SQL flaw at Rockyou has wider e-mail security implications

Imperva : 15 December, 2009  (Technical Article)
Social networking sites are continuing to take blows in user confidence as an SQL injection flaw discovered in Rockyou.com could, if exploited, compromise the web-based e-mail accounts of subscribers.
Imperva has issued a warning after finding a serious SQL injection flaw in Rockyou.com, a social networking application development web site.

'Rockyou.com is not just any software site. Since its creation in 2006, it's become the hub for many social networking sites such as Bebo, Facebook and Myspace, to mention but a few,' said Amichai Shulman, chief technology officer with the data security specialist.

'The bad news is that the SQL injection flaw could have allowed hackers to access the 32 million entries of user names plus passwords in the Rockyou.com database - and since the user names and passwords are by default the same as the users' webmail account—such as Hotmail, Yahoo or Gmail—this is a major lapse in security,' he added.

"The vast majority of subscribers to Rockyou.com are using the same credentials on the site as their regular Web email service," explained Shulman. "The users are young and security is not top of mind, but nonetheless companies need to keep them protected and ensure their details are safe. With the popularity of Web 2.0 tools, companies may focus more on becoming successful quickly at the expense of security."

An attacker can use these credentials to perform any of the following actions:

1. Extract private information from the inbox: credit card numbers, confidential business information, passwords to another application such as a banking application, embarrassing pictures, etc.
2. Identity theft - the attacker can send mail to the victim's entire contact list on behalf of the victim.
3. Harvest the contacts' info for spam - if each account has 10 unique contacts, then the spammer will have 300 million addresses to spam.

"While individual users are urged to show prudence when surfing the web and especially providing account credentials to applications, it is the responsibility of application owners to protect the information trusted to them by users," adds Shulman. "Web development in general can be rushed in order to get a service to market quicker. However, by rushing the time to deploy, companies may tend to overlook security."

"We have notified the site operators of this problem, who reacted quickly and fixed the issue over the weekend. Unfortunately some accounts had already been compromised before the vulnerability was fixed. All users need to be cautious and ensure they change their email passwords as their credentials may have been put at risk," he added.

Imperva recommendations for keeping safe online:

Internet Users:

1. Have separate business and personal email accounts
2. Carefully choose applications you trust with your email address
3. Change passwords regularly
4. Ensure default passwords are changed so they are not the same as ones used for email accounts

Administrators:

1. Protect your applications against application-level attacks using available technologies such as a web application firewall.
2. Never store passwords in plain text.
3. Don't ask for your users' webmail passwords unless it's absolutely necessary, and certainly don't store them afterwards.
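The two administrator points that caused the most damage in this incident (query text built from user input, and credentials stored in plain text) are easiest to see side by side. The following is an added example written for this article; it is not Rockyou's code or Imperva's, and the table and column names are hypothetical. It uses a constructed in-memory SQLite database: the "before" login concatenates untrusted input into SQL and compares plaintext passwords, while the "after" login uses a parameterised query and a salted PBKDF2 hash, so a leaked table no longer yields reusable webmail credentials.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 200_000  # assumption: a work factor suitable for 2009-era hardware and up


def make_db() -> sqlite3.Connection:
    """Constructed demo database with two hypothetical user tables:
    users_plain mirrors the plaintext storage the article describes,
    users holds a per-user salt and a PBKDF2-SHA256 hash instead."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash; what should be stored instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Populate both tables so the two login paths can be compared on the same user."""
    salt = os.urandom(16)
    conn.execute("INSERT INTO users_plain (username, password) VALUES (?, ?)",
                 (username, password))
    conn.execute("INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
                 (username, salt, hash_password(password, salt)))
    conn.commit()


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """BEFORE: the query string is assembled from untrusted input, so the
    input can change the query's structure, and the comparison is against a
    plaintext password column."""
    query = (f"SELECT username FROM users_plain WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """AFTER: placeholders keep the input as data, and only the salted hash is
    stored; compare_digest avoids leaking the match position through timing."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored_hash = row
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def stored_secret(conn: sqlite3.Connection, username: str) -> tuple[str, bytes]:
    """What a dump of each table exposes for one user: the password itself
    versus a hash that is not usable as a webmail credential."""
    plain = conn.execute("SELECT password FROM users_plain WHERE username = ?",
                         (username,)).fetchone()[0]
    hashed = conn.execute("SELECT pw_hash FROM users WHERE username = ?",
                          (username,)).fetchone()[0]
    return plain, hashed


if __name__ == "__main__":
    db = make_db()
    register(db, "alice", "correct horse")  # constructed sample credential
    # A regression check for the flaw: input that ends the quoted value and
    # comments out the password test must be rejected by the hardened path.
    probe = "alice' --"
    print("vulnerable login accepts probe:", login_vulnerable(db, probe, "anything"))
    print("safe login accepts probe:      ", login_safe(db, probe, "anything"))
    print("safe login, real password:     ", login_safe(db, "alice", "correct horse"))
```

The `stored_secret` helper is there for the second recommendation: with the plaintext table, every leaked row is immediately a Hotmail, Yahoo or Gmail login attempt waiting to happen; with the hashed table, an attacker still has to guess each password, and the salt stops one guess from being checked against all 32 million rows at once. A web application firewall can add a layer in front of the vulnerable path, but only the parameterised query removes the flaw.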
   © 2012 ProSecurityZone.com