Breach, Data Security

Did an undisclosed SMF 2.0.6 flaw enable the AVAST forum breach?


It might have been an undisclosed vulnerability in Simple Machines Forums (SMF) 2.0.6, the years-long community platform of choice for computer security company AVAST Software, that enabled attackers to compromise information on nearly 400,000 AVAST message board users.

In a Sunday blog post, Vince Steckler, CEO of AVAST, announced that the AVAST community forum was hacked over the weekend and that usernames, user nicknames, email addresses and hashed – one-way encrypted – passwords were compromised.

Fewer than 0.2 percent of 200 million AVAST users – about 400,000 users – were impacted, according to the post, which adds that payment and license information, as well as financial systems data, was not compromised.

An investigation is ongoing, but the attack is believed to have occurred recently and was detected immediately, according to the post, which adds that the AVAST forum is currently down, being rebuilt and moved to a different software platform.

“It is not known yet how the attacker breached the forum,” an AVAST spokesperson told in a Tuesday email correspondence. “It is not clear whether the attack was conducted via a zero-day vulnerability, or a hole that was silently fixed in [SMF] 2.0.7 [and was] never announced.”

The AVAST forum had been hosted on a third-party software platform for several years and, at the time of the attack, was running SMF 2.0.6, according to the AVAST spokesperson, who added that there were no security-related updates listed on the change log for SMF 2.0.7, the latest version.

The AVAST spokesperson indicated that the company used the unmodified SMF standard, SHA-1 with salt, to encrypt passwords – but that does not mean decryption is impossible, Johannes Ullrich, dean of research with the SANS Technology Institute, told in a Tuesday email correspondence.

“An attacker could pretty easily, within less than an hour, brute-force passwords that are based on common dictionary words,” Ullrich said, explaining SMF appears to use the username as a salt. “If a password is very long, then it may very well never get broken. At that point, it depends a bit on the resources the attacker has available.”

In a Tuesday email correspondence with, Ken Ammon, CSO of network security software company Xceedium, agreed with Ullrich, explaining that password length and complexity will be a determining factor in whether decryption is possible, or worth the effort.

“Using a precomputed rainbow table dramatically reduces cracking time,” Ammon said. “We know that AVAST used a relatively weak form of password encoding, [so] the key question is: did AVAST enforce a password complexity policy?”

The AVAST forum hack comes roughly one week after eBay announced it had experienced a breach, but Ullrich said it is unlikely the two are in any way connected.

Simple Machines did not respond to a request for comments.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.