The Hacking of Ubuntu Linux Forums: Lessons Learned
News Analysis: Two million usernames and emails were exposed after the breach of unpatched forum software. Here's what happened and what we should learn from it.Ubuntu Linux is one of the most popular Linux distributions in use today, making its users an attractive target for hackers. In an attack that was officially confirmed on July 15, Canonical, the lead commercial vendor behind Ubuntu Linux, revealed that its Ubuntu Forums user community was hacked, and the attacker gained unauthorized access to a database of 2 million users. Although an attacker was able to gain access to the user database, the access was somewhat limited and didn't directly expose any valid user passwords, according to Canonical CEO Jane Silber. "We know the attacker was not able to gain access to any Ubuntu code repository or update mechanism," Silber wrote in a blog post. "We know the attacker was not able to gain access to valid user passwords." What the attacker was able to access was the ability to read any information in the user forums database tables. However, Canonical's analysis is that the attacker only accessed the user table in the database, Silber said. With the database access, the attacker was able to download usernames, email addresses and IP addresses for 2 million users. The Ubuntu user forums make use of the Ubuntu single sign-on approach, which did not store user passwords in the forums database. Rather, the password credentials for users were present in the user database as random strings of data.
Canonical determined the root cause of the Ubuntu forums breach to be a known SQL injection vulnerability in the Forumrunner add-on for the vBulletin forum software. Though Canonical is constantly updating its Ubuntu software, apparently the organization had neglected to update Forumrunner and vBulletin to be up-to-date with the latest patches.