Slashdot Mirror


Ubuntu Linux Forums Hacked -- IP Address, Username, Email of 2M Accounts Compromised (betanews.com)

Canonical announced on Friday that Ubuntu forums have been hacked. The company adds that data such as IP address, username, and email address of over two million users have been compromised. BetaNews reports: Keep in mind, this does not mean that the operating system has experienced a vulnerability or weakness. The only thing affected are the online forums that people use to discuss the OS. Still, such a hack is embarrassing as it happened due to Canonical's failure to install a patch. In a blog post, Jane Silber, Chief Executive Officer, Canonical said, "after some initial investigation, we were able to confirm there had been an exposure of data and shut down the Forums as a precautionary measure. Deeper investigation revealed that there was a known SQL injection vulnerability in the Forumrunner add-on in the Forums which had not yet been patched."

8 of 85 comments

  1. Fantastic by subk · · Score: 2

    Love the metadata on the image they used in TFA: "Hacker desk laptop hoodie hacking hooded". I guess a white dude with facial hair and a hoodie is automatically "hacking" if he has a laptop out.

    --
    Now, if you'll excuse me, I have backups to corrupt.
  2. I'm going to sue ... by CaptainDork · · Score: 2

    ... those bastards.

    On a related note, my lawyer wants to know what the terms, "ubuntu," and "linux," and "forum," mean.

    Help here, please?

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:I'm going to sue ... by dcollins117 · · Score: 4, Informative

      Ubuntu is an ancient African word meaning "I couldn't figure out how to install Debian."

      I know it's old, but that's one of my favorite jokes.

  3. Re:Too Bad They Used Linux by LichtSpektren · · Score: 5, Informative

    The vulnerability was an SQL injection. The operating system had nothing to do with it.

  4. Re:online forums software can be hard to update by dgatwood · · Score: 2

    online forum software can be hard to update if any mods / plug-ins are in use.

    The thing is, you shouldn't need to update them. The biggest problem on the Internet today, IMO, is that so much of our user-facing infrastructure software was written before modern database access techniques, such as the use of parameterized queries.

    In my personal life, the very first thing I do before I install any piece of client-facing software is audit the thing top to bottom, making sure every single SQL query uses parameterized queries, and rewriting it when I see them. If the software is too big for this to be practical, it doesn't get installed on my server—a lesson I learned the hard way after a PHPBB instance got vandalized anonymously. As a result, I now use a custom fork of JXBD that replaces every single query with parameterized versions (available on GitHub). It is small enough to be auditable, and as an added bonus, I was able to integrate it more cleanly with my existing login infrastructure.

    If everyone would adopt that same level of caution, all this ancient cruft would get cleaned up pretty quickly, and folks wouldn't need to update their bulletin boards every few weeks to fix the latest SQL injection attack, because the BBSs' SQL access code would be secure by design. I would encourage Ubuntu to similarly systematically rework everything they run on their websites and then contribute fixes upstream so that everybody benefits from their effort.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  5. Re:Too Bad They Used Linux by perpenso · · Score: 2, Informative

    Yeah, if that level of granularity was used every time there was a security vulnerability related to software that runs on Windows then it might be relevant.

    Not to mention the fact that Ubuntu isn't linux: It's a linux distribution that expressly provides an entire software stack, including the software that got hacked here.

    Don't be obtuse. "Linux" is most commonly used to refer to the complete server or desktop environment. When Linux fans are championing and encouraging people to switch their server or desktop to Linux, they are referring to the entire environment, not merely the kernel. Just as when Windows gets hacked and it's something in the "software stack" and not the kernel itself, often something from a third party, not Microsoft. As a matter of fact, when the only "Linux" thing in an environment is the Linux kernel we tend not to call it "Linux" at all, for example Android. So don't start with this "Linux" only refers to the kernel nonsense; that is not how the word is used, and that includes within the Linux community.

  6. Re:Too Bad They Used Linux by AlphaBro · · Score: 3, Insightful

    The right sentiment, but not entirely true, actually. Some SQL injection bugs are only exploitable when a specific dialect of SQL is used under the hood. Some support query stacking (MSSQL), while others don't by default. Some allow for easy creation of files on the server's filesystem (MySQL), some don't. It's not exactly the norm, but also not uncommon for the behavior of a SQL dialect to mitigate a vulnerability. Not that one should rely on such behaviors for security, but it can assist. That's not to say this is a case where a different version of SQL would have helped, of course. I haven't looked at the details.

  7. Re:Too Bad They Used Linux by Bengie · · Score: 2

    If you think sanitizing inputs protects against SQL injection, I have a bridge to sell you. You need to parameterize/prepare your inputs, which separates your commands from your data. If your inputs cannot change your commands, then all is well.
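Both dgatwood's audit-every-query rule and Bengie's point that bound data cannot change the command, as an added example that is not from any commenter or from the forum software in question: a concatenated lookup beside a parameterized one against a constructed SQLite user table, plus a small AST audit that flags execute() calls whose SQL text is assembled at runtime. The table rows, SAMPLE_SOURCE and every function name here are constructed for this illustration.

```python
import ast, sqlite3

def make_db():
    # Constructed in-memory stand-in for a forum's user table (sample rows, not breach data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.org"), ("O'Brien", "obrien@example.org")])
    return conn

def lookup_concatenated(conn, username):
    # The pattern to audit out: the input is spliced into the SQL text, so the
    # database's parser reads the input as part of the command.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = '" + username + "'").fetchall()

def lookup_parameterized(conn, username):
    # The statement is compiled with a placeholder; the value is bound afterwards
    # and is only ever treated as data, never as SQL.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)).fetchall()

def compare(username):
    """Return (concatenated_result, parameterized_result) for one input."""
    conn = make_db()
    try:
        concat = lookup_concatenated(conn, username)
    except sqlite3.OperationalError as exc:
        concat = "error: " + str(exc)  # the data altered the command's structure
    return concat, lookup_parameterized(conn, username)

def audit_sql_calls(source):
    """Line numbers of execute()/executemany() calls whose SQL text is assembled
    at runtime (concatenation, %-formatting or f-strings) rather than a literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany") and node.args
                and isinstance(node.args[0], (ast.BinOp, ast.JoinedStr))):
            findings.append(node.lineno)
    return findings

# Constructed snippet in the style of old board code, used as audit input.
SAMPLE_SOURCE = '''
cur.execute("SELECT * FROM posts WHERE id = " + post_id)
cur.execute("SELECT * FROM posts WHERE id = %s" % post_id)
cur.execute(f"SELECT * FROM posts WHERE author = '{name}'")
cur.execute("SELECT * FROM posts WHERE id = ?", (post_id,))
'''
```

A legitimate apostrophe in "O'Brien" is enough to break the concatenated query while the parameterized one returns the row; the audit flags only the three runtime-built calls in SAMPLE_SOURCE.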