On July 14, a hacker stole information on 1,597,717 accounts (roughly 1.6 million) from the official forum for Elex's mobile game Clash of Kings, ZDNet reports. The stolen data, which was provided to LeakedSource, included user names, email addresses, IP addresses, device identifiers, salted and hashed passwords, and, where the user had linked an account, Facebook data and access tokens.
According to ZDNet, the hacker exploited a weakness in the forum's outdated vBulletin software, which dates back to late 2013 and includes several easily exploited security flaws. "At this point, any unpatched vBulletin 4 forum with over 100,000 users is probably hacked," a LeakedSource member told ZDNet.
Tripwire senior security researcher Travis Smith told eSecurity Planet by email that exposing a vulnerable application like vBulletin to the Internet is like walking down the hall with a kick-me sign on your back. "While your business might not be an enticing target for attackers, the opportunity to easily exploit your code is," he said. "With the steady release of patches across a multitude of operating systems and applications, it’s incredibly difficult to stay ahead of the patching game."
"Actively scanning for known vulnerabilities against Internet accessible systems is an efficient way to be aware of what your attack surface looks like," Smith added. "With this information the business can focus on installing patches and updates to address what is most important for the business."
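The kind of sweep Smith describes can start with something as simple as fingerprinting the forum software version on every Internet-facing host and flagging anything below a baseline the operator sets. The following is an added example written for this article, not code from Tripwire, eSecurity Planet or the vBulletin project. It assumes (an assumption, not something the article states) that a vBulletin 4 page announces its version in a `generator` meta tag or in a "Powered by vBulletin Version x.y.z" footer; the sample HTML responses are constructed here so the check runs offline, and the `fetch` helper is only for a live run against hosts you are authorized to scan.

```python
"""Version fingerprint sweep for vBulletin installs (illustrative, added example).

Assumptions (not from the article):
  * a vBulletin 4 page exposes its version in <meta name="generator" content="vBulletin x.y.z">
    or in a "Powered by vBulletin Version x.y.z" footer string;
  * the operator chooses the BASELINE version below which a host is flagged.
"""
import re
import urllib.request
from typing import Dict, List, Optional, Tuple

# --- Constructed sample responses (not captured from any real site) -------------------
SAMPLE_OUTDATED = """<html><head>
<meta name="generator" content="vBulletin 4.2.2" />
<title>Forum</title></head>
<body>Powered by vBulletin&reg; Version 4.2.2</body></html>"""

SAMPLE_FOOTER_ONLY = """<html><head><title>Forum</title></head>
<body><div id="footer_copyright">Powered by vBulletin&reg; Version 4.2.5</div></body></html>"""

SAMPLE_UNKNOWN = "<html><head><title>Forum</title></head><body>No banner here</body></html>"

GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="vBulletin\s+([\d.]+)"', re.I)
FOOTER_RE = re.compile(r'Powered by vBulletin(?:&reg;|\u00ae)?\s+Version\s+([\d.]+)', re.I)


def parse_version(text: str) -> Tuple[int, ...]:
    """'4.2.2' -> (4, 2, 2); trailing dots from sloppy markup are dropped."""
    return tuple(int(part) for part in text.strip(".").split("."))


def detect_vbulletin_version(html: str) -> Optional[str]:
    """Return the advertised vBulletin version string, or None if no banner is present."""
    for pattern in (GENERATOR_RE, FOOTER_RE):
        match = pattern.search(html)
        if match:
            return match.group(1).strip(".")
    return None


def assess(host: str, html: str, baseline: str) -> Dict[str, Optional[str]]:
    """Classify one host: 'outdated' (< baseline), 'current', or 'unknown' (no banner).

    An 'unknown' result is not a clean bill of health; a stripped banner only means the
    version must be confirmed another way, so it is reported rather than silently dropped.
    """
    version = detect_vbulletin_version(html)
    if version is None:
        return {"host": host, "version": None, "status": "unknown"}
    status = "outdated" if parse_version(version) < parse_version(baseline) else "current"
    return {"host": host, "version": version, "status": status}


def sweep(pages: List[Tuple[str, str]], baseline: str) -> List[Dict[str, Optional[str]]]:
    """Assess every (host, html) pair and return findings sorted with outdated hosts first."""
    order = {"outdated": 0, "unknown": 1, "current": 2}
    findings = [assess(host, html, baseline) for host, html in pages]
    return sorted(findings, key=lambda f: order[f["status"]])


def fetch(url: str, timeout: float = 10.0) -> str:
    """Fetch a forum front page for a live sweep (only against hosts you may scan)."""
    request = urllib.request.Request(url, headers={"User-Agent": "version-sweep/1.0"})
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; BASELINE is an operator choice.
    BASELINE = "4.2.3"
    inventory = [
        ("forum-a.example", SAMPLE_OUTDATED),
        ("forum-b.example", SAMPLE_FOOTER_ONLY),
        ("forum-c.example", SAMPLE_UNKNOWN),
    ]
    for finding in sweep(inventory, BASELINE):
        print(f"{finding['host']:<20} {finding['status']:<9} {finding['version'] or '-'}")
```

The point of the sort order is triage: the hosts that need a patch window land at the top, hosts whose banner has been stripped are queued for manual confirmation, and only hosts that positively report a version at or above the baseline drop to the bottom.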
And it's important to keep in mind, Contrast Security CTO Jeff Williams said by email, that open source projects don't get patched the same way that commercial products do. "If you want to keep using an older version of an operating system, you can just apply the security patches for that version," he said. "But with open source, there are no such patches for older versions. You simply must move to the latest version of the project, regardless of whether it disrupts your entire codebase, requiring extensive recoding and retesting."
As a result, Williams said, "Many development projects are stuck on the horns of a terrible dilemma -- keep operating with vulnerabilities, or spend months rewriting applications for no real benefit."
It's crucial, Williams said, to do a better job of enabling those who use open source software to keep that software up to date. "At a minimum, we need an infrastructure to notify users," he said. "But even better would be to enable libraries and applications to automatically update themselves when new critical vulnerabilities are discovered. There are some difficult technical challenges to overcome, but it simply has to happen or breaches will continue to occur."
A recent eSecurity Planet article offered a buyer's guide to patch management software.