Another Day, Another Hack: Is Your Fisting Site Updating Its Forum Software?
May 11, 2016
Shah Sheikh

Quite literally, every day someone gets hacked. Whether that’s a telecommunications company having its customer data stolen, or another chain of businesses being ripped for all the credit cards it processes, today one hack just seems to melt into another.

In our series Another Day, Another Hack, we do short posts giving you what you need to know about the hack, so you can figure out whether your bank account, website logins or anything else might be at risk. Because, even if the hack might not be the most sophisticated, real people are still getting fucked over somewhere, and should know about it.

A hacker has obtained over 100,000 user accounts for Rosebuttboard.com, a forum focused around “extreme anal dilation and anal fisting,” according to security researcher Troy Hunt.

The site is running years-old, out-of-date forum software that has known security vulnerabilities.

“This is a poignant reminder of how very personal information such as sexual proclivities may one day become public knowledge,” Hunt, who maintains the breach notification site ‘Have I Been Pwned?’, told Motherboard in an email. Hunt will be uploading the data to his site, so potential victims can check whether their data has been exposed.

Hunt obtained the data, which includes usernames, email addresses, IP addresses, and passwords hashed with the notoriously weak MD5 algorithm, along with a salt for some 107,303 accounts, and verified its authenticity.

A hashing algorithm takes a password and outputs a seemingly garbled version of it, known as a hash; a salt is another variable added to the password, designed to make the hash even harder to crack.
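Salted MD5 remains weak because MD5 is fast to compute, and a salt does not slow it down. As an added example (not from the article and not IP.Board's own code), the Python below shows how a site holding such hashes could wrap them in a slow key-derivation function without knowing any password, then move each account to a native slow hash at its next successful login. The legacy formula `md5(md5(salt) + md5(password))`, the record fields and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def legacy_md5(password: str, salt: str) -> str:
    """Assumed legacy scheme: md5(md5(salt) + md5(password)), hex digests."""
    salt_hex = hashlib.md5(salt.encode()).hexdigest()
    pw_hex = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((salt_hex + pw_hex).encode()).hexdigest()


def _pbkdf2(data: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", data.encode(), salt, PBKDF2_ITERATIONS).hex()


def wrap_legacy(record: dict) -> dict:
    """Offline step, no plaintext needed: store PBKDF2(old MD5 hash), drop the bare MD5."""
    kdf_salt = os.urandom(16)
    return {"scheme": "pbkdf2-wrapped-md5", "legacy_salt": record["salt"],
            "kdf_salt": kdf_salt.hex(), "hash": _pbkdf2(record["hash"], kdf_salt)}


def verify_and_upgrade(record: dict, password: str):
    """Return (ok, record). A wrapped record becomes a native PBKDF2 record on success."""
    kdf_salt = bytes.fromhex(record["kdf_salt"])
    if record["scheme"] == "pbkdf2-wrapped-md5":
        candidate = _pbkdf2(legacy_md5(password, record["legacy_salt"]), kdf_salt)
    else:
        candidate = _pbkdf2(password, kdf_salt)
    if not hmac.compare_digest(candidate, record["hash"]):  # constant-time compare
        return False, record
    if record["scheme"] == "pbkdf2-wrapped-md5":
        new_salt = os.urandom(16)
        record = {"scheme": "pbkdf2", "kdf_salt": new_salt.hex(),
                  "hash": _pbkdf2(password, new_salt)}
    return True, record


if __name__ == "__main__":
    # Constructed sample row standing in for one legacy forum account.
    row = {"salt": "aB3$x", "hash": legacy_md5("correct horse", "aB3$x")}
    wrapped = wrap_legacy(row)
    print(wrapped["scheme"], verify_and_upgrade(wrapped, "correct horse")[1]["scheme"])
```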

Motherboard has not seen the dataset, so has not been able to independently verify it.

Rosebuttboard.com describes itself as the “top one board for anal fisting, prolapse, huge insertion and rosebutt fans.”

As pointed out by Hunt, Rosebuttboard is running on version 3.4.6 of IP.Board, a piece of PHP-based software for creating forums, which uses MySQL databases. Vulnerabilities for this version include a cross-site scripting vulnerability, which would allow an attacker to execute arbitrary code; another that leads to full path disclosure; and an SQLi vulnerability, which may give the potential for an attacker to obtain user data.

It is unclear, however, whether any of these vulnerabilities or others in IP.Board led to the Rosebuttboard.com user accounts being hacked (administrators of the site did not respond to a request for comment). But out-of-date software is arguably an indicator of how seriously a site takes security, especially one that deals with as sensitive a subject as sexual desires and fetishes.

The lesson: When it comes to website security, users are largely at the whim of site administrators, especially when it comes to the constant updating of software. For that reason, perhaps users of more sensitive sites should consider signing up with a pseudonymous email address, so when their data does become public, at least they are still protected somewhat.

Source | MotherBoard