
Yahoo! Defends Jobs Site Against SQL Injections

A vulnerability in Yahoo!’s HotJobs website has been successfully blocked, after data security specialist Imperva warned the search giant of a potential SQL injection flaw.

Imperva detected the flaw when it discovered that members of hacking forums were discussing possible ways to exploit the vulnerability. The security firm alerted Yahoo! on Thursday morning and, by Thursday evening, the flaw had been fixed.

“This is a flaw that could mean that the personal information of large numbers of people is compromised,” said Imperva’s chief technology officer Amichai Shulman. “Data like this can be extremely useful as far as identity thieves are concerned. This is exactly the sort of data that is traded on so-called carder forums.”

Shulman told eWEEK Europe that, so far, there is no evidence that the vulnerability was exploited or that data has been exchanged. However, Yahoo! was unable to confirm this before publication.

SQL injection is a code injection technique that exploits a flaw in the way an application builds its database queries: user-supplied input is concatenated into the SQL text, so an attacker can change the structure of the query rather than just the values it searches for. It potentially allows attackers to read non-public data straight out of the database, which is then auctioned or exchanged on hacking forums and can lead to identity theft. Although illegal data exchanges are shut down on a regular basis, the scale of the Internet means that as one closes another opens elsewhere on the web.
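To make the mechanism concrete, here is an added example (not code from the article, from Yahoo! or from Imperva) using a constructed, in-memory SQLite table standing in for a job site's candidate records. The `lookup_vulnerable` function splices the username into the SQL text, which is the defect behind an SQL injection flaw; `lookup_safe` binds the same input as a parameter. The table, column names and sample rows are all assumptions made up for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for a job board's candidate table.
# None of this is real; it exists only so the example runs offline.
CANDIDATES = [
    (1, "alice", "alice@example.com", "+44 20 7946 0000"),
    (2, "bob", "bob@example.com", "+44 20 7946 0001"),
    (3, "carol", "carol@example.com", "+44 20 7946 0002"),
]


def make_db():
    """Create an in-memory database holding the constructed candidate rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE candidates ("
        "id INTEGER PRIMARY KEY, username TEXT, email TEXT, phone TEXT)"
    )
    conn.executemany("INSERT INTO candidates VALUES (?, ?, ?, ?)", CANDIDATES)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The flaw: user input is pasted into the SQL string.

    A quote character in the input ends the literal early, and whatever
    follows is parsed as SQL, so the caller controls the query's structure.
    """
    sql = (
        "SELECT username, email, phone FROM candidates "
        "WHERE username = '%s'" % username
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """The fix: a parameterised query.

    The SQL text is fixed at development time and the input is bound as a
    value by the driver, so quotes in it are just characters to compare.
    """
    sql = "SELECT username, email, phone FROM candidates WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Classic payload: closes the string literal, then adds an always-true clause,
# turning a lookup for one user into a dump of every row.
INJECTION_OR = "x' OR '1'='1"

# Second payload: a UNION against SQLite's schema table shows how the same
# hole lets an attacker read data the query was never meant to return.
# The trailing "-- " comments out the closing quote the application appends.
INJECTION_UNION = "x' UNION SELECT name, sql, type FROM sqlite_master -- "


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:", lookup_vulnerable(db, "alice"))
    print("vulnerable, OR payload:  ", lookup_vulnerable(db, INJECTION_OR))
    print("vulnerable, UNION payload:", lookup_vulnerable(db, INJECTION_UNION))
    print("safe, OR payload:        ", lookup_safe(db, INJECTION_OR))
    print("safe, normal input:      ", lookup_safe(db, "alice"))
```

Against the constructed table, the vulnerable lookup returns all three candidate rows for the `OR` payload and the table schema for the `UNION` payload, while the parameterised version returns nothing for either payload and exactly one row for a legitimate username. A web application firewall of the kind the article describes as having blocked the flaw can stop known payloads at the edge, but the durable fix is the parameterised query: it removes the concatenation that made the input executable in the first place.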

“This is why it’s important to warn about potential SQL injection-hacked problems like this. If the potential problem is allowed to continue for any length of time, then the risk of a hacker attack rises as a result,” said Shulman. “SQL injection is a major thorn in the side for the website hosting community. It can be tackled with careful research and high levels of security.”

The news follows a recent “sophisticated and deliberate” attack on the Guardian newspaper’s recruitment site in late October. The hack resulted in up to half a million CVs being stolen. The Guardian did not reveal the details of how the attack was carried out at the time, but Shulman predicts that it was probably also an SQL injection.

“Our experience shows that ‘sophisticated attack’ is usually a pseudonym for ‘SQL injection’,” he said, “even though SQL injections are not sophisticated at all.”

This latest discovery points to an emerging trend in the use of jobs websites to carry out identity theft. These sites make good targets for hackers, as they are full of personal information relating to an individual’s professional capabilities and contact details.

Surveys earlier this year revealed that identity theft is a concern for three quarters of UK residents, and there are fears that the recession will drive an increase in criminal activity.

“In my opinion, SQL injections are the number one security threat to data applications,” said Shulman.

Sophie Curtis
