Your web communities are an important way to engage your customers and solicit their feedback, but web forums are yet another website to secure, another potential entry point for attackers.
A recent data breach shows just what can happen when community forums are left vulnerable.
Canonical, the developer of the open-source Ubuntu operating system, announced last Friday that a database for its community forums had been breached, with 2 million usernames, hashed passwords, email addresses and IP addresses stolen by a hacker.
Canonical said in a blog post that the breach was limited to a “user” database, and no Ubuntu code repository, update mechanism, or any other databases or services, had been compromised.
It’s the second time in the past three years that the Ubuntu Forums have been breached – back in 2013, 1.8 million usernames and email addresses were stolen in a hacker attack.
How did this happen?
According to Canonical’s investigation, the hacker was able to access the user database through a known vulnerability in the forum’s content management system (CMS), which had an available patch.
The hacker exploited a SQL injection vulnerability in an older version of Forum Runner, an add-on to the vBulletin CMS.
Although we’ve known about the threat of SQL injection (or SQLi) for many years, it is still the most common web application security hole, according to the Open Web Application Security Project (OWASP).
That finding is backed up by Veracode scanning data. In our scans of more than 50,000 applications between 2012 and 2014, more than 1 in 5 apps (20.2 percent) had at least one SQLi vulnerability.
For its part, Canonical closed this particular SQLi attack vector, by updating the Forum Runner add-on to its most recent version. Canonical said it is also deploying a web application firewall and has “improved our monitoring of vBulletin to ensure the latest security patches are applied promptly.”
Unfortunately for the 2 million Ubuntu Forums users, although their passwords were apparently stored securely, the data that was stolen could still potentially be used in phishing attacks against them or their employers.
Businesses increasingly rely on web applications to power innovation and increase efficiencies, and the majority of business apps are from open-source or third-party sources.
Keeping all those apps up-to-date with the most recent versions is a tall order for stretched IT departments and security teams.
Another option is to engage an outside application security specialist who will work with all your software vendors on your behalf to test and remediate their code.
The bottom line is you don’t want to leave your security in the hands of your software vendors. In the case of the breached Ubuntu Forums, it’s Ubuntu developer Canonical who is taking heat from users and in the media, not the web application vendor.
If you’re ever unfortunate enough to get hacked through a flaw in your third-party software, who do you think your customers will blame?