Leaked IP address, username and email address. Hmm... Let's take a look at any Debian bug report submitted using reportbug:

From kilobyte@angband.pl Wed Jul 13 16:11:52 2016
Received: (at submit) by bugs.debian.org; 13 Jul 2016 16:11:52 +0000
[...]
Received: from tartarus.angband.pl ([2a03:9300:10::8])
        by buxtehude.debian.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
        (Exim 4.84_2)
        (envelope-from <kilobyte@angband.pl>)
        id 1bNMlM-0000VI-F4
        for submit@bugs.debian.org; Wed, 13 Jul 2016 16:11:52 +0000
Received: from umbar.angband.pl ([2001:6a0:118::6])
        by tartarus.angband.pl with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
        (Exim 4.84_2)
        (envelope-from <kilobyte@angband.pl>)
        id 1bNMlF-0007IU-CZ; Wed, 13 Jul 2016 18:11:47 +0200
Received: from kilobyte by umbar.angband.pl with local (Exim 4.87)
        (envelope-from <kilobyte@angband.pl>)
        id 1bNMlF-0003mb-0h; Wed, 13 Jul 2016 18:11:45 +0200

And no, censoring Received: headers in mboxes on the web view wouldn't solve problems, as anyone can subscribe to debian-bugs-dist@lists.debian.org and receive all BTS mails as a mailing list.

Then let's take a look at LKML, especially patches submitted via git send-email.

Hmm... perhaps there's nothing that special in this Ubuntu leak?

Should have used open source!

[chuckugly]

They should have hosted this stuff on open source software - it's super secure

Re:Should have used open source!

[LichtSpektren]

They should have hosted this stuff on open source software - it's super secure

This isn't zero-day attack. Whoever was the sysadmin for the Ubuntu forums didn't apply a security patch. The same thing can happen if you don't patch a Microsoft SQL Server.

Re:Should have used open source!

Spin, German Nazi cocksucker, spin that shit!

WRONG, LUDDITE!

They should have used Appdows 10, because only apps can app apps! LUDDITE software like LUDDITE BSD and LUDDITE Linux is what allowed LUDDITE hackers to hack their LUDDITE forums!

Apps!

Maybe they were fully updated?

Maybe they were fully updated...but since they are running Ubuntu, that means that they are still stuck with 2 year old packages.

This is what I hate about Debian and derivatives. It takes forever for them to adopt upstream changes because of their boneheaded definition of stability.

Their packages are stable only in the sense that packages don't get updated, not because they are functional and well behaved. There are plenty of applications that, right now, are broken, while a fix is available from upstream.

Oh sure, they apply "security fixes" from upstream once in a while. But that means that now not only are you running an old version of software, now you also have some untested patches put together by some guy that potentially has no clue what is going on. This usually ends up in tears (remember the Debian openssl fiasco?).

But even when maintainers are paying attention, they still manage to fuck up. They missed (or rather, ignored) the xscreensaver "time bomb" until it became a huge issue, despite the fact that it would jump out at you in a diff (it was a gigantic block of code after all) and the fact that Slackware and Gentoo noticed it about a year before.

So, no more Debian for me. You keep your terrible distro.

Linux!

So cool a security I thought you would enjoy it!

Fitting

That's what happens when you use a Linux distribution that aspires to become Windows.

SSO affected too?

[t4eXanadu]

I log in using SSO. Has my account info been hacked too? If so, that's my main Google account :-(. Time to change some passwords, methinks.

Re:SSO affected too?

Why would you ever use SSO for something on the Internet?!?

Re:SSO affected too?

I log in using SSO. Has my account info been hacked too? If so, that's my main Google account :-(. Time to change some passwords, methinks.

The SSO in use is based on OpenID and stored elsewhere. Your password should be fine, but if you are using the same passwords for more than one site, you should change them regardless.

m,od d0wn

Platform fotr the was at the same

it wuz haxx0rz!

Because informing people of what really happened would be just too burdensome.

Blame Internet Brands

[Lirodon]

Both the recent VerticalScope hack and this have one thing in common: vBulletin. It is a pile of junk, and especially since it was acquired by a firm known as Internet Brands. It is awful software, and a forum about an open source product which uses proprietary components is ethically unsound.

Today's security is tomorrow's breach headline:

16-7: Ubuntu Single Sign On Servers Hacked.

OpenID...

[ADRA]

If only we had common uses of OpenID, compromising services would have essentially zero material benefit for the perpetrators...

SOMEBODY ON THE INSIDE.

Microsoft and CIA (FBI/NSA) have to-and-fro deal.

Quick, make Linux look hackable too, our investors are pissed. Ok!

(Debian has FBI working on some of their teams too, expect same later there)

Open Source

But, but teh Open Source and the "many eyes".

Four million eyeballs to verify software with

They should have hosted this stuff on open source software - it's super secure

Yes, those two million users have four million eyeballs to verify the software with.

They should have used RUST

If they'd RUSTed the forum in RUST the hackers wouldn't have had any chance to RUST through the impenetrable security RUST offers. RUST!!

Why can't these jerks do someting useful?

I guess you need these twits to expose the sloppy practices out there but it would be truly impressive if they could go after AT&T and others for using some of the *sshole collection agencies that spam our cell phone accounts with BS collection calls that don't relate to us. In other words, there are a lot of targets for a public service type of hacking out there. It must be more fun for them to be jerk off twits than to go after public nuisance targets.

Ubuntu is one of the systemds right?

Ubuntu is a systemd right? Like there's Windows, Mac, and Systemd computers? Can it also run Linux, maybe in some kind of VM?

Sigh

[nnull]

Years later, we still deal with SQL injections when it was supposed to be "resolved" by now.

Re:Sigh

Years later, we still deal with SQL injections when it was supposed to be "resolved" by now.

Can't fix stupid.

Why dont they use a mail list?

Stop being weirdos. Nobody wants to create yet another account.

Is it the same as askubuntu.com?

[meadow]

This is not the same forum as askubuntu.com?