AVAST forums hacked ... 400.000 user credentials stolen [Merged]

Just to inform any avast! users out there.

Kind regards, REBOL.
Mod edit: Added merged to the topic title, Captainsticks.

Please note:

Assumedly they were using SMF version 2.0.6 when the attack happened, whilst our beloved Comodo forum is using version 2.0.7.

So let’s hope the updated version is really more secure. Please keep an eye on that, Comodo! :slight_smile:

Kind regards, REBOL.

I think the forum here should only be loaded over secure connection (SSL).

Why do you think so, jhkmaster? ???
Do you really think that’ll make (y)our connection(s) somewhat more “secure”? :o
Please excuse me if sounding somewhat naive. :embarassed:

Kind regards, REBOL. :slight_smile:

Stay cool, I just put a wish to see the forum loading by default on a secure connection. :-TU
I’m not here to judge or to audit, but aren’t validation and integrity also valid points in information security?

Why is this important?
Hmmm…
Malwarebytes Forum SSL = on
McAfee Communities SSL = on
ESET Security Forum SSL = on

but the question is: why not? :stuck_out_tongue:

This has got to be extremely embarrassing to a company that is in business to protect against these sorts of things. I wonder how many users they have lost because of it.

Hi Dch48,
This is not the first time and will not be the last and this goes for any site/forum, not just Avast.
Unfortunately nothing is 100% secure and I personally hope it doesn’t harm their reputation.

Kind regards.

Of course but it still has to be embarrassing.

Step 1: Just add an s after http in the URL et voilà, you are using, not SSL, but TLS¹ (1.2). :slight_smile:

Step 2: If you use Dragon, use Force Secure Connections, and Dragon will always use the secure connection. If you use Chrome, go to chrome://net-internals/#hsts and add forums.comodo.com.

But I agree with you. HSTS should be enabled on the server.

¹ Why SSL (Secure Sockets Layer) was renamed (15 years ago 88)) to TLS (Transport Layer Security) when it was standardised: Tim Dierks: Security Standards and Name Changes in the Browser Wars
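As an added example (not code from this thread, from Comodo or from Simple Machines), a small Python check for what the post above asks of the server: a permanent redirect from http:// to https:// plus a Strict-Transport-Security header with a sane max-age. The sample responses and the example.net hostname are constructed.

```python
"""Check whether a forum forces HTTPS: an http:// redirect plus a sound HSTS policy."""
from typing import Any, Dict, List, Optional

MIN_MAX_AGE = 31536000  # one year: the usual recommendation and the browser preload-list minimum


def parse_hsts(header_value: Optional[str]) -> Optional[Dict[str, Any]]:
    """Parse a Strict-Transport-Security value (RFC 6797 syntax), e.g.
    'max-age=31536000; includeSubDomains; preload'. Returns None when absent."""
    if header_value is None:
        return None
    policy: Dict[str, Any] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name == "max-age":
            try:
                policy["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                policy["max_age"] = None  # malformed: browsers ignore the whole header
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def assess(http_status: int, http_location: Optional[str], https_headers: Dict[str, str]) -> List[str]:
    """Findings for one site. An empty list means HTTPS is enforced server-side, so a
    visitor typing the bare hostname (the case in the post above) ends up on https://."""
    findings: List[str] = []
    if http_status not in (301, 308) or not (http_location or "").startswith("https://"):
        findings.append("http:// does not permanently redirect to https://")
    # Header names are case-insensitive; only the HTTPS response counts (RFC 6797 section 8.1).
    raw = next((v for k, v in https_headers.items() if k.lower() == "strict-transport-security"), None)
    hsts = parse_hsts(raw)
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    elif hsts["max_age"] is None:
        findings.append("HSTS max-age missing or malformed (header ignored)")
    elif hsts["max_age"] == 0:
        findings.append("HSTS max-age=0 tells browsers to forget the policy")
    elif hsts["max_age"] < MIN_MAX_AGE:
        findings.append("HSTS max-age shorter than one year")
    return findings


# Constructed sample responses (not captured from any real forum).
OPTIONAL_HTTPS = assess(200, None, {"Content-Type": "text/html"})
ENFORCED_HTTPS = assess(301, "https://forum.example.net/",
                        {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
```

Run it against real headers (e.g. from `curl -sI http://host/` and `curl -sI https://host/`) to see which of the two cases a forum falls into.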

Thanks for the information :-TU
I just want to see at any time the forum starting with secure communication (with all necessary standardization) by default. :wink:

https://forum.avast.com/ PWNED :o

400.000 user credentials have been compromised. Well, that’s a bye-bye to avast from me.

Hi,

It’s not the version. There is no security patch from 2.0.6 to 2.0.7.

Please check “In response to Avast’s recent hack” topic which you can find here:

Thank you.

Merged topics.

In response to Avast's recent hack « on: May 28, 2014, 08:48:22 AM » (UPDATED the post and locked the thread, pending analysis of the data)

As you may have heard, several days ago, Avast, a company known for its popular antivirus and related security software, had its forum site hacked. Avast was using SMF as their forum software as they have done for several years now. When we heard, we immediately attempted to contact the Avast staff so that we could provide assistance and, more importantly, analyze the vector of the attack.

Unfortunately, they have not been particularly forthcoming in working with us (to this point), and have indeed accused Simple Machines of a number of things. While we understand that Avast is looking to preserve its standing in the web world and looking to lay the blame at anyone else’s doorstep, aside from their own, we are concerned and upset over the unfounded accusations they have leveled. We take the security of our software very seriously at SMF. (Indeed, we have one of the best records of all open source forum software for security and for quick and effective patching of reported security issues.)

Without getting into any retaliatory accusations or attacks, let me address the issues as presented:

1- Avast claims to have been running SMF v2.0.6. We know of NO vulnerabilities in v2.0.6, and none have been reported to us.
1a- The site image taken by Google shortly before the hack indicates a copyright of 2012 on their SMF installation. This suggests to us that they are not being fully honest with their statement, since the last version of SMF to use a 2012 copyright date was 2.0.3.
(correction added: 2.0.3 used (c)2011. 2.0.4 used (c)2013
- since Avast clearly shows (c)2012, we can confidently state that they were not applying the full SMF approved patches from version to version and that whatever they were doing to patch their system was done by them, possibly manually)
1b- We know that the Avast installation was not a default installation and that some personal modifications had been made to their installation.

2- Avast claims that they have received notification from a blackhat site that there is a security vulnerability allowing RCE (Remote Code Execution) in 2.0.6. They have, so far, been unwilling to share the actual vector or logs for us to confirm.
They just shared the site/link which they claim shows the vulnerability. Unfortunately, despite their claims, the “vulnerability” listed on that site is nothing of the sort. It CLAIMS to allow the arbitrary execution of any php code, but it is incorrect (and can be quickly proven to be so). Although it might LOOK dangerous to anyone who is not familiar with code, it is not possible to use that code in the way the “blackhat” author suggests. Given the fact that we expect the Avast team to be familiar with coding, at this time, we have to assume that this is yet another attempt to pass the blame with no actual evidence or support.

3- (We find this particularly troubling) Avast claims that Simple Machines released an undocumented and silent security patch in 2.0.7 which addressed the 2.0.6 issue that they note. We vehemently deny this accusation. 2.0.7 was released with a few minor bug fixes and the main update that was intended to address the preg_replace /e function which was deprecated in PHP 5.5. We have stated, over and over, that there was no security update in 2.0.7 and have even gone so far as to tell people that, if they are not using PHP 5.5, there is no need to upgrade to 2.0.7. We recently criticized a certain other software for releasing a silent security update without informing their users that the upgrade was required to be safe. We would not do that. We did not do that. We invite ANYONE to do a differential compare of the 2.0.6 code against the 2.0.7 code and point out where this supposed silent and undocumented security patch was done.

4- Avast claimed that they are working with us. As I stated above, we approached them, eager to help and work with them to discover the vector of the attack. They not only refused to give us any information but immediately started accusing us of being the vector. — Shortly before the release of this statement, we received the first real communication from them. At this time, Avast is now communicating with us, somewhat, after we approached them again, but so far, we have not received any usable information so that we may analyze what exactly occurred. We will update this should the situation change.

5- Unfortunately, as happens, some news agencies have picked up on the rumor, innuendo and accusations thrown about by the Avast team and the members of that community, and have concluded (and reported), without any real evidence, as if those statements were the truth.

We assure our community and anyone using our forum software that we have been unable to find any true vulnerabilities in SMF v2.0.6 or v2.0.7.

There are many things to speculate on and I can suggest several possibilities of ways that the hacker could have gotten access to the Avast system without any vulnerability in SMF’s code. I will, however, refrain from throwing out counter accusations or wild speculation until more information is available.

Despite the above, we invite the Avast webmasters to contact us further (either Kindred, who is the Project Manager of the Simple Machines Forum project, or CoreISP, who is the President of the Simple Machines corporation and the head of our server group). We are still willing to work with them to find the actual vector and will work quickly to release a patch (and our apologies) if we find that the SMF code was, in any way, the vector of the attack. However, at this time, we have seen no evidence to support or even suggest that there are any vulnerabilities in SMF versions 2.0.6 or 2.0.7. Additionally, if ANYONE has ANY information on a potential security issue in the Simple Machines Forum software, you can report it to security@simplemachines.org. ALL reports made to that address are reviewed and considered by the Developers, the Project Manager, the Server Team and members from the rest of the teams. As I stated above, we take our security record seriously.

Most of all, we wish that the Avast team and community refrain from throwing further accusations and attempting to damage the reputation of Simple Machines Forum without clear evidence and proof that they are willing to submit for review.

Avast has declared their intention to move to a different software for their forum, and that is their right. While we hate to see them leave our community of users, I do challenge them to actually find any open source forum software with a better security record or a more responsive team.

Kindred
Project Manager, Simple Machines Forum
Director, Simple Machines

UPDATE:
Avast is now working WITH us to analyze the server logs and the code from the server to determine the vector and the payload of the attack.
Once we are out of the realm of supposition and guessing, and have some evidence, we will put together a clear statement on our findings.
« Last Edit: May 28, 2014, 05:44:23 PM by Kindred »
Please do not PM, IM or Email me with support questions. You will get better and faster responses in the support forums. Thank you.

COMODO forum’s imprint does read (just scroll to the bottom of this page):

Powered by SMF 2.0.7 | SMF © 2001-2006, Lewis Media

:-X :-TD

Could anyone out there (COMODO staff please?) give any further information on that?

Thanks if so, REBOL…

Conclusion,

“Avast Forum Hack - Results of Analysis”