Canonical has published a report detailing the recent attack on the Ubuntu Forums, in which the attackers obtained the credentials of 1.8 million users.

“On July 14, 2013 the attacker managed to gain access to the account of one of the forum moderators. This moderator had the right to post announcements on the forum, which may contain HTML code,” the report says.

The attacker posted an announcement containing a malicious JavaScript insert and then sent private messages to three forum administrators, reporting a supposed server error on the announcements page. One of the administrators went to check the announcements page, found nothing suspicious and replied to the fake moderator's private message. The attacker then logged in as that administrator and gained full access to the vBulletin environment.

As Canonical established, the announcement the attackers posted carried out an XSS attack that let them intercept the cookies of every visitor to the page.

Next, using the ability to add handlers in the control panel, the attackers arranged execution of arbitrary PHP code, which allowed them to run any command on the server as the «www-data» user. The attack took place on July 14 and was discovered on July 20, after the attacker defaced the website.

To prevent such attacks in the future, Canonical has audited the forum's setup and changed its configuration for maximum security and isolation: for example, installing handlers from the control panel is banned, HTML is no longer allowed in announcements, HTTPS is mandatory for moderators and administrators, and the forum engine is confined with AppArmor.
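The two weaknesses described above (moderator announcements carrying arbitrary HTML, and session cookies readable by injected script) and two of the fixes listed (no HTML in announcements, HTTPS for privileged users) can be shown in a few lines. The following is an added example, not Canonical's or vBulletin's code: an allowlist sanitizer for announcement text, built on Python's standard `html.parser`, plus a hardened `Set-Cookie` value for the session. The allowed tag set, attribute set and cookie name are assumptions chosen for this example.

```python
"""Allowlist HTML sanitizer for forum announcements and a hardened
session-cookie header. Added example; not Canonical's or vBulletin's code."""
from html import escape
from html.parser import HTMLParser

# Constructed allowlist for this example: only inert formatting survives.
# Everything else (script, img, event handlers, style) is escaped to text.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://")


class Sanitizer(HTMLParser):
    """Re-emits only allowlisted markup; unknown tags become escaped text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # Unknown tag: keep its raw text, but escaped, so it cannot execute.
            self.out.append(escape(self.get_starttag_text() or ""))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick/onerror/style/etc.
            if name == "href" and not (value or "").lower().startswith(SAFE_SCHEMES):
                continue  # drops javascript: and data: URLs
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.handle_starttag(tag, attrs)  # void tag such as <br/>
        else:
            self.out.append(escape(self.get_starttag_text() or ""))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
        else:
            self.out.append(escape(f"</{tag}>"))

    def handle_data(self, data):
        # Text content is always escaped; the parser already decoded charrefs.
        self.out.append(escape(data))


def sanitize_announcement(html_text: str) -> str:
    """Return announcement HTML reduced to the allowlisted subset."""
    parser = Sanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)


def session_cookie_header(session_id: str, name: str = "sessionid") -> str:
    """Set-Cookie value for the session cookie. HttpOnly keeps injected
    script from reading it via document.cookie, Secure restricts it to
    HTTPS, and SameSite=Lax limits cross-site sends. Cookie name is an
    assumption for this example."""
    return f"{name}={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    # Constructed sample announcement mixing legitimate formatting with
    # a script tag and a javascript: link, as a moderator with HTML rights
    # could have posted.
    sample = ('<p>Maintenance <b>tonight</b></p>'
              '<script>alert(document.cookie)</script>'
              '<a href="javascript:alert(1)" onclick="alert(2)">help</a>')
    print(sanitize_announcement(sample))
    print(session_cookie_header("constructed-session-id"))
```

The sanitizer keeps `<p>`, `<b>` and a bare `<a>` but turns the `<script>` element into visible text and drops both the `javascript:` href and the `onclick` attribute. The cookie flags matter independently of the sanitizer: with `HttpOnly` set, even a script that does get injected cannot read the session cookie, and `Secure` is what makes the mandatory-HTTPS rule stick for the cookie itself.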

Authentication on the Ubuntu Forums has been switched to the centralized Ubuntu Single Sign On service. Because the hashing algorithm in use was outdated salted MD5, all existing user passwords were reset and replaced with newly generated random passwords; instructions for using them were sent to users by e-mail.

For more details, check out the blog post.