Forum software maker vBulletin is urging users to change their passwords following a recent breach of its networks. The attackers who claimed responsibility for the intrusion say they broke in using a zero-day flaw that is now being sold in several places online, but vBulletin maintains it is not aware of any zero-day attacks against current versions of its product.

On Thursday, Nov. 14, this publication received an email with several screenshots and a short note indicating that vBulletin had been hacked. The attackers claimed they had knowledge of a zero-day bug in versions 4.x and 5.x of vBulletin, and that they had used the same vulnerability to break into vbulletin.com and macrumors.com.

That same day, I reached out to both vBulletin and MacRumors. I heard immediately from MacRumors owner Arnold Kim, who pointed my attention to a story the publication put up last Monday acknowledging a breach. Kim said MacRumors actually runs version 3.x of vBulletin, and that the hackers appear to have broken in using a clever cross-site scripting attack.

“In VB3, moderators can post ‘announcements’ in the forum, and by default announcements allow HTML,” Kim explained. “The hacker or hackers were able to somehow get a moderator’s login password, and used that to embed JavaScript in an announcement and waited for an administrator to load that page. Once that happened, the JavaScript installed a plugin in the background that allowed [the attackers] to execute PHP scripts.”

Kim said the attackers in that case even came on the MacRumors forum and posted a blow-by-blow of the attack, confirming that the cause of the breach was a compromised moderator account. Kim said the person who left the comment was using the same Internet address as the attacker who hacked his forum, and that the moderator account that got compromised on MacRumors also had an account with the same name and password on vBulletin.com.

“Stop [blaming] this on the ‘outdated vBulletin software’,” the apparent culprit wrote. “The fault lied within a single moderator. All of you kids that are saying upgrade from 3.x to 4.x or 5.x have no idea what you’re talking about. 3.x is far more secure than the latter. Just because it’s older, it doesn’t mean it’s any worse.”
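The MacRumors intrusion Kim describes above worked because announcements accepted raw HTML, so a moderator-level account could store script that later ran in an administrator's browser with the administrator's privileges. What follows is an added example, not vBulletin's or MacRumors' code, of the allowlist-style sanitizer a forum should apply to any moderator-supplied HTML before storing or rendering it: it keeps a small set of formatting tags, drops every attribute except a scheme-checked href, and discards script and event-handler content entirely rather than trying to blocklist known-bad markup. The tag list, the URL scheme list and the sample announcement are assumptions constructed for this example; it uses only the Python standard library.

```python
import re
from html import escape
from html.parser import HTMLParser

# Allowlist (assumed for this example): anything not listed is dropped, not escaped.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
# Tags whose *content* must be discarded too, not only the tag itself.
CONTENT_DROPPED = {"script", "style"}


def safe_href(value):
    """Return the href if it uses an allowlisted scheme, else None.

    Whitespace and control characters are removed before the check so that
    variants such as 'java\\tscript:' or ' JAVASCRIPT:' cannot pass a naive
    prefix test. HTMLParser has already decoded entities such as &#58; by
    the time the value reaches us."""
    if value is None:
        return None
    normalized = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return value.strip() if normalized.startswith(SAFE_SCHEMES) else None


class AnnouncementSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []        # sanitized output fragments
        self.dropped = []      # audit trail of everything removed
        self._open = []        # allowlisted tags currently open
        self._skip = 0         # >0 while inside <script>/<style> content

    def handle_starttag(self, tag, attrs):
        if tag in CONTENT_DROPPED:
            self._skip += 1
            self.dropped.append(f"<{tag}> (with content)")
            return
        if self._skip:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")
            return
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()):
                if name == "href":
                    value = safe_href(value)
                    if value is None:
                        self.dropped.append(f"{tag}@href")
                        continue
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
            else:
                # Covers every on* event handler, style, src, etc.
                self.dropped.append(f"{tag}@{name}")
        self.parts.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in CONTENT_DROPPED:
            self._skip = max(0, self._skip - 1)
            return
        if self._skip or tag not in self._open:
            return
        # Close everything opened after this tag so the output stays well-formed.
        while self._open:
            closed = self._open.pop()
            self.parts.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(escape(data, quote=False))

    def result(self):
        while self._open:                      # close anything left dangling
            self.parts.append(f"</{self._open.pop()}>")
        return "".join(self.parts)


def sanitize_announcement(raw_html):
    """Return (clean_html, dropped_items) for one announcement body."""
    parser = AnnouncementSanitizer()
    parser.feed(raw_html)
    parser.close()
    return parser.result(), parser.dropped


# Constructed sample: a benign notice with the kinds of payload a compromised
# moderator account might append (script, event handler, javascript: link).
SAMPLE_ANNOUNCEMENT = (
    '<p>Maintenance <b>tonight</b>.</p>'
    '<script>fetch("/admin/install-plugin")</script>'
    '<img src=x onerror="alert(1)">'
    '<a href="javascript:alert(1)">click</a>'
    '<a href="https://example.com" onclick="evil()">site</a>'
    '<p onmouseover="x()">Thanks & goodnight</p>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_announcement(SAMPLE_ANNOUNCEMENT)
    print(clean)
    print("dropped:", dropped)
```

The second return value is worth logging and alerting on: a moderator account that suddenly submits announcements containing script tags or on* attributes is exactly the signal that would have flagged the compromised MacRumors moderator before an administrator ever viewed the page.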

On Saturday, Nov. 16, I heard back from vBulletin, which said it had just posted a note urging users to change their passwords, and that the company was not aware of any zero-day bugs in its software. vBulletin didn’t say which version of its software was attacked, only that “our staging server was running a wide variety of versions of the software.” The vBulletin homepage says the site is powered by version 5.0.5.

“Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password,” vBulletin’s tech support lead Wayne Luke wrote. “Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems.”

Interestingly, several individuals appear to be selling what they claim are zero-day exploits in vBulletin 4.x and 5.x, including the attackers who first contacted me on Thursday claiming responsibility for the break-in. That person, using the nickname Inj3ct0r, advertised a copy of the supposed exploit for $7,000, available for payment via virtual currencies Bitcoin and WebMoney. According to this user’s Bitcoin wallet, at least one person appears to have paid for a copy, sending the user 15 Bitcoins on Nov. 15 (when Bitcoin’s value was approximately USD $435 per BTC, according to Bitcoincharts.com).

Perhaps seeing an opportunity to attract (or scam) interested buyers, this guy posted on Friday that he would sell the same exploit for just $200 in Bitcoins. It’s unclear if that sale was for real or a scam, but several buyers apparently thought it worthwhile and cheap enough to verify the claim with a payment, according to this user’s Bitcoin wallet.
