Ubuntu Forums Hacked! Here Is What the Hacker Stole

The forums of Ubuntu, the most popular Linux distribution, were hacked. The news was reported yesterday by Jane Silber on Ubuntu Insights. Silber confirmed that no passwords were taken in plain text; the attacker obtained only hashed and salted strings, which are of no use to the hacker. However, the hacker did successfully download other user information.

Ubuntu Forums Hacked!

The Ubuntu forum was hacked and the hacker downloaded the information of 2 million users from the users table. User passwords are included in the stolen data, but they are useless to the hacker. All passwords are hashed and salted in the database, so no account login can be processed, but I still recommend changing your password. Other data such as emails, usernames and IPs was also taken. The emails can be used for spam. If you are an Ubuntu forum user, be extra careful from now on when responding to any unknown email.

Known SQL injection vulnerability caused this hack

As Jane Silber reported, somebody claimed to have a copy of the forum database. After the initial investigation, the team confirmed the breach and shut down the forum. The hack was done through a known SQL vulnerability:

“Deeper investigation revealed that there was a known SQL injection vulnerability in the Forumrunner add-on in the Forums which had not yet been patched.”
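
The class of bug named in the quote, next to its fix, as an added example that is not Forumrunner's code or anything from Canonical's report: the table layout, function names and sample rows are constructed for illustration. The first lookup builds its SQL by string concatenation, the second binds the request value as a parameter.

```python
import sqlite3

# Constructed request value containing quote characters (illustrative only).
CRAFTED_INPUT = "nobody' OR '1'='1"


def make_db():
    """In-memory stand-in for a forum users table (constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (username TEXT, email TEXT, ip TEXT, pw_hash TEXT, salt TEXT)"
    )
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
        [
            ("alice", "alice@example.org", "192.0.2.10", "<hash-a>", "<salt-a>"),
            ("bob", "bob@example.org", "192.0.2.11", "<hash-b>", "<salt-b>"),
            ("carol", "carol@example.org", "192.0.2.12", "<hash-c>", "<salt-c>"),
        ],
    )
    return db


def lookup_vulnerable(db, username):
    # Vulnerable: the request value is pasted into the SQL text, so quote
    # characters in it change the structure of the WHERE clause.
    sql = "SELECT username, email, ip FROM users WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, username):
    # Fixed: the value is bound as a parameter and is only ever compared
    # as data; it cannot alter the query.
    sql = "SELECT username, email, ip FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", len(lookup_vulnerable(db, CRAFTED_INPUT)), "rows returned")
    print("parameterized:", len(lookup_parameterized(db, CRAFTED_INPUT)), "rows returned")
```

With the concatenated query a single request returns every row of the table, which matches the read-only exposure of usernames, emails and IPs described in the post; the parameterized query returns nothing for the same input.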

Here is something more shocking for me!

I was more shocked when I read that the team did not detect any hack until the hacker himself claimed to have a copy of the forum database. They mentioned that on 14th July 2016, Canonical’s IS team was notified by a member of the Ubuntu Forum Council that someone was claiming to have a copy of the forum database. I don’t know why, but personally I am more curious to know when the hack actually occurred. Well, I appreciate their policy of being transparent in disclosing this hack to us.

Now things are working properly.

Servers have been backed up and extra security steps have been taken. The vulnerability that caused this hack has also been fixed. All system and database passwords have been reset. A web application firewall, ModSecurity, is now helping to prevent similar attacks.
They have also confirmed what the hacker was never able to access:

  • We know the attacker was NOT able to gain access to any Ubuntu code repository or update mechanism.
  • We know the attacker was NOT able to gain access to valid user passwords.
  • We believe the attacker was NOT able to escalate past remote SQL read access to the Forums database on the Forums database servers.
  • We believe the attacker was NOT able to gain remote SQL write access to the Forums database.
  • We believe the attacker was NOT able to gain shell access on any of the Forums app or database servers.
  • We believe the attacker did NOT gain any access at all to the Forums front end servers.
  • We believe the attacker was NOT able to gain any access to any other Canonical or Ubuntu services.
