Imperva Comments on Yahoo Voices Breach

Imperva : 16 July, 2012  (Technical Article)
SQL injection attack breaches security on Yahoo! Voices, exposing user passwords in a manner reminiscent of the recent LinkedIn breach
It was revealed yesterday that Yahoo! Voices was breached. This application is an online publishing application that was developed by Associated Content and later acquired by Yahoo!. It allows consumers to share information on any topic, such as planning a wedding or details on Tom and Katie’s divorce.

Rob Rachwald, Director of Security Strategy at Imperva, comments on what the company has seen of the breach:

"Sadly, this breach highlights how enterprises continue to neglect basic security practices. According to the hackers, the breach was enabled by a union-based SQL injection vulnerability in the application, which is a well known attack. To add insult to injury, the passwords were stored in clear text and not hashed (encoded). One would think the recent LinkedIn breach would have encouraged change, but no. Rather, this episode will only inspire hackers worldwide.

The file published by the hackers seems to contain some 450K usernames and passwords of Yahoo! Voices users. The usernames and passwords seem to be obsolete, but the published file suggests that the hackers gained access to the whole database and were able to view some private data on 450,000 users, such as full name, full address, phone number, bio, education, and date of birth.

Here are some technical details:

Another epic password fail: it seems that the app stored the passwords both encrypted (AES_passwd) and in clear text (clear_passwd), which, of course, makes the encryption useless.

ac_www =>> fix_ac_user :::: aes_passwd

ac_www =>> fix_ac_user :::: clear_passwd

How was it exploited? According to the hackers, "Method: Union-based SQL Injection", which is the basic form of SQL injection. (For more on stopping SQL injection, read here.)

It's interesting to note that apps use zip code info to gain intelligence on users:

ac_www =>> ac_zip_data :::: ZipCode

ac_www =>> ac_zip_data :::: HouseholdsPerZipCode

ac_www =>> ac_zip_data :::: WhitePopulation

ac_www =>> ac_zip_data :::: BlackPopulation

ac_www =>> ac_zip_data :::: HispanicPopulation

ac_www =>> ac_zip_data :::: PersonsPerHousehold

ac_www =>> ac_zip_data :::: AverageHouseValue

ac_www =>> ac_zip_data :::: IncomePerHousehold

Conclusions:

Someone should delete all the TomKat videos and contribute a Yahoo! Voices tutorial on proper password storage methods. Until that's done, here's an enterprise password security guide everyone should read.

This attack highlights the challenges of security with 3rd-party applications. The attacked application was probably acquired by Yahoo! from a 3rd party, Associated Content. It's very challenging to have an effective SDLC with 3rd parties. Therefore, you need to put them behind a WAF."
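As an added illustration of the storage and query hygiene the comment calls for (example code written for this page, not Imperva's or Yahoo!'s), the table name below is modelled on the fix_ac_user dump above, the schema and sample user are constructed, and the two reversible password columns are replaced by a salted PBKDF2 hash read through parameterised queries.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed stand-in for the article's fix_ac_user table: the two reversible
# columns the breach exposed (aes_passwd, clear_passwd) are replaced by a
# per-user salt and a slow salted hash, so the database never holds anything
# that can be turned back into the password.
SCHEMA = """CREATE TABLE fix_ac_user (
    username TEXT PRIMARY KEY,
    pw_salt  BLOB NOT NULL,
    pw_hash  BLOB NOT NULL,
    pw_iters INTEGER NOT NULL)"""
# Work factor, stored per row so it can be raised later; OWASP's password
# storage cheat sheet recommends 600,000 iterations for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000

def hash_password(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def create_user(conn, username, password):
    salt = os.urandom(16)
    digest = hash_password(password, salt, PBKDF2_ITERATIONS)
    # Bound parameters: the username travels as data, so quotes or a UNION
    # clause inside it are never parsed as SQL (the article's injection vector).
    conn.execute("INSERT INTO fix_ac_user VALUES (?, ?, ?, ?)",
                 (username, salt, digest, PBKDF2_ITERATIONS))

def verify_login(conn, username, password):
    row = conn.execute("SELECT pw_salt, pw_hash, pw_iters FROM fix_ac_user "
                       "WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    salt, stored, iters = row
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(hash_password(password, salt, iters), stored)

def demo():
    """Create one constructed user; try the right, wrong and injection-shaped cases."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    create_user(conn, "alice", "correct horse battery")
    probe = "alice' UNION SELECT 1,2,3 --"  # handled as a literal username
    row_count = conn.execute("SELECT COUNT(*) FROM fix_ac_user").fetchone()[0]
    return (verify_login(conn, "alice", "correct horse battery"),
            verify_login(conn, "alice", "wrong password"),
            verify_login(conn, probe, "anything"),
            row_count)
```

With this layout a dump of the table yields only salts and hashes, so a breach of the kind described above exposes no reusable credentials.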