21 comments

[ 3.0 ms ] story [ 54.6 ms ] thread
What's the significance of this? Upon cursory glance it seems like a community site for android developers. Am I missing something?
It's a big site with, no doubt, a gold mine of email/password combinations to try vs. other services. Maybe the password storage was secure, but probably not. Maybe a few of those users were using secure one-off passwords, but realistically most weren't.
it's a vbulletin site, so their standard hashing (http://www.vbulletin.org/forum/showthread.php?t=178091) which looks to be md5 (md5 (pass) + salt).
Two iterations of the hash isn't what you'd call "secure". But at least it's salted.
The hash iterations are due to vBulletin's life span and being a product. They had md5 hashed passwords. Then they realized they have to salt them. So instead of adding the the salt to the password then hashing it, they decided to add the salt to the hash so they could salt every password without having to wait to get the original password.
The point was more that two iterations of MD5 isn't nearly slow enough. This site claims 5.6G/s on an ATI 5970 (~$400US) card: http://www.golubev.com/hashgpu.htm

So for a 2-iteration password cracker, that's enough to search almost a 48 bit space of passwords in a day. That's enough to check every possible ASCII password of 7 characters or less, and a good heuristic search will probably get you much more than that.

From the link:

> If you still want to do it by steam, for a new user you just need to generate a 3 character salt randomly ...

I can't see the code example, but assuming char is 8 bits (which isn't unreasonable for ascii), that's at best, 16M unique salts.

Does the repeated MD5 protect it from the common MD5 attacks? (I recall there being something especially dangerous about just md5($salt . $pass), but I forget the details - Length Extension attack maybe?)
Worth noting this has nothing to do with any official Android website, nor is it in any way related to google. It's just a community website made by android fans for android fans.
The HN title should be changed to Phandroid to minimize confusion. Hackers will be keen enough to infer what the name means. It will also stop any rumors from people that just read headlines and think Google got hacked.
What's to be learned from this?

Server setting needed hardening?

Software needed updating and was vulnerable?

vBulletin is a well used and documented lice of code. I'd love to know what the security experts here think.

I'd love to know what the security experts here think.

Oh goody! Another million credentials to refine my password dictionary!

If it was a known vulnerability there is nothing to learn but "patch your shit". But if you want some advice, the only thing you can learn from somebody exploiting a web application (assuming the hole was in vBulletin, which we have no idea) is that you can't trust the security of web applications. Do all the general system-hardening stuff that nobody ever does, install a webapp firewall, and pray.

Seems to me that PHP bulletin boards are always a (easy?) target.
"PHP" bulletin boards are the largest there is, VB is the most well known forum software there is... It has nothing to do with PHP, you can exploit any language.
Don't use this as a reason to diss PHP. Almost any target, no matter what language, is vulnerable.
But isn't Android open?

(sorry, that was terrible).

In all fairness, they appear to have handled this incredibly well and have been very informative. Which is much more than can be said for the breaches in most other cases. And at least the passwords were hashed (although how well, they don't really say -- I guess that would be part of the vBulletin package?)
This has been happening a lot lately, wasn't there something with Yahoo! just a few days ago? And I recall one or two others not long since.
The Yahoo one posted yesterday turned out to be a fake claim.
It was definitely not fake; I know a few people who were on the leaked Yahoo Voices list.
Wow, the comment section over at ZDNet is embarrassing