'Union-based' SQL injection vulnerability was responsible for the Yahoo! Voices hack

News by Dan Raywood

An SQL injection vulnerability was responsible for yesterday's password breach of Yahoo! Voices.

An SQL injection vulnerability was responsible for yesterday's password breach of Yahoo! Voices.

According to research by Imperva, the breach of the Voices application highlights how enterprises continue to neglect basic security practices. It said that the breach was enabled by a union-based SQL injection vulnerability in the application, which was the basic form of SQL injection and a well-known attack.

As revealed by SC Magazine yesterday, Yahoo! confirmed that up to 400,000 of its Voices account usernames and passwords had been stolen and published online. The credentials were reportedly stored in clear text and were taken from the Yahoo.com subdomain dbb1.ac.bf1.yahoo.com.

Rob Rachwald, Imperva's director of security strategy, said: “This attack highlights the challenges of security with third-party applications.  The attacked application was probably acquired by Yahoo! from a third party, Associated Content. It's very challenging to have an effective security development lifecycle with third parties. Therefore, you need to put them behind a web application firewall.”

Mark Bower, data protection expert and VP at Voltage Security, asked why organisations such as Yahoo! have still not got it right, especially as SQL injection is a known attack.

Recent research by White Hat Security found that while SQL injection is a prevalent website vulnerability, it only affects 11 per cent of websites and flaws are fixed in an average of 53 days. It claimed that five per cent of all websites it evaluated had at least one SQL injection vulnerability that was exploitable without first needing to login to the website.

The April 2012 'State of Software Security Report' from Veracode, said that SQL injection remains one of the two most frequently exploited vulnerability types (along with cross-site scripting), with a statistically flat incidence rate from the first quarter of 2010 to the fourth quarter of 2011, suggesting that new vulnerabilities are being introduced at the same rate as known vulnerabilities are being remediated.

Chris Hinkley, CISSP and senior security engineer at secure cloud hosting company, FireHost, said: “Yahoo! has fallen victim to an SQL injection attack, which in comparison to most of the tools in a hacker's box, is a pretty straightforward and common method of attack. Though the hackers have described the incident as only a ‘wake-up call', if organisations do not take more robust precautions, the next attack could be much more damaging.

“SQL injection attacks have become the method of choice among hackers seeking to exploit weaknesses in IT infrastructures, but with solutions readily available that are capable of blocking these threats, it's frustrating that these attacks are still so successful.”

Paul Ayers, vice president EMEA of data encryption firm Vormetric, said that this is not the first large brand to fall victim to a security breach, and it will not be the last.

“With every incident such as this that happens, organisations worldwide are reminded of the changing threat landscape and the need for IT infrastructure to keep pace. As such, an organisation's starting point shouldn't be – ‘if' we get hacked, but ‘when',” he said.

“Ultimately, focusing on a defensive perimeter around a network is not going to keep the bad guys out anymore. Servers hold the crown jewels of enterprise information and organisations need to ensure the security and access control of that server data. For databases in particular, a combination of encryption and database activity monitoring ensures organisations can rest assured that no matter how or where data exists on systems, or whoever's hands it falls into, that information remains secure.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews