Security 14.02.2014

BidorBuy forums hit with stealthy hack


Users reaching the BidorBuy forums through a search engine were, until recently, redirected to myfilestore.com, where they were bombarded with ads.

Those visiting the forum directly, or from a link on the main BidorBuy site, would not have noticed the issue. The exploit also didn’t trigger if your browser already had cookies from the BidorBuy forums stored.

This means that the hack was trying to hide itself from regular visitors to the forum, such as site administrators.
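The trigger conditions described above suggest a monitoring check: request the same forum URL under each arrival profile and flag any profile that is redirected off-site while the others are served normally. The Python below is an added example, not code from BidorBuy or this article; the profile names, header values, the `example-shop.test` host and the `simulated_forum` stub are constructed assumptions.

```python
from urllib.parse import urlparse

# Arrival profiles matching the conditions the article describes.
# All header values are constructed samples.
PROFILES = {
    "direct": {},
    "internal_link": {"Referer": "https://www.example-shop.test/"},
    "search_no_cookie": {"Referer": "https://www.google.com/search?q=forum"},
    "search_with_cookie": {"Referer": "https://www.google.com/search?q=forum",
                           "Cookie": "bbsessionhash=constructed"},
}

def offsite_redirect(status, headers, site_host):
    """Return the target host if a 3xx response leaves site_host, else None."""
    if 300 <= status < 400:
        host = urlparse(headers.get("Location", "")).hostname
        if host and host != site_host and not host.endswith("." + site_host):
            return host
    return None

def probe_cloaking(url, fetch):
    """Request url under every profile. Report the profiles sent off-site,
    but only when at least one other profile was served normally, which is
    the signature of a conditional (cloaked) redirect."""
    site_host = urlparse(url).hostname
    results = {}
    for name, request_headers in PROFILES.items():
        status, response_headers = fetch(url, request_headers)
        results[name] = offsite_redirect(status, response_headers, site_host)
    flagged = {name: host for name, host in results.items() if host}
    served_normally = [name for name, host in results.items() if not host]
    return flagged if flagged and served_normally else {}

def simulated_forum(url, headers):
    """Constructed stand-in for the compromised forum: it redirects only
    search-engine arrivals that carry no forum cookie."""
    from_search = "google." in headers.get("Referer", "")
    if from_search and "Cookie" not in headers:
        return 302, {"Location": "http://myfilestore.com/"}
    return 200, {}

if __name__ == "__main__":
    print(probe_cloaking("https://forum.example-shop.test/", simulated_forum))
```

For use against a real site, `fetch` would be a function that issues the request with automatic redirect-following disabled and returns the status code and response headers.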

A screencast showing the effect of the hack with an explanation of how to reproduce the problem was uploaded by a security enthusiast in South Africa who goes by “Riccardo S”.

Quick response from BidorBuy

When contacted about the hack, BidorBuy CTO Gerd Naschenweng said that they did not know about the problem until alerted to it by MyBroadband.

Naschenweng said that they immediately responded to the report by removing the vBSEO plugin for their forum software, taking down the forum server and rebuilding it.

“The exploit only affects this plugin and removal of it clears the issue,” Naschenweng said.

“Although we are running the latest patched version of vBulletin, we did have a similar issue before where a vBulletin/vBSEO-plugin vulnerability was exploited,” Naschenweng said.

BidorBuy.co.za forum redirected to MyFilestore.com


He said that the vulnerability in vBSEO allowed a hacker to use an SQL injection to rewrite traffic originating from search engines to show an intermediate advertising landing page, from which the attacker could collect advertising revenue.

“The previous incident happened in June 2013 and we subsequently received a security patch for vBSEO, which was implemented but was obviously not good enough,” Naschenweng said.

Naschenweng said he was able to confirm that only the vBSEO plugin was compromised and that the attacker did not gain any privileged access to their server.

Gerd Naschenweng


Naschenweng provided a copy of the decrypted PHP code that was injected in the vBSEO plugin’s rewrite rules, which he uploaded to Pastebin.

“To be honest it is quite frustrating to have paid third-party software having such obvious exploits,” Naschenweng said, adding that it is unfortunate that they didn’t put extra checks in place (such as monitoring the vBSEO plugin) to possibly detect the issue sooner.

“Although an incident like this is worrying, we are not overly concerned about it, as our social platforms are isolated from our transactional systems and no customer data was accessed or compromised,” Naschenweng said.

Naschenweng said that they plan to have the forum restored by close of business today (14 February 2014).

Update: Naschenweng has informed MyBroadband that they have successfully rebuilt their forum server. Their own investigation into the matter also suggests that the vBSEO exploit crept into the system after they performed an upgrade in the last 7 days.
