SQL injection flaw leaves door wide-open to valuable user information on a popular file sharing site
This week, a trio of hackers based out of Argentina uncovered various entry points into the popular (and controversial) file-sharing site Pirate Bay using SQL injection flaws contained in the site. The infiltration gained them access to upwards of four million user profiles containing names, addresses, email accounts and other sensitive and (potentially) incriminating information.
As originally reported by Krebs on Security, the group gained access through SQL injection vulnerabilities contained within the site. The leader of the hacker group, Ch Russo, maintains that he and his accomplices did not crack the site for any personal gain, though he did admit, once inside, it had dawned on him that some of the information uncovered would have been valuable to the Recording Industry Association of America and Motion Picture Association of America. But at the end of the day, they chose not to share information with either organization. The group says that they were only attempting to spread awareness that security vulnerabilities exist and SQL injection flaws can still be readily found in today’s applications and websites.
Pirate Bay is a website that allows registered members to access and download numerous types of multimedia using the currently lawful method of file sharing. File sharing takes particles of related information from various sources and then compiles them in sequence to create a full multimedia file.
Is it legal? Well that is for the courts to decide. If it is deemed illegal, it would a difficult crime to trace. Technically, downloading copyright material is unlawful but because the media is compiled from numerous sources it is very tricky to track and even harder to prosecute because only a portion of media is taken from each source. It would be like trying to charge someone for Grand Theft Auto who only stole a steering wheel.
Either way, the hack has eyebrows raised about the security exposure and concerns are growing because of SQL injection and other types of security flaws. This hack just proves what kind of damages are possible when SQL injection issues exist. In this case, under the assumption that file sharing will become illegal, these hackers could have sold information on users that might provide evidence for lawsuits. SQL injection flaws are clearly no laughing matter.
SQL injection is and has been a major concern among quality and security departments as it is elusive to developers and testers to find and eliminate but it is fairly easy for hackers to find and exploit. In this case the hackers (had they been malicious ones) could have exposed and sold valuable personal information of Pirate Bay users.
Hackers are able to gain access to apps through weak SQL portals by adding their own Structured Query Language (SQL) into language field features on sites and in applications. These coded statements instruct the app or site to respond to their coded request and (in most cases) grant them administrative or backend access. Once access is gained, typically the sky is the limit to what database information becomes available and what changes can be made.
While many vendors advertise SQL injection detection and fixes in their offerings, SQL injection remains a high-profile risk in many expert’s minds.
For information on how to protect your software applications and sites from similar security compromises, we recommend these tips:
- Application security checklist: Finding, eliminating SQL injection flaws
Seeking out SQL injection issues and entry-ways? This application security checklist shows ways to identify susceptible application areas and kill flaws.
- Quick attacks for Web security, penetration testing and SQL advisory
Are you in need of penetration testing but are on a strict budget? Expert Matt Heusser provides tips and tricks to get your software application live and without issues.
- Are SQL injection attacks really a big software security risk?
A software security expert separates vulnerability scanner vendor hype from the reality about injection attacks in this tip.