Comodo's Forum Gets Hacked After the Company Fails to Apply a Security Patch on Time
We often get to say on these pages how important software updates are, not just because of the new features and performance improvements, but also because of the security patches. On Monday, Comodo, which, ironically, is a security company, gave us a story that illustrates what can happen when those patches are delayed by as little as four days. Before we get to the bottom of the problem, however, we should mention that the incident isn't really that horrific.
Not the biggest breach in the world
Comodo published a short security notice saying that on September 29, unknown hackers gained access to a database that contained the information of its forum users. A total of 245 thousand records were potentially accessed, with each containing a name, an email address, the user's most recent IP address, and an "encrypted" password.
In light of other recent security incidents, some might be tempted to classify this particular breach as insignificant. Indeed, the amount of data that was put at risk is not that huge, and although the notice is a bit sparse on details, there are few reasons to believe that any particularly sensitive information has been exposed.
That being said, the actual mechanism of the break-in is a cause for concern, because it shows that a recognizable name in the cybersecurity industry has failed to set up an update policy that can keep it (and its users) safe.
A patched vBulletin vulnerability was at the bottom of the data breach
On September 23, an anonymous security researcher publicly disclosed a previously unknown security vulnerability in the fifth version of vBulletin, a popular internet forum software written in PHP. Tracked as CVE-2019-16759, the flaw is rather scary for a few very good reasons.
First, although it was labeled "a zero-day vulnerability", some people knew about it long before it was made public. As The Register reported at the time, experts were saying that exploits had been on the underground market for years. In other words, cybercriminals have relatively easy access to the code that can compromise thousands of vBulletin forums.
In addition to this, the attack isn't particularly hard to pull off. Exploiting the hole involves a few lines of Python code put in an HTTP POST request. Those lines are now publicly available.
Last but by no means least, the fact that CVE-2019-16759 is a remote code execution bug means that it gives hackers the chance to do more or less whatever they want after a successful exploit.
Because the bug is so dangerous, vBulletin's developers put together a patch rather quickly. On September 25, four days before the attack against Comodo, fixes for all vulnerable versions were released, and security experts urged everyone to install the patches as a matter of urgency. Comodo wasn't paying attention, and the results are now evident. The company promised to create and follow a strict update policy from now on, and users can only hope that it will keep its word. They can also hope that the next time it has to deal with a security incident, its notices are a bit clearer.
Comodo causes some confusion with its data breach notice
The data breach notice was published on https://forums.comodo.com/ (the forums dedicated to Comodo and its products), and the 245 thousand records mentioned in it belong to people who used that particular forum. The moderator publishing the notice made no attempt to hide the fact that the attackers exploited CVE-2019-16759 in order to steal the data, and this left quite a few people perplexed. As some users quickly pointed out, https://forums.comodo.com/ is built with Simple Machines Forum, another internet message board software that has nothing to do with vBulletin.
The moderators then had to explain that the attackers actually hacked https://forum.itarian.com/, a different forum that is owned by Comodo and is built on vBulletin. Since https://forum.itarian.com/ and https://forums.comodo.com/ are hosted on the same server, the hackers got access to not one but two databases. The one full of https://forum.itarian.com/ users apparently had just over 45 thousand people in it.
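The second database was exposed only because both forums shared a server. One way to limit that kind of blast radius is to give each web application its own database account that can reach nothing but its own database. The following is an added example for MySQL/MariaDB, written for this article and not taken from Comodo, vBulletin or Simple Machines Forum; the database names, account names and passwords are hypothetical placeholders.

```sql
-- Added example (not Comodo's configuration): two forum applications on one
-- database server, each with an account scoped to its own database.
-- Database names, account names and passwords are hypothetical.
CREATE DATABASE forum_a;
CREATE DATABASE forum_b;

-- Weak pattern: one shared account with rights on every database on the host.
-- A compromise of either web application then exposes both databases.
-- CREATE USER 'forums'@'localhost' IDENTIFIED BY 'placeholder-password';
-- GRANT ALL PRIVILEGES ON *.* TO 'forums'@'localhost';

-- Corrected pattern: one account per application, limited to one database
-- and to the statements a forum needs at runtime (no FILE, SUPER, or
-- cross-database access).
CREATE USER 'forum_a_app'@'localhost' IDENTIFIED BY 'placeholder-password-a';
GRANT SELECT, INSERT, UPDATE, DELETE ON forum_a.* TO 'forum_a_app'@'localhost';

CREATE USER 'forum_b_app'@'localhost' IDENTIFIED BY 'placeholder-password-b';
GRANT SELECT, INSERT, UPDATE, DELETE ON forum_b.* TO 'forum_b_app'@'localhost';

FLUSH PRIVILEGES;

-- Check: each account's effective grants should name exactly one database.
SHOW GRANTS FOR 'forum_a_app'@'localhost';
SHOW GRANTS FOR 'forum_b_app'@'localhost';
```

Database-level separation is only part of the answer: if both applications run under the same operating-system user on the same host, code execution in one can still read the other's configuration file and the credentials it contains. Running each forum as its own OS user, or on its own host or container, is what actually keeps one compromised application from reaching the other's data.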
Even with the second database, the breach is not particularly horrific. That said, it does expose an unfortunate truth about the current state of cybersecurity. Just like the rampant password reuse among security experts, this incident shows that even the professionals aren't willing to trust their own advice and follow the most basic of security principles.