Social Engineered, a forum that bills itself as dedicated to the “Art of Human Hacking,” may have been given a dose of its own medicine: in mid-June, its user data was leaked and dumped on a rival forum.
On Thursday, the founder of Social Engineered, who goes by the username Snow101, confirmed the breach, blaming a MyBB vulnerability:
MyBB had a vulnerability yet again and the site got breached along with other websites using MyBB. We moved over to XenForo. I suggest changing your passwords immediately.
MyBB is open-source, free software used to create and run online forums.
Snow101 said that Social Engineered has now moved over to the XenForo platform to try to avoid a repeat of the data breach. The forum owner is also looking for contributions: Snow101 asked members to voluntarily chip in to help in the shift from a free, open-source project to a commercial forum.
According to Bleeping Computer, whoever’s behind the leak posted that they had “uploaded the full database and root directory of this website.”
MyBB’s MyBad month
MyBB has had a shaky month. It was one of the many CMSs (content management systems) that researchers recently found weren’t storing passwords securely. They found that MyBB, along with a dozen others, was using the now obsolete MD5 hashing function.
Weak password hashing couldn’t have caused the breach at Social Engineered, but it might make the consequences of the breach much worse as hackers make light work of cracking the site’s exposed password database.
However, a bug that could lead to a catastrophic site breach was discovered earlier this month. MyBB released updates that fixed vulnerabilities in version 1.8.20 and older that could have allowed a remote attacker to get complete control over a site and, potentially, the server.
RIPS Technologies researchers had discovered two security vulnerabilities in the code – a stored XSS vulnerability caused by a parsing error in posts and private messages, and an authenticated Remote Code Execution (RCE) vulnerability that can be exploited by administrators of a forum. Chain them together, and taking over a user account is a snap, they said:
An attacker merely needs a user account on a target forum to send an admin a private message containing malicious JavaScript code, which exploits the RCE vulnerability. This leads to a full remote takeover of a target board by an attacker, as soon as an administrator who is at the same time authenticated in the backend context opens the malicious PM. No further user interaction is required.
A lot of worried hackers
According to a post on Have I Been Pwned, the breach happened on 13 June 2019. The data, lifted from 89,392 compromised accounts covering a total of 55,121 users, included usernames, private messages, IP addresses and passwords, which were stored as salted MD5 hashes.
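The two passages above (MD5 password storage, and the salted MD5 hashes in the dump) are where the damage from a breach like this gets decided: a fast hash lets an attacker run through a leaked table quickly, a slow, salted key-derivation function does not. The snippet below is an added example, not code from the article, from MyBB or from the forum, showing the usual defensive fix: verify logins against the legacy hash, and rewrite the record to PBKDF2-HMAC-SHA256 the moment a user logs in successfully. The legacy construction md5(md5(salt) + md5(password)) is my understanding of how MyBB 1.8 builds its hashes, and the record field names and the 600,000 iteration count are assumptions of this example.

```python
import hashlib
import hmac
import os

# Legacy scheme: salted MD5 composed the way MyBB 1.8 does it, as far as I know
# (an assumption about the exact construction; the article only says "salted MD5"):
#   md5( md5(salt) + md5(password) )
def legacy_md5_hash(password: str, salt: str) -> str:
    inner = hashlib.md5(salt.encode()).hexdigest() + hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5(inner.encode()).hexdigest()

# Replacement scheme: PBKDF2-HMAC-SHA256 with a per-user random salt.
# 600,000 iterations follows the OWASP recommendation; tune it to your hardware budget.
PBKDF2_ITERATIONS = 600_000

def pbkdf2_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_pbkdf2(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison

def verify_and_upgrade(record: dict, password: str) -> bool:
    """Check a login against a user record. On success, a record still holding a
    legacy salted-MD5 hash is rewritten in place to PBKDF2, so the weak hash is
    retired the next time the user logs in. Returns True if the password matched."""
    if record["scheme"] == "pbkdf2_sha256":
        return verify_pbkdf2(password, record["hash"])
    if record["scheme"] == "legacy_md5":
        expected = legacy_md5_hash(password, record["salt"])
        if not hmac.compare_digest(expected, record["hash"]):
            return False
        record["scheme"] = "pbkdf2_sha256"
        record["hash"] = pbkdf2_hash(password, os.urandom(16))
        record.pop("salt", None)  # the salt now lives inside the PBKDF2 string
        return True
    raise ValueError(f"unknown password scheme: {record['scheme']}")

def legacy_count(records) -> int:
    """How many accounts still hold a fast-to-crack legacy hash (what a dump would expose)."""
    return sum(1 for r in records if r["scheme"] == "legacy_md5")

# Constructed sample record in the legacy format (not real user data).
SAMPLE_USER = {"name": "alice", "scheme": "legacy_md5", "salt": "k3Fz9Q1a",
               "hash": legacy_md5_hash("correct horse battery", "k3Fz9Q1a")}
```

Accounts that never log in again keep their legacy hash, so `legacy_count` is the number to watch and the reason a forced password reset is the usual companion to this migration.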
Poetic justice?
If all an attacker had to do was get an account on the forum and then send a malicious link in an email to an admin, who then – delicious irony alert – opens it and triggers a takeover, does that mean that Social Engineered got socially engineered by an attacker using the RIPS Technologies chain of flaws?
We can’t say for sure what happened, unless the social engineers engineer their mouths open and spill the beans.