Firm scrambles to patch vBulletin software flaw By Jonathan Fildes

Technology reporter, BBC News Published duration 22 July 2010

image caption The flaw could allow a hacker to access forum user's personal data

A serious flaw in software widely used to power online discussion sites could allow hackers to harvest reams of personal data, the BBC has learned.

The flaw in a specific version of the vBulletin software allows anyone to easily access the main administrator username and password for a site.

This would also allow hackers to access data, such as e-mail addresses, and edit the site at will.

The owner of the program - Internet Brands - released a fix on 21 July.

However, at time of writing, many sites remain vulnerable.

The BBC was alerted to the problem by Stuart Wright of audio visual reviews site AV forums, which uses the software for its discussion boards, before the patch was released.

"It is very worrying that they are releasing a product which has such a horrendous flaw," Mr Wright told BBC News.

"I'm really not happy - we rely on this software for our business."

AV Forums has around 300,000 members. It was not using the version with the flaw.

Internet Brands has not responded to requests for comment on the problem.

Simple hack

vBulletin is software that is used to power a large proportion of internet forums and discussion boards on the web.

It was originally developed by Jelsoft and vBulletin Solutions, but was sold to Internet Brands in 2007.

The flaw affects version 3.8.6 of the software, which was released on 13 July.

The simple hack, which the BBC has confirmed, allows even unskilled people to access many websites.

With a few key strokes the person can obtain the administrator's username and password for the website.

This can be used to log in to the site and modify and delete elements at will.

David Ross, founder of Hexus.net, a technology news and reviews website, said the flaw was a "potential nightmare".

"It could allow someone to access all of the user accounts for the site," he said.

This would be useful to a hacker, he said, because it was "good quality information" that had already been verified.

Hexus.net, which has 75,000 registered users, updated their site as soon as they were made aware of the flaw.

Net aware

Internet Brands announced a patch for the problem at 1900 BST on 21 July on its website.

It also sent e-mails to its customers and sent out a message that appeared on the main control panels of individual customers' software.

However, hours before the official announcement, third party firms that provide services to vBulletin were already warning of a problem.

"It has come to our attention that a vulnerability on vBulletin 3.8.6 has been discovered," read one from vBSEO.

"The exploit allows a malicious user to retrieve a forum's database credentials."

It then offered advice on how to fix the problem.

Kier Darby, the former lead developer of vBulletin also issued an alert via Twitter.

However, nearly 24 hours later, many websites are still vulnerable.

Graham Cluley of security firm Sophos said that this could be because firms were testing the new patch.

"If this is a piece of software running on your company website then it is good practice to test it before it goes live to make sure you're not introducing more problems," he told BBC News.

However, he said, firms should plug the flaw as soon as possible.

"If the provider of the software says there is a issue with it, they have flagged it up to the entire internet," he said.