Recently our Twitter account was compromised and there have been questions in the community about what happened. We’d like to take some time for a short explanation of what happened.
On January 27th, a MyBB group team member’s account was compromised, as well as his personal website. We had unfortunately been storing out Twitter account password in plaintext in a thread. The attacker found the password and changed the email & password of the @MyBB twitter account and began to post offensive messages. IPs of staff members were also released during this time, as well as installation statistics. Within two hours, we had isolated the breach and banned the staff member’s account to prevent any further purusing of private data. The staff member in question does not have access the the Admin Control Panel, so no private user data was accessible. We have no reason to believe any other information was accessed. The staff member is currently on a leave of absence related to personal issues not related to MyBB.
We immediately contacted Twitter and Chris talked to a former co-worker who works at Twitter to escalate the ticket. The hacker’s access to the account was locked, and Twitter began to investigate our claim to the account. The issue was quickly sorted and we regained access.
There was also recently a thread posted on TheAdminZone with screenshots of the 2.0 GitHub repository. The poster claimed to be selling the 2.0 source code. The code the user had was simple the initial commit of Laravel into the repository, none of the actual 2.0 code was present. As for seeing some of that 2.0 code, watch the blog over the next few days!
At MyBB we have a strong commitment to security. All staff with ACP access use a secret PIN, a form of 2FA. We release patches to any serious issues usually within hours of them being reported. We have Two Factor Authentication enabled on our staff email accounts and Github, and are actively working on getting 2FA for our other development tools. Security is a process, as former staff member Nathan Malcolm, now of @sintheticlabs, says. We continue to improve our processes and incorporate more secure policies and features.
Recently we have been made aware of several MyBB plugins circulating around the internet, in particular pirated mods, which are specifically designed to cause malicious harm to their users. One specific example which has come to our attention attempts to delete all the records from your database, and delete your MyBB files. This would obviously have a devastating impact on anyone who happened to install this plugin.
We’d like to remind users of the immense power plugins have which, when used incorrectly, could pose security implications for your forum. Theme files also can contain backdoor PHP scripts which can grant access to your server. Therefore, great care should be taken both in terms of which plugins are installed and where the modifications were obtained from. Specifically, nulled or pirated mods pose the biggest threat of all given that the origin of the file is unknown and any sharer could have inserted malicious code.
Even when downloading mods directly from the author we recommend thoroughly researching both the plugin/theme and the author to establish that they are reputable and have a good standing with their customers and users.
If you have any further questions, concerns or examples please don’t hesitate to contact us via the Private Inquiries forum.
Regards, The MyBB Team.
We’d like to inform you that two security holes were found in two plugins which are very common on multiple MyBB forums out there. The affected plugins are the following:
[ SEO ] Simple Tag Cloud Plugin (Tags) by Watt
FBConnect (not available on our Mods site) by Nayar
The first was unapproved and a PM was sent to the plugin author and until the author fixes the issue it will remain unapproved on the Mods site.
The second has been updated already and the issue has been fixed. If you’re looking for the fixed version, it is available on the author’s website as well as on the MyBB community forums here.
We strongly advise you to remove the first plugin entirely from your forum and either remove the second one or install the fixed version.
We also recommend you to do the necessary searching for any data that may have been compromised.
On a side note, numerous “exploiting scripts” have been spreading throughout the internet which refer to these two vulnerabilities as if they were vulnerabilities in MyBB itself and that is not true.
There are many things you can do to keep your MyBB Installation secure – the below list contains 5 basic ways to make sure your MyBB Forum is as secure as possible. I’ve tried to keep it as simple and concise as possible. Leave a comment if you don’t understand and we’ll clarify.
- Keep your MyBB Software Up-To-Date – Always make sure your running the latest version of MyBB. Using the Version Check tool from your Administration Control Panel you can always check for the latest version of MyBB and latest announcements.
- Sign up to the MyBB Mailing List – By signing up to the MyBB Mailing List you can receive notification of important MyBB updates and releases, allowing you to update your forum in a timely and fashionable manor.
- Rename your “admin” directory – Renaming your admin directory to something else will greatly reduce the risk of someone being able to hack their way into you Administration Control Panel.
- Using an FTP Program navigate to your forum directory.
- Find the ‘admin’ directory and rename it to something less obvious. If you want to be really secure you can use an online program to generate a name for you. For example: http://www.pctools.com/guides/password/
- Now that you’ve renamed your admin directory we need to update the configuration file so MyBB knows what it is called. Navigate to your ‘inc’ directory and open up config.php using a Text Editor such as WordPad.
- In config.php Find:
$config['admin_dir'] = 'admin';
- Replace with the new admin name (where admin-name is the name of the new admin directory you set):
$config['admin_dir'] = 'admin-name';
- Save the file on your server.
- Backup Regulary – Backing up your forum regularly is the best defense you can have against hackers. At least once per week! MyBB Offers a Backup solution in the Administration Control Panel under Backup Database. For more information and alternative ways see our wiki: http://wiki.mybboard.net/index.php/Database_Backup. (Note: MyBB 1.4 allows for automatically backing up your database.)
- Keep MySQL, PHP, and Apache Up-To-Date – Hackings of your forum aren’t always caused by exploits in MyBB. Often hosts are running months old versions of MySQL, PHP, Apache, and even other programs and extensions riddled with security exploits. If you find your host is running an old version urge them to upgrade as soon as possible. If you own your own server you can respectively find updates at http://mysql.com, http://php.net and http://www.apache.org.
We’ll have another, more technical blog post on security for all of you IT pros (or in training, of course) later on.