MyBB Twitter & Staff Account Hacked.

[Azareal]

Enabling 2FA is problematic as the Twitter account is shared between all team members who've been with us for more than 3 months. Anybody on staff can use the account to provide quick support and to post updates. 2FA just doesn't work in this scenario.

A better approach would be to distribute the password to very senior staff members and for the messages to be destroyed afterwards, instead of having a private topic that they can read at any time.

 

[euantor]

They need to rethink this approach then

@Mybb_bob can provide support just the same as @Mybb_jim can.

Yeah, the problem is that @Mybb_Brandon could come along, slap a MyBB logo on as an avatar and start playing the part, and people would think they were an official team member...

We do need to think of a solution, we'll be looking into it as soon as we have control back.

 

[R44]

A better approach would be to distribute the password to very senior staff members and for the messages to be destroyed afterwards, instead of having a private topic that they can read at any time.

Yep. This.

 

[euantor]

A better approach would be to distribute the password to very senior staff members and for the messages to be destroyed afterwards, instead of having a private topic that they can read at any time.

True, the problem is that people then tend to store these things in obvious places such as in the UCP notepad

 

[AdamD]

Yet another MyBB issue, it's going to rock consumers confidence in the product...again.

 

[euantor]

Yet another MyBB issue, it's going to rock consumers confidence in the product...again.

Unfortunately, yes. We seem to be a big target, likely due to the fact that many large hacking forums run MyBB. We do try to handle these issues as best as we can but we don't have quite the same amount of manpower as other projects do.

 

[Azareal]

True, the problem is that people then tend to store these things in obvious places such as in the UCP notepad

Even MS Notepad would be a vastly better option than storing it in the UserCP. Sounds like it's time for a new policy.

 

[BrandonSheley]

Yeah, the problem is that @Mybb_Brandon could come along, slap a MyBB logo on as an avatar and start playing the part, and people would think they were an official team member...

We do need to think of a solution, we'll be looking into it as soon as we have control back.

I'm pretty sure IPB and vBulletin both have Twitter accounts that offer public online support like this.. Well maybe not vb as much anymore but at one time they did.

I assume you're with mybb?

 

[AdamD]

Unfortunately, yes. We seem to be a big target, likely due to the fact that many large hacking forums run MyBB. We do try to handle these issues as best as we can but we don't have quite the same amount of manpower as other projects do.

I agree, it's just a shame, I genuinely feel sorry for the team and product.

 

[euantor]

Even MS Notepad would be a better option than storing it in the UserCP. Sounds like it's time for a new policy.

Yep. We will be rethinking how we handle official accounts in the future for definite. Right now we're concentrating on getting the account back and working out exactly what has happened.

I'm pretty sure IPB and vBulletin both have Twitter accounts that offer public online support like this.. Well maybe not vb as much anymore but at one time they did.

I assume you're with mybb?

Yes, I am one of the developers. Hopefully we'll be able to open a line of discussion with Twitter when we get the account back and see if they have any advice for us.

 

[BrandonSheley]

Yes, I am one of the developers. Hopefully we'll be able to open a line of discussion with Twitter when we get the account back and see if they have any advice for us.

I don't honestly seeing Twitter helping at all other then getting your account back which you need to contact them asap. It'll take them a few days to get your access back.
The best advise I have is not to share accounts and enable security on your account. Especially if you're having clients send you private info via DM's (not sure if you are, just throwing it out).
There are companies all over the web that have support accounts on Twitter.
Create a public list off the main account and add the "official" support twitter accounts if you're really worried about it..

Oh.. you already have one.. 21 devs?
https://twitter.com/MyBB/lists/mybb-staff/members

 

[Azareal]

There are a few XSS flaws that are patched for 1.8.4, but not officially released yet. There are a few other patches coming in 1.8.4 too. I don't want to release full details into the wild unless we, as a team, decide to do so.

Some of the messages are being deleted now, but I managed to screenshot this very concerning tweet.
From the sounds of it, there may be some SQL Injection vulnerabilities which they took.

 

[Azareal]

Oh.. you already have one.. 21 devs?
https://twitter.com/MyBB/lists/mybb-staff/members

From the looks of it, the list is probably terribly outdated, as it has people who resigned a long long time ago on it.

 

[BrandonSheley]

From the looks of it, the list is probably terribly outdated.

There are several that mention mybb or mybbgroup, so I'm not sure.
My point is that one person should have control of the official account and have their phone tied to it. If that were the case, they would never be able to hack the twitter account again.

 

[Jake]

Yep. This.

Just for future reference, your immaturity in the comments made on twitter is pretty much on par with the person who has the account now.

 

[R44]

Just for future reference, your immaturity in the comments made on twitter is pretty much on par with the person who has the account now.

Yes but I occupied his time.

 

[Jake]

Yes but I occupied his time.

Congratulations? It just made you look as immature as him.

 

[R44]

Congratulations? It just made you look as immature as him.

Probably. But hey it was fun to wake up to a troll to troll back. While he was intertwined with me he wasn't doing harm.

 

[euantor]

I don't honestly seeing Twitter helping at all other then getting your account back which you need to contact them asap. It'll take them a few days to get your access back.
The best advise I have is not to share accounts and enable security on your account. Especially if you're having clients send you private info via DM's (not sure if you are, just throwing it out).
There are companies all over the web that have support accounts on Twitter.
Create a public list off the main account and add the "official" support twitter accounts if you're really worried about it..

Oh.. you already have one.. 21 devs?
https://twitter.com/MyBB/lists/mybb-staff/members

I'm going to be looking into a solution this week. I already have a few ideas which should work.

View attachment 32038
Some of the messages are being deleted now, but I managed to screenshot this very concerning tweet.
From the sounds of it, there may be some SQL Injection vulnerabilities which they took.

There are no public facing SQL injection vulnerabilities. Most of the flaws are in the ACP (which obviously requires ACP access, which should only be handed out to trusted users), and there is one XSS in the public facing side. All of these are to be patched in 1.8.4. SQL Injections on the public facing side are taken very seriously, and when we are made aware of one we bring releases forwards - usually releasing within 1 day of us being made aware.

 

[Ryan Ashbrook]

Yeah, the problem is that @Mybb_Brandon could come along, slap a MyBB logo on as an avatar and start playing the part, and people would think they were an official team member...

We do need to think of a solution, we'll be looking into it as soon as we have control back.

I would recommend LastPass. You can share the login among other LastPass users while allowing it to be secure, and not needing it to be stored anywhere at any point in time. This also applies to other things where a joint-account needs to be used.