XF 2.1 Possible exploit with API

Unique Username

Well-known member
Hello everyone,

My site was hacked apparently due to the API; a hacker was able to get my account information apparently from the API:

The message was:
"I sent some javascript to a XenForo API call, it checks the validity of your license key. When it fails, if you grab the data before it errors, it'll give you access to your actual license key. Yours is :"

Once you have the key, you can basically call on any of the XF API's to request data.

Is this true?
 
That doesn’t sound true in the slightest, no.

I want to stress, however, had this been true, posting it in public like this wouldn’t have been the smartest thing to do.

If ever you have suspicions of an exploit in XenForo, it should be disclosed responsibly to us privately; preferably via ticket support.

However, it’s important we address some of the reported things here. Can you clarify exactly how you became aware of being hacked? What did the reported hacker gain access to exactly? What did they do while they had access?

The comments of the supposed hacker are confusing. It mentions a XenForo API call - XenForo.com does have an API, but that only consists of basic endpoints that do not transmit any personally identifiable information (and certainly nothing from your forum). This does require a license API key which we include in the code; if it were leaked somehow, again, no information could be accessed with it, and it can be regenerated by us if needed.

If they are speaking about the built-in REST API, this can only be accessed with a valid API key created in your Admin CP. If you had an API key created and it fell into the wrong hands then, indeed, this could be bad news, but the API keys cannot be leaked through the software.

They are called API keys though, not “license keys” as implied. I’d be intrigued to know what key he provided to you and whether it relates to an API key you created at any point.
 
I have spoken with Malcolm further and we have ascertained that the information provided by the alleged hacker in the first post is false. It is true that access was gained to the server, but it doesn't appear to have been through XenForo itself. They seemed to get access via the file system and then to cPanel to get access to the database.

Malcolm is continuing work with his host to establish what happened.
 