Posted by Kevin on August 7, 2014.
News that Russian cybercriminals had amassed a database of 1.2 billion unique access credentials broke on August 5 when Hold Security published a report titled You Have Been Hacked. The report explained the method used by the gang, dubbed by Hold as CyberVor (‘vor’ means ‘thief’ in Russian), to employ botnets to find SQL vulnerabilities:
These botnets used victims’ systems to identify SQL vulnerabilities on the sites they visited. The botnet conducted possibly the largest security audit ever. Over 400,000 sites were identified to be potentially vulnerable to SQL injection flaws alone. The CyberVors used these vulnerabilities to steal data from these sites’ databases. To the best of our knowledge, they mostly focused on stealing credentials, eventually ending up with the largest cache of stolen personal information, totaling over 1.2 billion unique sets of e-mails and passwords.
The process, then, was first to identify SQLi flaws, and then to use these flaws to break into the vulnerable websites and steal the user data. The tragedy is that while SQLi flaws (along with cross-site scripting, or XSS, flaws) are possibly the most common flaws around, they are also very easy to fix.
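To show how small the fix is, here is an added example (not code from the article, Hold Security, or articleFR) of a credential lookup written the vulnerable way and the parameterized way, against a constructed in-memory SQLite table with made-up users. The function and table names are assumptions for illustration.

```python
import sqlite3

# Constructed sample credential table; not data from any real site.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "hash-of-alice-password"),
    ("bob", "bob@example.com", "hash-of-bob-password"),
]


def make_db():
    """Build an in-memory SQLite database with a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """The bug: user input is spliced into the SQL text, so input can alter the query."""
    sql = "SELECT email, pw_hash FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The fix: the SQL text is fixed; the driver binds name as a value, never as SQL."""
    sql = "SELECT email, pw_hash FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo(name):
    """Run the same input through both lookups and return the rows each one yields."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, name),
        "parameterized": lookup_parameterized(conn, name),
    }


if __name__ == "__main__":
    # The textbook tautology turns the concatenated query into "match every row",
    # which is how a whole credential table leaks; the bound version matches nothing.
    for label, rows in demo("x' OR '1'='1").items():
        print(label, len(rows), "row(s)")
```

The change from the first function to the second is the entire fix: one bound parameter in place of string concatenation.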
If websites that store user data are unable to check their own code, then they should unquestionably use a pentester (if they can afford one) or a low cost online pentesting service (if they cannot) to check for SQLi and XSS vulnerabilities.
But what becomes unforgivable is where a website ignores the free advice (or warning) provided by an independent security researcher. Today High-Tech Bridge (a firm that offers an online testing service) published a blog post describing its interaction with an open source article directory system called articleFR.
HTB recently found a SQLi flaw in articleFR’s code, and notified the vendor, Free RePrintables. This was in fact the second flaw (the first was an access flaw) found in the software in two months. Free RePrintables ignored repeated warnings from HTB over the first flaw, forcing HTB to develop its own temporary patch for the software.
So far, Free RePrintables has also ignored all notifications about the new SQLi flaw. It may be that the vendor thinks itself too small to attract the attention of hackers – but Hold Security’s report makes it very clear that the CyberVor gang cares nothing about size. If it finds a SQLi flaw, it will exploit it and add all stolen credentials to its database.
It is entirely possible that the gang is already aware of this particular flaw, and has already exploited it on different websites.
The moral of this tale is simple. All articleFR users should change their passwords (and the passwords of any other accounts that share the same password) as soon as possible, while at the same time pressing Free RePrintables to fix the flaw and get High-Tech Bridge to confirm it has been fixed. But at the same time, all websites of whatever size that collect user credentials should take whatever steps are necessary to ensure that they are not harbouring SQLi and/or XSS vulnerabilities.