
Account data belonging to more than half of all Comodo Forums users has been stolen and is now being traded online. The breach was made possible by exploiting a vulnerability in the software that powers the forum.
Comodo today published a security notice informing users that an intruder may have gained access to the forums database.
"Very recently a new vulnerability in the vBulletin software, which is one of the most popular server applications for website comments including the Comodo Forums, was made public," the notification begins.
The bug in vBulletin is critical and extremely easy to exploit. Details were made public a week ago, but exploit brokers had known about it for three years.
Since the exploit code was published, attackers started pounding vBulletin-powered forums. One botnet even secured the servers after compromising them by modifying the vulnerable code so that command execution required a password.
Comodo notifies its forum users
According to the announcement from Comodo, an attacker exploited the vBulletin security flaw on Sunday at 04:57 AM EST; their action resulted "in a potential data breach on the Comodo Forums."
The investigation is in an early stage and efforts are being made to determine what data has been accessed.
The Comodo Forum is powered by the open-source Simple Machines Forum software, but vBulletin is used on another board dedicated to product updates and discussions, which has far fewer members. The ITarian forum, also run by Comodo, has 45,300 users and is on vBulletin. They published a similar announcement with the same recommendations.
"User accounts on the forums contain information such as username, name, e-mail address, last IP used to access the forums and if used, potentially some social media usernames in very limited situations." - Comodo
The notification says that all passwords were stored in encrypted form but forum users are recommended to change them, as a precautionary measure.
Filling in the blanks
On a site where users exchange and sell databases from breach or leak incidents, someone offered a dump that contains at least the password, email, and username of over 170,000 Comodo Forums users. According to Comodo, their forums have around 245,000 registered users.
The individual advertising the database specifically says that the dump is from Comodo's discussion website running on the Simple Machines Forum (SMF) software and that the data is fresh, from September 29. They also say that the passwords are hashed using the MD5 algorithm, which is not only highly vulnerable but also very easy to crack, recovering the original string from the hash.
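Why an MD5 password store is easy to crack, and how a forum can move off it without forcing a reset, as an added example that is not part of this article or of SMF's or vBulletin's code. It assumes a generic `md5(salt + password)` legacy record (a constructed format, not the forum software's real one), uses Python's `hashlib.scrypt` as the replacement, performs the transparent re-hash on a successful login that the chilinux comment below describes for SMF, and measures on the running machine how many times more expensive one scrypt verification is than one MD5 verification.

```python
import hashlib
import hmac
import os
import time

# Constructed legacy record: a generic "md5(salt + password)" scheme stored as
# hex. This is an assumption for illustration, not SMF's or vBulletin's real
# on-disk format.
LEGACY_SALT = bytes.fromhex("0123456789abcdef")
LEGACY_RECORD = {
    "scheme": "md5",
    "salt": LEGACY_SALT.hex(),
    "hash": hashlib.md5(LEGACY_SALT + b"correct horse").hexdigest(),
}


def legacy_md5_hash(password: str, salt: bytes) -> str:
    """Fast and unsuitable for passwords: one cheap MD5 per candidate."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def modern_hash(password: str, salt: bytes) -> str:
    """scrypt with a 16 MiB work factor: deliberately slow and memory-hard."""
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=2**14, r=8, p=1, dklen=32).hex()


def verify_and_upgrade(record: dict, password: str) -> tuple:
    """Return (ok, record). On a correct login against a legacy MD5 record the
    returned record is re-hashed with scrypt under a fresh random salt, so the
    MD5 digest can be dropped from storage the next time the user signs in."""
    salt = bytes.fromhex(record["salt"])
    if record["scheme"] == "md5":
        ok = hmac.compare_digest(legacy_md5_hash(password, salt), record["hash"])
        if not ok:
            return False, record
        new_salt = os.urandom(16)
        return True, {"scheme": "scrypt", "salt": new_salt.hex(),
                      "hash": modern_hash(password, new_salt)}
    if record["scheme"] == "scrypt":
        return hmac.compare_digest(modern_hash(password, salt), record["hash"]), record
    raise ValueError(f"unknown scheme {record['scheme']!r}")


def verifications_per_second(hash_fn, budget_s: float = 0.25) -> float:
    """Count how many candidate passwords hash_fn can check within budget_s
    seconds on this machine: a proxy for the offline guessing rate a leaked
    table of such hashes exposes its users to."""
    salt = b"\x00" * 16
    n, start = 0, time.perf_counter()
    while True:
        hash_fn(f"candidate{n}", salt)
        n += 1
        if time.perf_counter() - start >= budget_s:
            break
    return n / (time.perf_counter() - start)


def slowdown_factor() -> float:
    """How many times more work one scrypt check costs than one MD5 check."""
    return verifications_per_second(legacy_md5_hash) / verifications_per_second(modern_hash)


if __name__ == "__main__":
    ok, upgraded = verify_and_upgrade(LEGACY_RECORD, "correct horse")
    print("login ok:", ok, "-> stored scheme now:", upgraded["scheme"])
    print(f"one scrypt verification costs ~{slowdown_factor():,.0f}x one MD5 verification")
```

The upgrade path only works for users who log in again, which is why a leak of a table that still contains MD5 digests for dormant accounts (most of the accounts in the sample, per the article) leaves those users exposed; the scrypt parameters are a tuning choice and a deployment would size them to its login-rate budget.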

BleepingComputer received a sample of the database and was able to verify that it was genuine. Most of the users in it were inactive Comodo Forums members, but one of them is an active user and confirmed an email address we provided as being theirs and used on the forum, as well as other details.
The full extent of the user details available in the database is unclear but the sample seen by BleepingComputer included the following:
- ID
- name
- country
- IP address of the last login
- password and its salt
- provided birth date
- security question
- hashed security answer
- registration date
- messenger usernames
- total time logged in
Some of the information was present only for the users that provided it.
BleepingComputer contacted Comodo for clarification regarding the forum that was breached. We will update the article when we have the new information.
h/t Breach Radar
Update [10.01.2019]: Someone more familiar with the incident told BleepingComputer that the initial breach occurred on the ITarian forum by exploiting the vBulletin vulnerability. From there, the attacker somehow managed to get access to Comodo's SMF-powered forum - one theory is that they used stolen credentials.
A Comodo representative clarified for BleepingComputer that the company has forums powered by both vBulletin and SMF that share a segmented network zone and the same servers. This enabled the attacker to reach user data from the SMF forum after compromising the vBulletin-based forum. We were told that no other systems were accessible.

Comments
the_moss_666 - 2 years ago
I think "hashed security answer" is the most useful (and most interesting) leaked information. These answers are weaker than passwords and are almost exclusively names, dates, colors, cities or schools. These answers are also static and are used on multiple websites or services. You can't change your mother's name as often as you can change your password :-D
Perfect dictionary attack targets.
chilinux - 2 years ago
From what I can tell, the Simple Machines Forums moved from using MD5 hashed passwords to SHA-1 hashes back in 2005. After updating to a newer version of SMF, any successful login to SMF should automatically update the MD5 hash to SHA-1. If Comodo is still running a pre-2005 version of SMF, then there may be several known CVEs related to SMF left unaddressed by them.
Comodo seems to use a vendor model of over promise on security and under deliver on security. Comodo's Advanced Endpoint Protection was stated to me as providing "100% protection." The Comodo site inspector product is literally called "HackerProof." Their website promotes a Comodo E-Book called "Preventing Breaches by Building a Zero Trust Architecture." But where was the 100% protection, hacker proofing and zero trust architecture for Comodo's own forums? Does this breach mean the Comodo Dragon Platform does not work or that protecting forum member personal information wasn't important enough for Comodo to use the Dragon Platform?
It would have also been nice if Comodo used the security skills they claim to have to further improve the security of SMF. It shouldn't be hard to develop 2FA support for the open source SMF code. SMF is fairly cleanly written PHP code. Yet Comodo just didn't do that.