Imperva Comments on Yahoo Voices Breach

Imperva : 16 July, 2012  (Technical Article)
SQL injection attack breaches security on Yahoo voices, exposing user passwords reminiscent of recent LinkedIn breach
It was revealed yesterday that Yahoo! Voices was breached. Yahoo! Voices is an online publishing platform that was developed by Associated Content and later acquired by Yahoo!. It lets consumers share information on any topic, from planning a wedding to details of Tom and Katie’s divorce.

Rob Rachwald, Director of Security Strategy at Imperva, comments on what Imperva has seen of the breach:

"Sadly, this breach highlights how enterprises continue to neglect basic security practices. According to the hackers, the breach was enabled by a union-based SQL injection vulnerability in the application, which is a well-known attack. To add insult to injury, the passwords were stored in clear text and not hashed (encoded). One would think the recent LinkedIn breach would have encouraged change, but no. Rather, this episode will only inspire hackers worldwide.

The file published by the hackers seems to contain some 450K usernames and passwords of Yahoo! Voices users. The usernames and passwords seem to be obsolete, but the published file suggests that the hackers gained access to the whole database and were able to view some private data on 450,000 users, such as full name, full address, phone number, bio, education, and date of birth.

Here are some technical details:

Another epic password fail: It seems that the app stored the passwords both encrypted (AES_passwd) and in clear text (clear_passwd), which, of course, makes the encryption useless.

ac_www =>> fix_ac_user :::: aes_passwd
ac_www =>> fix_ac_user :::: clear_passwd

How was it exploited? According to the hackers, "Method: Union-based SQL Injection", which is the basic form of SQL injection. (For more on stopping SQL injection, read here.)

It's interesting to note that apps use zip code info to gain intelligence on users:

ac_www =>> ac_zip_data :::: ZipCode
ac_www =>> ac_zip_data :::: HouseholdsPerZipCode
ac_www =>> ac_zip_data :::: WhitePopulation
ac_www =>> ac_zip_data :::: BlackPopulation
ac_www =>> ac_zip_data :::: HispanicPopulation
ac_www =>> ac_zip_data :::: PersonsPerHousehold
ac_www =>> ac_zip_data :::: AverageHouseValue
ac_www =>> ac_zip_data :::: IncomePerHousehold

Someone should delete all the TomKat videos and contribute a Yahoo! Voices tutorial on proper password storage methods. Until that's done, here's an enterprise password security guide everyone should read.

This attack highlights the challenges of security with 3rd-party applications. The attacked application was probably acquired by Yahoo! from a 3rd party, Associated Content. It's very challenging to have an effective SDLC with 3rd parties. Therefore, you need to put them behind a WAF."
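The two defects Rachwald names above, a query built by string concatenation that admits union-based SQL injection and a user table that keeps passwords in clear text, both have short, standard fixes. The following is an added example, not code from the article, from Imperva or from Yahoo!: a minimal user store in SQLite that shows the vulnerable lookup beside its parameterised replacement, and stores only a salted PBKDF2 hash of each password rather than the clear_passwd / aes_passwd pair described in the dump. The table name fix_ac_user is borrowed from the column listing quoted above; the columns passwd_hash and email, the sample users and the probe string are constructed for the demonstration and are not Yahoo!'s real schema or data.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional

# Work factor for PBKDF2-HMAC-SHA256. Kept modest so the example runs quickly;
# production deployments should tune this to current OWASP guidance (hundreds
# of thousands of iterations) or use a memory-hard KDF such as Argon2.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing salted hash: algo$iterations$salt$digest.

    A fresh random salt per user means two users with the same password get
    different stored values, and a leaked table cannot be cracked in bulk.
    """
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table; only the password hash is stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE fix_ac_user (username TEXT PRIMARY KEY, passwd_hash TEXT, email TEXT)"
    )
    sample_users = [  # constructed sample data
        ("alice", "correct horse battery", "alice@example.com"),
        ("bob", "hunter2", "bob@example.com"),
    ]
    for username, password, email in sample_users:
        conn.execute(
            "INSERT INTO fix_ac_user VALUES (?, ?, ?)",
            (username, hash_password(password), email),
        )
    conn.commit()
    return conn


def lookup_email_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """BAD: user input is spliced into the SQL text, so a quote in the input
    ends the literal and the rest of the input becomes SQL (union-based SQLi)."""
    sql = "SELECT email FROM fix_ac_user WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """GOOD: a bound parameter is always data, never SQL, whatever it contains."""
    sql = "SELECT email FROM fix_ac_user WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup plus hash verification; no clear-text password is ever stored."""
    row = conn.execute(
        "SELECT passwd_hash FROM fix_ac_user WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return verify_password(password, row[0])


if __name__ == "__main__":
    db = make_db()
    # The check a reviewer runs: the same probe string leaks every stored hash
    # through the concatenated query and returns nothing through the bound one.
    probe = "x' UNION SELECT passwd_hash FROM fix_ac_user --"
    print("vulnerable:", lookup_email_vulnerable(db, probe))
    print("safe:      ", lookup_email_safe(db, probe))
    print("login ok:  ", login(db, "alice", "correct horse battery"))
    print("login bad: ", login(db, "alice", "wrong"))
```

Note that the parameterised version does not "sanitise" the input; it simply never lets the input become part of the statement, which is why it needs no per-character escaping rules to get right. The hash format carries its own salt and iteration count, so the work factor can be raised later and old rows re-hashed on next successful login.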