phpBB

An unknown attacker has compromised download links for the phpBB forum software, according to a statement released today by the phpBB development team.

The hacker compromised only two downloads links, for the phpBB 3.2.2 full package and the phpBB 3.2.1 -> 3.2.2 automatic updater. This is phpBB's latest version, released on January 7, this year.

Download links compromised for only three hours

The compromised download links were live only for 181 minutes, between 12:02 PM UTC and 15:03 PM UTC on yesterday, January 26.

The phpBB team did not reveal exact details of how the attacker managed to poison the download links, and only said:

The point of entry was a third-party site. Neither phpBB.com nor the phpBB software were exploited in this attack.

phpBB staff removed the links to the malicious files as soon as they were discovered. They said the download links pointed off-site to malicious versions of the original phpBB files that also contained additional "malicious code."

"The malicious code in the modified package attempts to load JavaScript from a remote source," Michael Cullum of the phpBB Management Team told Bleeping Computer in an email. "At this time, we are in control of the domain names that would be hosting that JavaScript, rendering the code harmless."

"We are actively working with the third-party to investigate the attack vector utilized in the intrusion and will provide more information as it becomes available," Cullum added. "We can again confirm that neither our servers, nor the phpBB software, were exploited during these events."

Less than 500 users downloaded the malicious phpBB packages

"Due to our infrastructure team’s ability to respond swiftly, the malicious packages were only in place for 3 hours," Cullum told Bleeping Computer. "This period was likewise one of the quietest periods on our website for downloads. Based on our calculations, we estimate the total number of affected downloads does not exceed 500. We expect a far smaller number were utilized in a production environment."

Cullum said the phpBB team is still investigating and will publish more details once they know more.

"Our main priority at this time is to be as thorough as possible in our investigation to fully ensure the safety of our users," he said. "It is always our policy to inform the community at the earliest opportunity and then provide continuing information as we are able to ensure its accuracy."

Download links are currently safe

Users who downloaded phpBB 3.2.2 packages on Friday are advised to verify the SHA256 file hash of the file they downloaded against the one listed on the phpBB official downloads page.

"The downloads currently available on the downloads page are safe," the phpBB team said.

"If you have already used the package to install or update a phpBB forum, please file an incident report on our tracker and we will assist with removal of the malicious code," phpBB developers said.

phpBB is a very popular PHP-based discussion board, currently in use on 0.2% of all sites on the Internet, according to W3Techs.

This is not the first time when the official website of a popular software is hacked to distribute malware. Hackers previously breached the website of the Elmedia Player to distribute the Proton RAT, the website of the HandBrake transcoder app to distribute the same Proton RAT, and the website of the Transmission BitTorrent client twice to distribute the KeRanger ransomware, and later the Keydnap infostealer malware.

UPDATE [January 28, 05:40 ET]: Article updated with comments receveid via email from Cullum.

Related Articles:

New Sextortion Scam Pretends to Come from Your Hacked Email Account

Naughty Hacker Steals $38k from SpankChain CryptoCurrency

Feedify Hacked with Magecart Information Stealing Script

Vodafone Tells Hacked Customers with "1234" Password to Pay Back Money

Critical Flaw Fixed in Packagist, PHP's Largest Package Repository