Slashdot Mirror


Ubuntu Linux Forums Hacked -- IP Address, Username, Email of 2M Accounts Compromised (betanews.com)

Canonical announced on Friday that the Ubuntu forums have been hacked. The company adds that data such as the IP address, username, and email address of over two million users have been compromised. BetaNews reports: Keep in mind, this does not mean that the operating system has experienced a vulnerability or weakness. The only things affected are the online forums that people use to discuss the OS. Still, such a hack is embarrassing as it happened due to Canonical's failure to install a patch. In a blog post, Jane Silber, Chief Executive Officer of Canonical, said, "after some initial investigation, we were able to confirm there had been an exposure of data and shut down the Forums as a precautionary measure. Deeper investigation revealed that there was a known SQL injection vulnerability in the Forumrunner add-on in the Forums which had not yet been patched."

35 of 85 comments

  1. online forums software can be hard to update by Joe_Dragon · · Score: 1

    online forums software can be hard to update if any mods / plug-ins are in use.

    1. Re:online forums software can be hard to update by dgatwood · · Score: 2

      online forums software can be hard to update if any mods / plug-ins are in use.

      The thing is, you shouldn't need to update them. The biggest problem on the Internet today, IMO, is that so much of our user-facing infrastructure software was written before modern database access techniques, such as the use of parameterized queries.

      In my personal life, the very first thing I do before I install any piece of client-facing software is audit the thing top to bottom, making sure every single SQL query uses parameterized queries, and rewriting any that don't. If the software is too big for this to be practical, it doesn't get installed on my server—a lesson I learned the hard way after a PHPBB instance got vandalized anonymously. As a result, I now use a custom fork of JXBD that replaces every single query with parameterized versions (available on GitHub). It is small enough to be auditable, and as an added bonus, I was able to integrate it more cleanly with my existing login infrastructure.

      If everyone would adopt that same level of caution, all this ancient cruft would get cleaned up pretty quickly, and folks wouldn't need to update their bulletin boards every few weeks to fix the latest SQL injection attack, because the BBSs' SQL access code would be secure by design. I would encourage Ubuntu to similarly systematically rework everything they run on their websites and then contribute fixes upstream so that everybody benefits from their effort.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.
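      As an added illustration of the parameterized-query point made above (example code written for this page, not the commenter's JXBD fork and not any forum software), here is the same login lookup written both ways against an in-memory SQLite table. The schema, the two users and the `alice' --` payload are all constructed for the demo; the `--` comment marker is what lets the concatenated version drop the password check.

```python
import sqlite3

# Constructed sample data: not from the Ubuntu Forums or any real vBulletin schema.
SAMPLE_USERS = [
    ("alice", "correct horse"),
    ("bob", "hunter2"),
]


def setup_db():
    """In-memory SQLite database standing in for a forum's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_unsafe(conn, username, password):
    """The pre-parameterization style: user data is pasted into the command text."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def find_user_safe(conn, username, password):
    """Parameterized: the driver sends the statement and the values separately,
    so nothing the user types can change the shape of the query."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run a legitimate login and an injection attempt through both versions."""
    conn = setup_db()
    legit = ("alice", "correct horse")
    # Classic bypass: "--" turns the rest of the concatenated query into a comment,
    # so the password clause never runs.
    payload = ("alice' --", "anything")
    return {
        "unsafe_legit": find_user_unsafe(conn, *legit),
        "unsafe_payload": find_user_unsafe(conn, *payload),
        "safe_legit": find_user_safe(conn, *legit),
        "safe_payload": find_user_safe(conn, *payload),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

      The parameterized version treats `alice' --` as a literal username that matches nobody, which is the whole point: the fix is structural, not a matter of guessing which characters to strip.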

    2. Re:online forums software can be hard to update by Qzukk · · Score: 1

      The real problem is that if you google for a tutorial, half the tutorials out there were written before modern database access techniques and nobody ever takes them down, so new programmers become "educated stupid" (to borrow from the timecube guy).

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    3. Re:online forums software can be hard to update by The-Ixian · · Score: 1

      I had to search the Internet to know what a parameterized query is.

      I am not a programmer but I have written some web applications in Perl.

      Turns out, I have been using parameterized queries all along for my inserts and updates.

      So, there you go, Internet documentation, at least for Perl's DBI, appears to "educate smart".

      --
      My eyes reflect the stars and a smile lights up my face.
    4. Re:online forums software can be hard to update by dgatwood · · Score: 1

      Certainly, but when those bugs are discovered, they typically get patched automatically as part of your normal OS update schedule, not as a specific patch to the web frontend (which often gets heavily customized for a particular site, and thus are messier to upgrade). And those bugs are hopefully rare.

      As for Drupal, that's actually just another example of the problem I'm describing. A high-level CMS should not provide its own database drivers that construct SQL queries themselves. From a security perspective, IMO, that's really not significantly different from building SQL queries by string concatenation, except that the Drupal solution is cleaner and more general-purpose. It is still a user-facing web front end that is doing its own SQL construction when it could get that functionality almost for free by using code that the PHP core already provides.

      IMO, Drupal should be working with various groups that provide the drivers that are built into PHP already, adding features as needed to support their requirements, with the goal of eventually removing their own drivers entirely. Every time you reinvent the wheel, you significantly increase the risk of adding bugs. More code requires more maintainers, and there are only so many people who care about improving SQL drivers. Thus, the more SQL drivers available for each SQL implementation, the lower quality each one will be. And if every large web service provided its own driver, you'd have hundreds of these things, each with its own bugs.

      This really is one of those areas where less is more. I'll give Drupal a partial pass for now, because they were doing this back in a day when parameterized queries probably weren't supported in the PHP core. But in the long run, all that custom driver code needs to die and be replaced with one of the standard drivers. From a security perspective, that's the only approach that really makes sense.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  2. Fantastic by subk · · Score: 2

    Love the metadata on the image they used in TFA: "Hacker desk laptop hoodie hacking hooded". I guess a white dude with facial hair and a hoodie is automatically "hacking" if he has a laptop out.

    --
    Now, if you'll excuse me, I have backups to corrupt.
    1. Re:Fantastic by KiloByte · · Score: 1

      Crap, a hoodie! I knew I've forgotten something in order to be a real hacker!

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    2. Re:Fantastic by antdude · · Score: 1

      They should have used Mr. Robot's Elliot Alderson then. :P

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  3. I'm going to sue ... by CaptainDork · · Score: 2

    ... those bastards.

    On a related note, my lawyer wants to know what the terms, "ubuntu," and "linux," and "forum," mean.

    Help here, please?

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:I'm going to sue ... by Errol+backfiring · · Score: 1

      "Ubuntu" means "I am because you are", "Linux" is an open source operating system and a "forum" is a place where people get together. In other words, this is all about sharing. In this case they shared passwords, even without trying to. Your point is ...?

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
    2. Re:I'm going to sue ... by 110010001000 · · Score: 1

      Linux is a kernel. There are no people on a forum, just HTML.

    3. Re:I'm going to sue ... by dgatwood · · Score: 1

      So I am a kernel because you are HTML?

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    4. Re:I'm going to sue ... by dcollins117 · · Score: 4, Informative

      Ubuntu is an ancient African word meaning "I couldn't figure out how to install Debian."

      I know it's old, but that's one of my favorite jokes.

  4. I am pretty happy with this by HBI · · Score: 1

    I read TFA and it seems like they had some good practices in place. True, there was some contiguous PII released that could be used, along with other data, to identify someone. That said, they didn't lose any passwords.

    Good on them. Sure, getting hit sucks, but this could have been a lot worse.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
  5. Re:Too Bad They Used Linux by LichtSpektren · · Score: 5, Informative

    The vulnerability was an SQL injection. The operating system had nothing to do with it.

  6. Re:Again? by NotInHere · · Score: 1

    But this time, the attackers haven't got any passwords. From the announcement:

    No active passwords were accessed; the passwords stored in this table were random strings as the Ubuntu Forums rely on Ubuntu Single Sign On for logins.

  7. hackme.houghi.org by houghi · · Score: 1

    I hope they were not able to link my domain http://hackme.houghi.org/ to my IP address, because that would mean I am extremely hackable.

    --
    Don't fight for your country, if your country does not fight for you.
    1. Re:hackme.houghi.org by KiloByte · · Score: 1

      Leaked IP address, username and email address. Hmm... Let's take a look at any Debian bug report submitted using reportbug:

      From kilobyte@angband.pl Wed Jul 13 16:11:52 2016
      Received: (at submit) by bugs.debian.org; 13 Jul 2016 16:11:52 +0000
      [...]
      Received: from tartarus.angband.pl ([2a03:9300:10::8])
              by buxtehude.debian.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
              (Exim 4.84_2)
              (envelope-from <kilobyte@angband.pl>)
              id 1bNMlM-0000VI-F4
              for submit@bugs.debian.org; Wed, 13 Jul 2016 16:11:52 +0000
      Received: from umbar.angband.pl ([2001:6a0:118::6])
              by tartarus.angband.pl with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
              (Exim 4.84_2)
              (envelope-from <kilobyte@angband.pl>)
              id 1bNMlF-0007IU-CZ; Wed, 13 Jul 2016 18:11:47 +0200
      Received: from kilobyte by umbar.angband.pl with local (Exim 4.87)
              (envelope-from <kilobyte@angband.pl>)
              id 1bNMlF-0003mb-0h; Wed, 13 Jul 2016 18:11:45 +0200

      And no, censoring Received: headers in mboxes on the web view wouldn't solve problems, as anyone can subscribe to debian-bugs-dist@lists.debian.org and receive all BTS mails as a mailing list.

      Then let's take a look at LKML, especially patches submitted via git send-email.

      Hmm... perhaps there's nothing that special in this Ubuntu leak?

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
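      As an added example (written for this page, not the commenter's), here is a small parser that pulls exactly the data the commenter lists (envelope sender, local username, originating hosts and their IPs) out of the `Received:` chain quoted above. The sample input is the excerpt's own header block with the mbox `From ` line and the `[...]` elision left out; the regular expressions target the Exim header forms visible in that excerpt and would need adjusting for other MTAs.

```python
import email
import re

# Received headers copied from the bug-report excerpt quoted above; the mbox
# "From " line and the "[...]" elision are left out so the text parses as a
# plain RFC 5322 header block.
SAMPLE_HEADERS = """\
Received: (at submit) by bugs.debian.org; 13 Jul 2016 16:11:52 +0000
Received: from tartarus.angband.pl ([2a03:9300:10::8])
        by buxtehude.debian.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
        (Exim 4.84_2)
        (envelope-from <kilobyte@angband.pl>)
        id 1bNMlM-0000VI-F4
        for submit@bugs.debian.org; Wed, 13 Jul 2016 16:11:52 +0000
Received: from umbar.angband.pl ([2001:6a0:118::6])
        by tartarus.angband.pl with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
        (Exim 4.84_2)
        (envelope-from <kilobyte@angband.pl>)
        id 1bNMlF-0007IU-CZ; Wed, 13 Jul 2016 18:11:47 +0200
Received: from kilobyte by umbar.angband.pl with local (Exim 4.87)
        (envelope-from <kilobyte@angband.pl>)
        id 1bNMlF-0003mb-0h; Wed, 13 Jul 2016 18:11:45 +0200

"""

# "from <host> ([<ip>]) by <host>" is Exim's form for a hop received over TCP.
TCP_HOP_RE = re.compile(r"from\s+(\S+)\s+\(\[([^\]]+)\]\)\s+by\s+(\S+)")
# "from <user> by <host> with local" is Exim's form for a locally submitted message.
LOCAL_HOP_RE = re.compile(r"from\s+(\S+)\s+by\s+(\S+)\s+with\s+local\b")
ENVELOPE_RE = re.compile(r"envelope-from\s+<([^>]+)>")


def trace_hops(raw_headers):
    """Return the Received chain oldest hop first, one dict per hop."""
    msg = email.message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())  # unfold the continuation lines
        m = TCP_HOP_RE.search(value)
        if m:
            hops.append({"from": m.group(1), "ip": m.group(2), "by": m.group(3)})
            continue
        m = LOCAL_HOP_RE.search(value)
        if m:
            hops.append({"from": m.group(1), "ip": None, "by": m.group(2)})
    hops.reverse()  # each MTA prepends its header, so the last one is the origin
    return hops


def leaked_identity(raw_headers):
    """Summarise what the chain gives away: sender address, local user and host, IPs."""
    msg = email.message_from_string(raw_headers)
    senders = set()
    for value in msg.get_all("Received", []):
        m = ENVELOPE_RE.search(value)
        if m:
            senders.add(m.group(1))
    hops = trace_hops(raw_headers)
    origin = hops[0] if hops else None
    local = origin if origin and origin["ip"] is None else None
    return {
        "envelope_from": sorted(senders),
        "origin_user": local["from"] if local else None,
        "origin_host": local["by"] if local else None,
        "ips": [h["ip"] for h in hops if h["ip"]],
    }


if __name__ == "__main__":
    for key, val in leaked_identity(SAMPLE_HEADERS).items():
        print(f"{key}: {val}")
```

      Running it on the excerpt yields the local user `kilobyte` on `umbar.angband.pl`, the envelope sender, and the two IPv6 addresses of the submitting hosts, which is the same triple the forum leak is being criticised for.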
  8. Re:Yeah right by sgage · · Score: 1

    Paul Thurrott, is that you?

  9. Should have used open source! by chuckugly · · Score: 1

    They should have hosted this stuff on open source software - it's super secure

    1. Re:Should have used open source! by LichtSpektren · · Score: 1

      They should have hosted this stuff on open source software - it's super secure

      This isn't a zero-day attack. Whoever was the sysadmin for the Ubuntu forums didn't apply a security patch. The same thing can happen if you don't patch a Microsoft SQL Server.

  10. Re:Too Bad They Used Linux by Anonymous Coward · · Score: 1, Funny

    They should have used SQL Server instead of MySQL.

  11. Re:Too Bad They Used Linux by hideki.adam · · Score: 1

    It has nothing to do with that either.

    It's to do with inputs not being sanitized AGAIN, at a guess. Wouldn't matter which SQL it was if the code was written by a crack-addicted monkey with no concept of security (which apparently it was).

  12. SSO affected too? by t4eXanadu · · Score: 1

    I log in using SSO. Has my account info been hacked too? If so, that's my main Google account :-(. Time to change some passwords, methinks.

  13. Blame Internet Brands by Lirodon · · Score: 1

    Both the recent VerticalScope hack and this have one thing in common: vBulletin. It is a pile of junk, and especially since it was acquired by a firm known as Internet Brands. It is awful software, and a forum about an open source product which uses proprietary components is ethically unsound.

  14. Re:Too Bad They Used Linux by CajunArson · · Score: 1

    Yeah, if that level of granularity was used every time there was a security vulnerability related to software that runs on Windows then it might be relevant.

    Not to mention the fact that Ubuntu isn't linux: It's a linux distribution that expressly provides an entire software stack, including the software that got hacked here.

    --
    AntiFA: An abbreviation for Anti First Amendment.
  15. OpenID... by ADRA · · Score: 1

    If only we had common uses of OpenID, compromising services would have essentially zero material benefit for the perpetrators...

    --
    Bye!
  16. Re:Too Bad They Used Linux by perpenso · · Score: 2, Informative

    Yeah, if that level of granularity was used every time there was a security vulnerability related to software that runs on Windows then it might be relevant.

    Not to mention the fact that Ubuntu isn't linux: It's a linux distribution that expressly provides an entire software stack, including the software that got hacked here.

    Don't be obtuse. "Linux" is most commonly used to refer to the complete server or desktop environment. When Linux fans are championing and encouraging people to switch their server or desktop to Linux they are referring to the entire environment, not merely the kernel. Just as when Windows gets hacked and it's something in the "software stack" and not the kernel itself, often something from a 3rd party, not Microsoft. As a matter of fact, when the only "Linux" thing in an environment is the Linux kernel we tend not to call it "Linux" at all, for example Android. So don't start with this "Linux" only refers to the kernel nonsense; that is not how the word is used, and that includes within the Linux community.

  17. Re:Too Bad They Used Linux by AlphaBro · · Score: 3, Insightful

    The right sentiment, but not entirely true, actually. Some SQL injection bugs are only exploitable when a specific dialect of SQL is used under the hood. Some support query stacking (MSSQL), while others don't by default. Some allow for easy creation of files on the server's filesystem (MySQL), some don't. It's not exactly the norm, but also not uncommon for the behavior of a SQL dialect to mitigate a vulnerability. Not that one should rely on such behaviors for security, but it can assist. That's not to say this is a case where a different version of SQL would have helped, of course. I haven't looked at the details.
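    The query-stacking point above, as an added example (written for this page, not the commenter's code) using Python's sqlite3 module: the same concatenated, injectable lookup is fed a payload that tries to append a `DROP TABLE`, once through `Cursor.execute`, which the binding limits to a single statement per call, and once through `executescript`, which runs every statement in the string. The table, the data and the payload are made up for the demo; the point is that the outcome is decided by the driver, not by the application code.

```python
import sqlite3

# Constructed payload: closes the string, appends a DROP, and opens a harmless
# final statement so the concatenated text stays syntactically complete.
STACKED_PAYLOAD = "x'; DROP TABLE users; SELECT '"


def fresh_db():
    """In-memory database with one table the payload tries to drop."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice')")
    conn.commit()
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def lookup_vulnerable(conn, username, allow_stacking):
    """Deliberately injectable lookup: the value is concatenated into the SQL.

    allow_stacking=False sends it through execute(), which accepts exactly one
    statement per call; True sends it through executescript(), which runs all
    statements in the string.
    """
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    if allow_stacking:
        conn.executescript(sql)
        return "executed"
    try:
        conn.execute(sql)
        return "executed"
    except (sqlite3.Warning, sqlite3.ProgrammingError) as exc:
        # The binding rejects multi-statement text before running any of it;
        # the exception class differs between Python versions, hence both.
        return "rejected: " + str(exc)


def demo():
    """Run the payload both ways; returns {stacking_allowed: (outcome, table survives)}."""
    results = {}
    for stacking in (False, True):
        conn = fresh_db()
        outcome = lookup_vulnerable(conn, STACKED_PAYLOAD, allow_stacking=stacking)
        results[stacking] = (outcome, table_exists(conn, "users"))
    return results


if __name__ == "__main__":
    for stacking, (outcome, alive) in demo().items():
        print("stacking allowed:", stacking, "|", outcome, "| users table survives:", alive)
```

    The injection is equally present in both paths; only the driver's refusal to run a second statement keeps the table in the first case. A different backend, driver or call would remove that accidental protection, which is why the commenter is right that it should not be relied on.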

  18. Re:Too Bad They Used Linux by LichtSpektren · · Score: 1

    Yeah, if that level of granularity was used every time there was a security vulnerability related to software that runs on Windows then it might be relevant.

    Not to mention the fact that Ubuntu isn't linux: It's a linux distribution that expressly provides an entire software stack, including the software that got hacked here.

    SQL injections have nothing to do with the platform you're running them on. It's a result of sloppy programming. The same thing can happen on just about every OS and every SQL daemon.

    You might have a point about Windows being unfairly maligned if it weren't for e.g. Internet Explorer being so thoroughly integrated into the OS that its vulnerabilities in the browser can be exploited even if the user doesn't use it.

  19. Re:Too Bad They Used Linux by LichtSpektren · · Score: 1

    Ah yes, here come the Linux apologists trying to deflect any blame from Teh Liuxxxx!!!!!!

    That's a fair point, since Microsoft's products are totally immune to SQL injection -- oh wait, no they're not, you knob.

  20. Sigh by nnull · · Score: 1

    Years later, we still deal with SQL injections when it was supposed to be "resolved" by now.

  21. Is it the same as askubuntu.com? by meadow · · Score: 1

    This is not the same forum as askubuntu.com?

  22. Re:Too Bad They Used Linux by Bengie · · Score: 2

    If you think sanitizing inputs protects against SQL injection, I have a bridge to sell you. You need to parameterize/prepare your inputs, which separates your commands from your data. If your inputs cannot change your commands, then all is well.

  23. Re:Too Bad They Used Linux by Bengie · · Score: 1

    Nice link on how not to use MS SQL correctly. General rule of thumb: you can't fix stupid. They will always find a way to use a tool incorrectly.