Ubuntu Linux Forums Hacked -- IP Address, Username, Email of 2M Accounts Compromised (betanews.com)
Canonical announced on Friday that Ubuntu forums have been hacked. The company adds that data such as IP address, username, and email address of over two million users have been compromised. BetaNews reports: Keep in mind, this does not mean that the operating system has experienced a vulnerability or weakness. The only thing affected are the online forums that people use to discuss the OS. Still, such a hack is embarrassing as it happened due to Canonical's failure to install a patch. In a blog post, Jane Silber, Chief Executive Officer, Canonical said, "after some initial investigation, we were able to confirm there had been an exposure of data and shut down the Forums as a precautionary measure. Deeper investigation revealed that there was a known SQL injection vulnerability in the Forumrunner add-on in the Forums which had not yet been patched."
Re:Too Bad They Used Linux (Score:5, Informative)
Re: (Score:1, Funny)
They should have used SQL Server instead of MySQL.
Re: (Score:1)
It's to do with inputs not being sanitized AGAIN, at a guess. Wouldn't matter which SQL it was if the code was written by a crack-addicted monkey with no concept of security (which apparently it was).
Re:Too Bad They Used Linux (Score:4, Insightful)
Re: (Score:3)
Is it the same as askubuntu.com? (Score:1)
This is not the same forum as askubuntu.com?
Re: (Score:2)
Ah yes, here comes the Linux apologists trying to deflect any blame from Teh Liuxxxx!!!!!!
That's a fair point, since Microsoft's products are totally immune to SQL injection -- oh wait, no they're not, you knob. [microsoft.com]
Re: (Score:2)
Re: (Score:2)
Yeah, if that level of granularity was used every time there was a security vulnerability related to software that runs on Windows then it might be relevant.
Not to mention the fact that Ubuntu isn't Linux: It's a Linux distribution that expressly provides an entire software stack, including the software that got hacked here.
Re: (Score:3, Informative)
Yeah, if that level of granularity was used every time there was a security vulnerability related to software that runs on Windows then it might be relevant.
Not to mention the fact that Ubuntu isn't Linux: It's a Linux distribution that expressly provides an entire software stack, including the software that got hacked here.
Don't be obtuse. "Linux" is most commonly used to refer to the complete server or desktop environment. When Linux fans are championing and encouraging people to switch their server or desktop to Linux they are referring to the entire environment, not merely the kernel. Just as when Windows gets hacked and it's something in the "software stack" and not the kernel itself, often something from a 3rd party, not Microsoft. Matter of fact, when the only "Linux" thing in an environment is the Linux kernel we tend not
Re: (Score:2)
Yeah, if that level of granularity was used every time there was a security vulnerability related to software that runs on Windows then it might be relevant.
Not to mention the fact that Ubuntu isn't Linux: It's a Linux distribution that expressly provides an entire software stack, including the software that got hacked here.
SQL injections have nothing to do with the platform you're running them on. It's a result of sloppy programming. The same thing can happen on just about every OS and every SQL daemon.
You might have a point about Windows being unfairly maligned if it weren't for e.g. Internet Explorer being so thoroughly integrated into the OS that its vulnerabilities in the browser can be exploited even if the user doesn't use it.
online forums software can be hard to update (Score:2)
Online forum software can be hard to update if any mods / plug-ins are in use.
Re: (Score:3)
The thing is, you shouldn't need to update them. The biggest problem on the Internet today, IMO, is that so much of our user-facing infrastructure software was written before modern database access techniques, such as the use of parameterized queries.
In my personal life, the very first thing I do before I install any piece of client-facing software is audit the thing top to bottom, making sure every single SQL query uses parame
Re: (Score:2)
The real problem is that if you google for a tutorial, half the tutorials out there were written before modern database access techniques and nobody ever takes them down, so new programmers become "educated stupid" (to borrow from the timecube guy).
Re: (Score:2)
I had to search the Internet to know what a parameterized query is.
I am not a programmer but I have written some web applications in Perl.
Turns out, I have been using parameterized queries all along for my inserts and updates.
So, there you go, Internet documentation, at least for Perl's DBI, appears to "educate smart".
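The point the parameterized-query comments above are making, as an added example that is not code from any poster: the same lookup written by splicing input into the SQL text and written with a bound parameter, run against a constructed in-memory SQLite table (the usernames, emails and addresses are invented; the column set just mirrors what the announcement says leaked).

```python
import sqlite3

# Constructed sample rows, not data from the breach.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "203.0.113.10"),
    ("bob", "bob@example.com", "203.0.113.11"),
    ("carol", "carol@example.com", "203.0.113.12"),
]


def make_db():
    """Build a throwaway in-memory table shaped like a forum user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, email TEXT, ip TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    # The untrusted value becomes part of the SQL text, so a quote in it
    # changes the query's structure rather than just the compared value.
    sql = "SELECT username, email, ip FROM user WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # The SQL text is fixed; the driver passes the value separately, so it is
    # only ever compared as a string, whatever characters it contains.
    sql = "SELECT username, email, ip FROM user WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Return (rows from the string-built query, rows from the bound query)."""
    conn = make_db()
    return lookup_vulnerable(conn, username), lookup_parameterized(conn, username)


if __name__ == "__main__":
    # A value containing a quote: one query leaks every row, the other none.
    vuln, safe = compare("x' OR '1'='1")
    print(len(vuln), "rows from the string-built query")
    print(len(safe), "rows from the parameterized query")
```

For an ordinary username both functions return the same single row; the difference only shows once the input contains SQL syntax, which is exactly the case an audit for unparameterized queries is looking for.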
Re: (Score:2)
Certainly, but when those bugs are discovered, they typically get patched automatically as part of your normal OS update schedule, not as a specific patch to the web frontend (which often gets heavily customized for a particular site, and thus are messier to upgrade). And those bugs are hopefully rare.
As for Drupal, that's actually just another example of the problem I'm describing. A high-level CMS should not provide its own database drivers that construct SQL queries themselves. From a security perspe
Fantastic (Score:3)
Re: (Score:2)
Crap, a hoodie! I knew I'd forgotten something in order to be a real hacker!
Re: (Score:2)
They should have used Mr. Robot's Elliot Alderson then. :P
I'm going to sue ... (Score:3)
... those bastards.
On a related note, my lawyer wants to know what the terms, "ubuntu," and "linux," and "forum," mean.
Help here, please?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
So I am a kernel because you are HTML?
Re:I'm going to sue ... (Score:5, Informative)
Ubuntu is an ancient African word meaning "I couldn't figure out how to install Debian."
I know it's old, but that's one of my favorite jokes.
Re: (Score:2)
Re: (Score:2)
But this time, the attackers haven't got any passwords. From the announcement:
No active passwords were accessed; the passwords stored in this table were random strings as the Ubuntu Forums rely on Ubuntu Single Sign On for logins.
Re: (Score:2)
Paul Thurrott, is that you?
Re: (Score:2)
Re: (Score:2)
Leaked IP address, username and email address. Hmm... Let's take a look at any Debian bug report submitted using reportbug [debian.org]:
From kilobyte@angband.pl Wed Jul 13 16:11:52 2016
Received: (at submit) by bugs.debian.org; 13 Jul 2016 16:11:52 +0000
[...]
Received: from tartarus.angband.pl ([2a03:9300:10::8])
by buxtehude.debian.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
(Exim 4.84_2)
(envelope-from <kilobyte@angband
Should have used open source! (Score:2)
Re: (Score:2)
They should have hosted this stuff on open source software - it's super secure
This isn't a zero-day attack. Whoever was the sysadmin for the Ubuntu forums didn't apply a security patch. The same thing can happen if you don't patch a Microsoft SQL Server.
SSO affected too? (Score:1)
I log in using SSO. Has my account info been hacked too? If so, that's my main Google account :-(. Time to change some passwords, methinks.
Blame Internet Brands (Score:2)
OpenID... (Score:2)
If only we had common uses of OpenID, compromising services would have essentially zero material benefit for the perpetrators...
Sigh (Score:2)