How easy is it ...

  Kate B 22:06 12 Feb 2006

... to hack user accounts on a public forum? I'm a regular on another site that has been plagued by trolls recently. Today it seems as though user accounts have been accessed: private messages have been read and user accounts are being interfered with. Users are being logged out and their password no longer works and they have to request a new one by email.

It runs on an elderly and heavily customised version of vBulletin, though I have no idea about the back end.

Any thoughts? I've asked for my account over there to be suspended as I've been kicked out of my account and had to reset it a couple of times and the troll has intimated that s/he has read my private messages there and I'm not the only one.

  powerless 22:19 12 Feb 2006

Elderly vBulletin hey?

Well if it has not been updated to the most current version then old flaws may still be present and exploited.

Change your email address to a disposable hotmail one, set up a stronger password, delete any profile fields that you don't want anyone to see and delete all PM's.

Pop back in a week.

  Kate B 22:24 12 Feb 2006

What were the old flaws, Powerless? My password was very strong.

  Forum Editor 00:04 13 Feb 2006

if the people who run the board have set passwords on the mod and admin directories using .htaccess

Do you know which version of vbulletin is involved?

  Kate B 00:08 13 Feb 2006

I'll do that Peter - having done some Googling I see there's a MySQL injection that can be used to hack the admin privileges. I don't speak MySQL so it doesn't mean much to me - I'd be grateful if anyone can explain that. Is that what you suspect?

The forum doesn't show which version of vBulletin is but apparently it's an old one - there was some discussion recently about how it was overdue for an upgrade but had been so extensively modded that nobody could face it.

  Forum Editor 00:33 13 Feb 2006

it is what I suspect. Many people running older vbulletin boards have the same problem.

Setting passwords on those two directories is the first step in the journey, but without knowing an awful lot more I can't be helpful. The trouble is that with a heavily modded board the cure can almost be worse than the disease, and it's probably a better idea to take the whole thing offline and start again.

There's a really useful tool that can help with board upgrades by the way. It works by comparing sets of directories and/or files, and highlights the differences. It's invaluable when you're uploading lots of changes, I've used it to compare thousands of files in two different versions of clients' websites when searching for problems; it's a sanity-preserver.

click here if you're interested.

  Kate B 00:37 13 Feb 2006

Thanks, Peter, that's really helpful. Rather pleased that my geeky intuition came up with what might be the right answer *proud beam*. I'll email the admin with that, but he's not known for his interactivity with users.

  Forum Editor 00:42 13 Feb 2006

Unlike some others, eh?

Good luck, and goodnight.

  Kate B 00:44 13 Feb 2006


  anskyber 09:48 13 Feb 2006

Given what you have said can you advise which site or forum we are talking about so it can be avoided.

  Haol 12:49 13 Feb 2006

SQL Injection as stated by SecuriTeam is

"It is a trick to inject SQL query/command as an input possibly via web pages. Many web pages take parameters from web user, and make SQL query to the database. Take for instance when a user login, web page that user name and password and make SQL query to the database to check if a user has valid name and password. With SQL Injection, it is possible for us to send crafted user name and/or password field that will change the SQL query and thus grant us something else."

This thread is now locked and can not be replied to.

Elsewhere on IDG sites

HTC U12 Plus review: Hands-on

See how VFX studio Rise created 'Jabariland', holograms & digital doubles in Marvel Studios' Black…

Best Android emulators for Mac

Comment importer des contacts d’un iPhone à un autre iPhone ?