It is precisely the publication of the details that creates the risk: the vulnerability was disclosed before it could be fixed, which means attackers can use it to break into forums and harvest their users' information.
The details were posted on the Full Disclosure mailing list. Security researchers frequently publish details of unpatched flaws when the vendor has failed to fix them after repeated vulnerability reports. At this point, however, it is unclear whether the anonymous researcher first reported the vulnerability to the vBulletin team and the team failed to address it in a timely manner, prompting the researcher to publish independently. Nor can it be ruled out that this was a deliberate decision intended to damage vBulletin's reputation.
According to W3Techs, 0.1% of websites run a vBulletin forum. That translates into a very large number of affected users, because forums exist to collect and store information about their members. Most websites do not store user data at all, whereas a forum holds account details for every registered user. So 0.1% of all sites is far more significant than it sounds once you count how many people are registered on those forums.
While vBulletin is used by many sites, the good news is that the zero-day only affects the 5.x branch. In practice this means that forums still running an older version are not exposed to this particular flaw, provided they have applied the fixes available for their own version.
Zerodium is a company that buys zero-day exploits and resells them to law enforcement agencies. Many dark web forums, including those that trade in cybercrime services, malware, or child abuse images, run on vBulletin. According to the company, the anonymous researcher could have earned up to $10,000 by handing the zero-day details to Zerodium instead of putting users' data at risk by publishing them.