A serious SQL injection has been found with the social networking application development website Rockyou.com.
Claims have been made that the flaw could have allowed hackers to access the 32 million entries of user names plus passwords in the Rockyou.com database.
Amichai Shulman, chief technology officer at Imperva, said: “Rockyou.com is not just any software site. Since its creation in 2006, it's become the hub for many social networking sites such as Bebo, Facebook and MySpace, to mention but a few.
“The vast majority of subscribers to Rockyou.com are using the same credentials on the site as their regular webmail service. The users are young and security is not top of mind, but nonetheless companies need to keep them protected and ensure their details are safe. With the popularity of Web 2.0 tools, companies may focus more on becoming successful quickly at the expense of security.”
He claimed that an attacker can use the credentials to extract private information from the inbox, such as credit card numbers, confidential business information and passwords to other applications. Shulman said that Imperva had notified the site operators of this problem, who reacted quickly and fixed the issue over the weekend.
He said: “Unfortunately some accounts had already been compromised before the vulnerability was fixed. All users need to be cautious and ensure they change their email passwords as their credentials may have been put at risk.
“While individual users are urged to show prudence when surfing the web and especially providing account credentials to applications, it is the responsibility of application owners to protect the information trusted to them by users. Web development in general can be rushed in order to get a service to market quicker. However, by rushing the time to deploy, companies may tend to overlook security.”