Hackers have become more sophisticated, forcing firms that handle large amounts of user data (passwords and user names) to build well-fortified defenses to guard the valuable data stored in their servers and databases.
Despite huge efforts, including investments of time and money, hackers always seem to find loopholes to exploit, as was the case with a recent security breach experienced by Canonical on its Forums database.
On Friday, 14 July, the Ubuntu Forums database was compromised by a hacker who managed to gain unauthorized access, blazing past the security barriers put in place to deal with situations like this.
Canonical immediately launched an investigation to determine the actual point of the attack and how much user data was compromised. It was confirmed that someone did gain access to the Forums database through an attack that occurred at 20:33 UTC on July 14, 2016, and that the attacker did so by injecting specially formatted SQL into the database servers housing the Ubuntu Forums.
“Deeper investigation revealed that there was a known SQL injection vulnerability in the Forumrunner add-on in the Forums which had not yet been patched,” said Jane Silber, Canonical CEO. “This gave them the ability to read from any table but we believe they only ever read from the ‘user’ table.”
According to the report posted on insights.ubuntu.com, the attacker's efforts gave them the ability to read from any table, but further investigation led the team to believe that they only read from the "user" table.
This access allowed the attacker to download a "portion" of the user table, which contained usernames, email addresses and IPs belonging to over two million users. Canonical reassured everyone that no active passwords were accessed, because the passwords stored in the table were random strings and the Ubuntu Forums uses what is called "Single Sign On" for user logins.
The attacker did download the respective random strings but fortunately, those strings were salted. To put everyone at ease, Canonical said that the attacker was not able to access the Ubuntu code repository, the update mechanism, any valid user password, or gain remote SQL write access to the database.
Furthermore, the attacker was not able to gain access to any of the following: Ubuntu Forums app, the front-end servers, or any other Ubuntu or Canonical services.
To prevent such breaches in the future, Canonical installed ModSecurity, a Web Application Firewall, on the forums and improved the monitoring of vBulletin.