Following the recent data breach involving Snapchat, another significant incident has come to light. A Pakistani hacker known as ‘H4x0r HuSsY’ has reportedly breached the official forum of openSUSE, a Linux distribution sponsored and supported by SUSE. The attack ranks as one of the most severe cybersecurity breaches of the year.
The hacker defaced the forum, replacing its usual content with a custom message, and potentially compromised the account information of approximately 79,500 registered users. Although the forum was still accessible at the time of writing, the compromise was evident, raising the question of which vulnerability had been exploited.
This incident mirrors a similar breach from November, in which the MacRumors forum was compromised through a zero-day exploit in vBulletin, a widely used forum software. Notably, openSUSE’s forum runs on the same vBulletin platform, raising concerns about the security measures in place.
Compounding the exposure, openSUSE continued to run an outdated version of vBulletin, specifically 4.2.1, which is known to contain flaws that allow unauthorized administrator accounts to be created. Although an updated version, vBulletin 5.0.5, had been released to address critical issues, the continued use of the older version left the forum susceptible to attack. The hacker most likely exploited vulnerabilities in this outdated software to gain access to the site’s administrative panel.
Zone-H Mirror of the defaced page: https://zone-h.org/mirror/id/21473823
It appears that the openSUSE team was initially unaware of the breach. Upon notification, efforts were made to contact the hacker for further clarification about the incident. According to the hacker, he uploaded a PHP shell to the forum server using a private exploit for vBulletin, allowing him to read and modify files without requiring root privileges.
The hacker shared screenshots as proof of his exploit. He claimed full access to the user database but said he had chosen not to release a database dump, stating that the intention of the hack was merely to expose security vulnerabilities rather than to inflict harm.
Moreover, the hacker alleged that the latest vBulletin version, 5.0.5, might also be susceptible to the same exploit, creating an ongoing risk for the numerous forums that rely on this software. Although the openSUSE site administrators acted quickly to remove the defaced page, the hacker used the opportunity to demonstrate his exploit again by uploading additional files. The broad deployment of vBulletin across many large forums underscores the urgency for the software’s developers to address these vulnerabilities as a priority.
The openSUSE team subsequently posted on Twitter, informing users that the defacement was under investigation and reassuring them that no user credentials had been compromised because the forum relies on a single sign-on system. However, the hacker has since countered this assertion with screenshots indicating access to sensitive data, raising further concerns about the effectiveness of openSUSE’s security measures.
On January 8, 2014, the openSUSE team formally acknowledged the breach in a blog post, confirming that the database had indeed been compromised but asserting that user passwords were not affected because they are held in a separate password management system. The breach raises significant questions about the robustness of the vBulletin software and illustrates the tactics likely used during the incident: initial access through exploitation, privilege escalation to gain unauthorized control, and persistence to maintain access after the initial breach.