
New vB exploit

Discussion in 'Off Topic' started by Brent W, Dec 1, 2012.

Thread Status:
Not open for further replies.
  1. Brent W

    Brent W Well-Known Member

  2. DRE

    DRE Well-Known Member

    lmao @ Zachery 'I ain't paying $1000 for that shyt'
  3. Brent W

    Brent W Well-Known Member

    Wayne Luke was even more hilarious with his comment about it being passed down to consumers. I wonder if IB's lawsuits are being passed down to consumers as well?
  4. ManagerJosh

    ManagerJosh Well-Known Member

    The irony of it all is Wayne calls it blackmail when it's not uncommon for the big boys like Google, Microsoft, and a few others to pay a bounty for the flaw itself.
    Luke F and Adam Howard like this.
  5. Mac

    Mac Member

  6. Chris D

    Chris D XenForo Developer Staff Member

    It's good to know Internet Brands values the security of its vBulletin customers' boards at below $1,000.

    The whole thing reeks of irresponsibility.

    a) Why hasn't that thread been hidden? They're aware of the potential exploit, that thread is only serving to make more people aware that there is a potential exploit. It's only a matter of time before someone DOES buy it, and boy will people have red faces when vBulletin.org and others get hacked as a result.

    b) It is tantamount to blackmail, but regardless it's a small price to pay even to prove something as false. At least they can then publicise that it's false and put their customers' peace of mind at rest.

    What an awful company with a **** attitude.
    Goodspeed, Adam Howard and tenants like this.
  7. tenants

    tenants Well-Known Member

    Are vB MD5 encrypted passwords salted? (I know XenForo's are) ...
    Storing passwords as just MD5 is asking for trouble.

    <agree with chris.. in that threads like that should be hidden>

    I'm not sure about the blackmail part...
  8. Ingenious

    Ingenious Well-Known Member

    Not sure I agree with all of the above. You can't justify spending even $1 just because some criminal claims to have an exploit because where does it end? You'd be paying out money to anyone who claims an exploit whether it's true or not. And as vB staff have said, it's blackmail in effect, it's like paying a ransom, isn't this just supporting the criminals and hackers?

    This is just picking another reason to "bash" vB and their staff, I thought we weren't doing that in this forum anymore?
  9. dutchbb

    dutchbb Well-Known Member

    I have to agree with Ingenious as I have experienced a similar situation. Our server got hacked in some way and the hacker offered to 'help' for x amount which we denied. Although it's not exactly the same as an exploit, I think it's still a bad idea to consent to such practices. It only encourages this bad behavior in the future.

    Now if they would approach vB in a different way, like legitimately offering their services to improve security in general that would be different.
  10. Adam Howard

    Adam Howard Well-Known Member

    While on the topic of security.....

    IPB also known as IP Board has a total of 9 critical security flaws and 13 non critical.

    People have been.... busy .... Looking for things.

    Invision Power Services Inc (IPS) developers of IPB / IP Board to the best of my knowledge will not settle in order to resolve issues either. Something they have in common with vBulletin / Internet Brands Inc.
  11. ManagerJosh

    ManagerJosh Well-Known Member

    Isn't it a bit pretentious to assume the person selling the exploit is a criminal?
  12. Slavik

    Slavik XenForo Moderator Staff Member

    The best way is to offer predefined rewards for finding an exploit depending on severity and full disclosure. This encourages quality coding and QA from the get go, as well as encouraging disclosure of exploits as if you find an exploit and don't tell anyone, someone else might beat you to the reward.
    Alien and Chris D like this.
  13. karll

    karll Well-Known Member

    I'm pretty sure they were for versions 3.x at least, so presumably later ones as well.
  14. ManagerJosh

    ManagerJosh Well-Known Member

    Both vBulletin 3, and vBulletin 4 have uniquely salted hashed passwords.
  15. karll

    karll Well-Known Member

  16. craigiri

    craigiri Well-Known Member

    There are talking points and then there is the real world. Everyone likes to say "don't negotiate with criminals or terrorists", but then they do. Everyone does.....the FBI, CIA, Justice Department, etc.....

    What would it have cost IB in testing to discover such a flaw? My guess is quite a bit.

    Here is a real world example. Our local sports org had a URL like myaa.net, because someone had purchased the .com - they were a domain squatter in FL who then put the worst Porn pics up on all their sites.....

    They did it ONLY so the local town would be horrified and then buy the domains! Most all local sport leagues have the "aa" in them for athletic association, so this dude bought thousands of them.

    The price was $3K. I remember having a long conversation with our local Police Chief about it. Long story short - they paid the 3K.

    You can pay the ransoms and then work harder on security so you don't have to do so in the future.
    Ingenious likes this.
  17. Ingenious

    Ingenious Well-Known Member

    It's an assumption on my part, certainly. I am assuming that people who exploit software and then try and sell the exploits, are criminals. I don't know how those actions could be taken as "for the good". Maybe we need a "Hug an exploiter" awareness campaign then if these people are actually working towards world peace?

    It's quite different than a corporation offering a bounty for bringing exploits (privately) to the table in the framework Slavik describes.
  18. ManagerJosh

    ManagerJosh Well-Known Member

    There are legitimate security researchers out there who do sell exploits back to the developers for a living. I have a friend who does that and has made quite a bit of money off it.
  19. Adam Howard

    Adam Howard Well-Known Member

    Look at it this way....

    When you code an add-on you do so for the profit. That profit may be money or may be the joy of doing good for others. However the case, the price is set at your own value and it is not criminal.

    Finding exploits and reporting them falls under those same principles. You may not want to think of it that way, but it is that way. Period.

    XenForo I help debug for free. Because we see a personal value of "profit" in the joy of doing good for others who use XenForo and the development team.
  20. Digital Doctor

    Digital Doctor Well-Known Member

    I heard it was down to $400.