vBulletin software flaw?


  • vBulletin software flaw?

    http://www.bbc.co.uk/news/technology-10714192

    According to this article, there is a flaw in the vBulletin software (that is used to power this discussion board) that was apparently fixed on July 21, see:

    http://www.chesstalk.info/forum/newt...=newthread&f=2
    ...Mike Pence: the Lord of the fly.

  • #2
    vBulletin Software Flaw?

    Originally posted by Kerry Liles
    http://www.bbc.co.uk/news/technology-10714192

    According to this article, there is a flaw in the vBulletin software (that is used to power this discussion board) that was apparently fixed on July 21, see:

    http://www.chesstalk.info/forum/newt...=newthread&f=2


    I knew there had to be a reason for all the meanness on this board recently!



    • #3
      Re: vBulletin Software Flaw?

      First of all,

      The flaw affects version 3.8.6 of the software, which was released on 13 July.
      We use a far older version so we're good.

      Secondly, the article is full of nonsense, such as the part about you being able to obtain the administrator's password. vBulletin stores the passwords in encrypted form, encrypted using the password itself as a key. That means that it would be virtually impossible for anyone (except maybe the NSA?) to decrypt the password as stored in the database. That's just one example.
      Christopher Mallon
      FIDE Arbiter



      • #4
        Re: vBulletin Software Flaw?

        Originally posted by Christopher Mallon
        Secondly, the article is full of nonsense, such as the part about you being able to obtain the administrator's password. vBulletin stores the passwords in encrypted form, encrypted using the password itself as a key. That means that it would be virtually impossible for anyone (except maybe the NSA?) to decrypt the password as stored in the database.
        No one can possibly be that naive!



        • #5
          Re: vBulletin Software Flaw?

          Sorry, I should have qualified that statement.

          That is assuming that the admin of the forum isn't dumb enough to use a common-word password that is in the MD5 decryption database. But the article makes it sound like just anyone could accidentally get the admin's password and that is not correct. For example, a typical common password such as... "password" would show up as 5f4dcc3b5aa765d61d8327deb882cf99

          Mine, for instance, is a 25-character alpha-numeric-symbolic code that appears to be totally random. So yes, we did get hacked once, but that was through another method, not password stealing, and we have a safer version since then.
          Christopher Mallon
          FIDE Arbiter



          • #6
            Re: vBulletin Software Flaw?

            Oh and incidentally people, don't go testing at the site to see what your actual password would look like in MD5... all that does is ensure that its encrypted form IS in their database.
            Christopher Mallon
            FIDE Arbiter



            • #7
              Re: vBulletin Software Flaw?

              Originally posted by Christopher Mallon
              Sorry, I should have qualified that statement.

              That is assuming that the admin of the forum isn't dumb enough to use a common-word password that is in the MD5 decryption database. But the article makes it sound like just anyone could accidentally get the admin's password and that is not correct. For example, a typical common password such as... "password" would show up as 5f4dcc3b5aa765d61d8327deb882cf99

              Mine, for instance, is a 25-character alpha-numeric-symbolic code that appears to be totally random. So yes, we did get hacked once, but that was through another method, not password stealing, and we have a safer version since then.
              You are still being impossibly naive. Hacks to crack passwords like that have been around for decades and anyone who really wants one (I don't) can get one easily and for free. Yeah, a dictionary attack will take a little bit of time, but it's just CPU time.

              Anyone who really wants to crack the kind of password you are speaking of can do so. Especially today when any desktop system outperforms the old Cray supercomputers of the 1980s.



              • #8
                Re: vBulletin Software Flaw?

                The article basically said that anyone could stumble upon the admin's password. That is incorrect. What's your point?
                Christopher Mallon
                FIDE Arbiter



                • #9
                  Re: vBulletin Software Flaw?

                  Originally posted by Christopher Mallon
                  The article basically said that anyone could stumble upon the admin's password. That is incorrect. What's your point?
                  That your reasons for saying so were wrong, and obviously wrong. And still are, in my opinion.



                  • #10
                    Re: vBulletin Software Flaw?

                    That's okay, lots of disagreement happens here. Now if we were having this discussion as Americans, we'd be in big trouble. Depending on who is interpreting the law down there, we could get in trouble just for talking about how to break through vulnerabilities.
                    Christopher Mallon
                    FIDE Arbiter
