Initial D World - Discussion Board / Forums
   
Views: 6,578  ·  Replies: 3 
> Hacking Incidents, Clarification and Explanation
Perry
    Posted: Aug 3 2005, 01:43 AM


Like an eagle!

Group: SITE OWNER
Posts: 8,014
Member No.: 1
Joined: Sep 15th 2002
Location: San Leandro, California





Some of you probably noticed the board was being hacked on Monday night around 9:10 PM Pacific Time (August 1st, 2005) and yesterday afternoon around 3:55 PM Pacific Time (August 2nd, 2005). The hacker's intention was to get my attention to fix a security loophole. Basically, it was a vulnerability found only in Invision Power Board 2.0.4 and older versions. It is alleged that due to a SQL injection vulnerability, it is possible for attackers to hijack other user accounts. According to securityfocus.com, this security loophole is called the Invision Power Board SQL Injection Privilege Escalation Vulnerability: attackers can exploit the fact that the board does not check the incoming cookies, and with a few modifications to the request header, one can log in as another member without even knowing their password.

The hacker simply logged in to my account and gained full administrative access to the Admin CP. After speaking with the person who was in charge of the hacking over ICQ, I found out he did not mean any harm to the forums. Instead, all he wanted was to show me how easy it is to hack into the board by exploiting that security loophole mentioned above. He did apologize for the second hacking incident that happened yesterday afternoon. I admit what he did was crossing the line, but the intention meant no harm. I am grateful that he did not damage or remove any data during the incident, because let's face it, it could be a lot worse if it was somebody else. And I mean it when I say a lot worse.

Clarifications: The loophole has been fixed with a patch, so similar incidents will not happen again. No data was lost during these incidents. I apologize for any inconvenience you may have experienced.
Proud Contributor of the Music Section Revival Project
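The defect Perry describes above (cookie values trusted by the board without a proper check, and reachable by SQL injection) comes down to how a "remember me" cookie is turned into a logged-in session. The following is an added illustration written for this thread, not code from Invision Power Board or from anyone in the discussion; the table layout, column names, `SERVER_SECRET`, the hashing scheme and the cookie names `member_id` / `pass_hash` are all constructed assumptions. It places the fragile pattern (cookie values pasted into SQL, stored hash never compared) beside a hardened check that validates types, uses a parameterised query and compares the hash in constant time.

```python
import hashlib
import hmac
import sqlite3
from http.cookies import SimpleCookie

# Constructed demo secret; a real deployment keeps this out of source control.
SERVER_SECRET = b"demo-secret-do-not-reuse"


def _pass_hash(password: str) -> str:
    # Assumed hashing scheme for the demo only; production code should use a
    # dedicated password hash (bcrypt/argon2), not a bare SHA-256.
    return hashlib.sha256(SERVER_SECRET + password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory members table standing in for the board's user store."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, "
        "pass_hash TEXT, is_admin INTEGER)"
    )
    db.executemany(
        "INSERT INTO members VALUES (?, ?, ?, ?)",
        [(1, "admin", _pass_hash("hunter2"), 1),
         (2, "guest", _pass_hash("letmein"), 0)],
    )
    return db


def login_from_cookie_unsafe(db, member_id: str, pass_hash: str):
    """The defect pattern: raw cookie values interpolated into SQL, so the
    cookie content is parsed as part of the query instead of as data."""
    row = db.execute(
        f"SELECT id, name, is_admin FROM members "
        f"WHERE id = {member_id} AND pass_hash = '{pass_hash}'"
    ).fetchone()
    return row


def login_from_cookie_safe(db, member_id: str, pass_hash: str):
    """Hardened check: strict type validation, parameterised lookup, and a
    constant-time comparison of the stored hash against the cookie value."""
    if not member_id.isdigit():
        return None                      # the id cookie must be a plain integer
    row = db.execute(
        "SELECT id, name, pass_hash, is_admin FROM members WHERE id = ?",
        (int(member_id),),               # bound parameter: never parsed as SQL
    ).fetchone()
    if row is None:
        return None
    stored_hash = row[2]
    # compare_digest avoids leaking the hash through timing differences
    if not hmac.compare_digest(stored_hash.encode(), pass_hash.encode()):
        return None                      # mismatch: treat the visitor as a guest
    return (row[0], row[1], row[3])


def login_from_cookie_header(db, cookie_header: str):
    """Parse a raw Cookie request header and run the hardened check on it."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "member_id" not in jar or "pass_hash" not in jar:
        return None
    return login_from_cookie_safe(db, jar["member_id"].value, jar["pass_hash"].value)


if __name__ == "__main__":
    db = make_db()
    good = f"member_id=1; pass_hash={_pass_hash('hunter2')}"
    print("valid cookie  ->", login_from_cookie_header(db, good))
    print("tampered id   ->", login_from_cookie_safe(db, "1 OR 1=1", "x"))
    print("wrong hash    ->", login_from_cookie_safe(db, "1", "x"))
```

The difference is not the SQL engine but who interprets the cookie: in the unsafe version the database parses it, in the safe version only `int()` and `compare_digest` ever see it, and a cookie that is not a digit string plus a valid hash is simply treated as a logged-out visitor.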
Alex
Posted: Aug 3 2005, 05:21 AM


OG Member

Group: Advanced Members
Posts: 9,054
Member No.: 111
Joined: Nov 26th 2002
Location: Atlanta





QUOTE
I admit what he did was crossing the line, but the intention meant no harm.
I've seen innocent shows such as "This Morning" have a police officer come on and find women who leave their purses or men who leave their wallets vulnerable to theft; the officer took one man's wallet and one woman's purse, then later went up to them and told them what they did wrong and how to fix their mistake. IMO this is exactly like that, except the hacker's re-arranging would be like taking a dollar bill from the people and getting a Coke. I don't exactly think he crossed the line, but I will admit he was poking some toes over it by screwing with the forum arrangement. Oh shwell. These are the hackers I like. They hacked for good reasons I think, to show us something we needed to fix or else someone more malicious (I <3 this word) would come in, use the exploit and do harm to the forum.

But all in all, it's not another Fish Bowl and it's all over with.

This post has been edited by eightsixdrifter9 on Aug 3 2005, 05:21 AM
Proud Contributor of Initial D World Forums
Nomake Wan
Posted: Aug 3 2005, 12:04 PM


ShiMACHaze

Group: Advanced Members
Posts: 19,542
Member No.: 5,394
Joined: Feb 5th 2005
Location: Drydock





I still stand by the fact that they messed with crap in the first place, including member titles, signatures, forum arrangement, global forum title, forum list, and Staff Forum permissions.

Yes, it's lovely that he wasn't a truly malicious hacker. Yes, it's lovely that he got rid of all the damages and applied the patch.

But as I said to him myself, that does not erase the fact that he hacked the board and screwed with it rather than just posting a thread in Staff Forums about the vulnerability, proving that it's there. I'm not going to sit here, nod my head, pat him on the back and say "good job" because I'm afraid of him coming back and doing worse or anything like that. No way.

I cannot agree with his methods. But at least we're back to full operational status.
Proud Contributor of IDW Forums and the Music Section Revival Project
Knee Grow
Posted: Aug 12 2005, 03:05 AM


Better than you, in so many ways...

Group: Advanced Members
Posts: 5,366
Member No.: 1,869
Joined: May 20th 2004
Location: Petersburg, VA





Yes, I'm just glad it wasn't that 'Fish Bowl' crap again....lol