{"id":96793,"date":"2014-02-14T13:48:39","date_gmt":"2014-02-14T11:48:39","guid":{"rendered":"http:\/\/mybroadband.co.za\/news\/?p=96793"},"modified":"2014-02-14T14:17:15","modified_gmt":"2014-02-14T12:17:15","slug":"bidorbuy-forums-hit-with-stealth-hack","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/security\/96793-bidorbuy-forums-hit-with-stealth-hack.html","title":{"rendered":"BidorBuy forums hit with stealthy hack"},"content":{"rendered":"<p>Users reaching the BidorBuy <a href=\"http:\/\/forum.bidorbuy.co.za\" target=\"_blank\">forums<\/a> through a search engine would until recently have been redirected to myfilestore.com, where they were bombarded with ads.<\/p>\n<p>Those visiting the forum directly, or from a link on the main <a title=\"BidorBuy\" href=\"http:\/\/mybroadband.co.za\/vb\/showthread.php\/359610-Bidorbuy\">BidorBuy<\/a> site, would not have noticed the issue. The exploit also didn\u2019t trigger if your browser already had cookies from the BidorBuy forums stored.<\/p>\n<p>This means that the hack was trying to hide itself from regular visitors to the forum, such as site administrators.<\/p>\n<p>A screencast showing the effect of the hack with an explanation of how to reproduce the problem was uploaded by a security enthusiast in South Africa who goes by \u201cRiccardo S\u201d:<\/p>\n<p><iframe loading=\"lazy\" src=\"\/\/www.youtube.com\/embed\/uGPo0Ur6YXg\" height=\"450\" width=\"600\" allowfullscreen=\"\" frameborder=\"0\"><\/iframe><\/p>\n<h3 class=\"my-4\">Quick response from BidorBuy<\/h3>\n<p>When contacted about the hack, BidorBuy CTO <a title=\"Gerd Naschenweng\" href=\"http:\/\/mybroadband.co.za\/vb\/showthread.php\/554485-Gerd-Naschenweng\">Gerd Naschenweng<\/a> said that they did not know about the problem until alerted to it by MyBroadband.<\/p>\n<p>Naschenweng said that they immediately responded to the report by removing the vBSEO plugin for its forum software and taking down the forum server and 
rebuilding it.<\/p>\n<p>\u201cThe exploit only affects this plugin and removal of it clears the issue,\u201d Naschenweng said.<\/p>\n<p>\u201cAlthough we are running the latest patched version of vBulletin we did have a similar issue before where a VBulletin\/vBSEO-plugin vulnerability was exploited,\u201d Naschenweng said.<\/p>\n<div id=\"attachment_96795\" style=\"width: 610px\" class=\"wp-caption aligncenter\"><a  data-lightbox=\"post-image\" href=\"http:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2014\/02\/BidorBuy.co_.za-forum-redirected-to-MyFilestore.com_.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-96795\" class=\" wp-image-96795 \" alt=\"BidorBuy.co.za forum redirected to MyFilestore.com\" src=\"http:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2014\/02\/BidorBuy.co_.za-forum-redirected-to-MyFilestore.com_.jpg\" width=\"600\" srcset=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2014\/02\/BidorBuy.co_.za-forum-redirected-to-MyFilestore.com_.jpg 772w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2014\/02\/BidorBuy.co_.za-forum-redirected-to-MyFilestore.com_-537x400.jpg 537w\" sizes=\"(max-width: 772px) 100vw, 772px\" \/><\/a><p id=\"caption-attachment-96795\" class=\"wp-caption-text\">BidorBuy.co.za forum redirected to MyFilestore.com<\/p><\/div>\n<p>He said that the vulnerability in vBSEO allowed a hacker to use an SQL injection to rewrite traffic originating from search engines to show an intermediate advertising landing page, from which the attacker could collect advertising revenue.<\/p>\n<p>\u201cThe previous incident happened in June 2013 and we subsequently received a security patch for vBSEO, which was implemented but was obviously not good enough,\u201d Naschenweng said.<\/p>\n<p>Naschenweng said he was able to confirm that only the vBSEO plugin was compromised and that the attacker did not gain any privileged access to their server.<\/p>\n<div id=\"attachment_84959\" style=\"width: 610px\" 
class=\"wp-caption aligncenter\"><a  data-lightbox=\"post-image\" href=\"http:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2013\/08\/Gerd-Naschenweng.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-84959\" class=\"size-full wp-image-84959\" alt=\"Gerd Naschenweng\" src=\"http:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2013\/08\/Gerd-Naschenweng.png\" width=\"600\" height=\"400\" srcset=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2013\/08\/Gerd-Naschenweng.png 600w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2013\/08\/Gerd-Naschenweng-250x166.png 250w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/a><p id=\"caption-attachment-84959\" class=\"wp-caption-text\">Gerd Naschenweng<\/p><\/div>\n<p>Naschenweng provided a copy of the decrypted PHP code that was injected in the vBSEO plugin\u2019s rewrite rules, which he <a href=\"http:\/\/pastebin.com\/4U7ZvK7x\" target=\"_blank\">uploaded to Pastebin<\/a>.<\/p>\n<p>\u201cTo be honest it is quite frustrating to have paid third-party software having such obvious exploits,\u201d Naschenweng said, adding that it is unfortunate that they didn\u2019t put extra checks in place (such as monitoring the vBSEO plugin) to possibly detect the issue sooner.<\/p>\n<p>\u201cAlthough an incident like this is worrying, we are not overly concerned about it, as our social platforms are isolated from our transactional systems and no customer data was accessed or compromised,\u201d Naschenweng said.<\/p>\n<p>Naschenweng said that they plan to have the forum restored by close of business today (14 February 2014).<\/p>\n<p><strong>Update:<\/strong> Naschenweng has informed MyBroadband that they have successfully rebuilt their forum server. 
Their own investigation into the matter also suggests that the vBSEO exploit crept into the system after they performed an upgrade in the last 7 days.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A vulnerability in a third-party plugin has been exploited on the BidorBuy forums to collect advertising revenue for a 
hacker<\/p>\n","protected":false},"author":15,"featured_media":75809,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[3636,35],"class_list":["post-96793","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-bidorbuy","tag-headline"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/96793"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=96793"}],"version-history":[{"count":3,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/96793\/revisions"}],"predecessor-version":[{"id":96803,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/96793\/revisions\/96803"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/75809"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=96793"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=96793"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=96793"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}