vBulletin zero-day KOs Comodo user forums – that's 245,000 accounts at risk of compromise
We told you! We told you to patch! Did you listen?
Security platform vendor Comodo has 'fessed up to a digital break-in affecting 245,000 users – after it ignored line one in the first chapter of the "How to do Basic Security" book about timely patching of software.
Despite the whole world (yup, us too) shouting about the latest zero-day bug in vBulletin forum software, Comodo – whose website currently boasts "Breach Proof Your Business with Our Zero Trust Platform" – failed to update its customer forums.
Consequently, the company was forced to take them offline while red-faced admins installed the latest version, protecting against the zero-day detailed at the link above.
Alongside the routine boilerplate about security being "our highest priority", a Comodo statement published on its newly restored forums admitted:
Very recently a new vulnerability in the vBulletin software, which is one of the most popular server applications for website comments including the Comodo Forums, was made public. Over the weekend at 4:57 am ET on Sunday, September 29, 2019, we became aware that this security flaw in the vBulletin software had been exploited resulting in a potential data breach on the Comodo Forums.
The date on the first link in this article is 24 September, meaning Comodo had five whole days' notice to patch the forum.
Comodo confirmed that its forums, just like every other vBulletin install out there, "contain information such as username, name, e-mail address, last IP used to access the forums and if used, potentially some social media usernames in very limited situations". Comodo added that "all user passwords in the database were stored encrypted."
Those forums currently have around 245,000 registered users by the firm's own admission.
"Encrypted" is the wrong word, strictly speaking: vBulletin's default password protection method hashes passwords with bcrypt, as a Comodo forum post (ho ho, very funny) explains. That is an upgrade from the salted-MD5 scheme (md5 of the md5 of the password, plus a salt) that older vBulletin versions used and that Troy Hunt of Have I Been Pwned fame had a bit of fun cracking back in 2016 with a desktop PC running an elderly Radeon graphics card. bcrypt makes each guess far more expensive, but it does not rescue a weak or reused password, and the leaked email addresses and IP addresses are usable for phishing regardless of how the passwords were stored.
The Reg has asked Comodo if it wants to comment on why, in this instance at least, it isn't leading by example. ®