A SQL injection flaw has been discovered in Rockyou.com – a social networking application development website used by app developers for Bebo, Facebook and Myspace. The flaw could have allowed hackers access to the 32 million usernames and passwords in the Rockyou.com database, according to data security firm Imperva.
SQL injection exploits a flaw in the way an application builds its database queries: untrusted input is concatenated into the SQL text, so an attacker can change the query's logic and read or modify data the application never intended to expose. It has been used widely to attack sites. It potentially allows hackers to steal private information which is then auctioned or exchanged on hacking forums, and can lead to cases of identity theft.
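The following is an added illustration of the flaw class described above, not code from Rockyou.com or from Imperva. It uses an in-memory SQLite table with three constructed user records (the schema, names and passwords are assumptions, not RockYou's) and contrasts a login query built by string concatenation with the same query using bound parameters. Passwords are stored in plaintext in the sample only to mirror the scenario in the article; a real site should store a salted hash.

```python
import sqlite3

# Constructed sample data: a stand-in for a site's member table.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "Sunshine1"),
    ("bob", "bob@example.com", "hunter2"),
    ("carol", "carol@example.com", "correct-horse"),
]


def build_db():
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL text by pasting user input straight into it.

    A username such as  ' OR 1=1 --  closes the quoted literal, adds an
    always-true condition and comments out the password check, so the
    query returns every row in the table.
    """
    sql = ("SELECT username, email, password FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Same query with bound parameters.

    The values travel separately from the SQL text, so quote characters
    and comment markers in the input are treated as data, never as SQL.
    """
    sql = ("SELECT username, email, password FROM users "
           "WHERE username = ? AND password = ?")
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Run both versions against a classic injection payload and a real login."""
    conn = build_db()
    payload = "' OR 1=1 --"
    return {
        "vulnerable_with_payload": login_vulnerable(conn, payload, "x"),
        "safe_with_payload": login_safe(conn, payload, "x"),
        "safe_real_login": login_safe(conn, "bob", "hunter2"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

Run stand-alone, the vulnerable function hands back all three accounts for the payload while the parameterised version returns nothing for it and exactly one row for a genuine username/password pair. The same concatenation pattern, applied to a table of tens of millions of rows, is what turns a single injectable field into a full credential dump.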
Rockyou.com offers a platform for both developers and users to download add-ons and receive updates. When users register with Rockyou, their Rockyou password is by default the same password as their webmail account. Therefore, if hackers steal a list of usernames and passwords from the database, they can immediately log in to these users' webmail accounts.
“From then on I can do a number of interesting things,” Imperva’s chief technology officer Amichai Shulman told eWEEK Europe. “One of them is probably extract a lot of personal information that I can either use directly to commit fraud or indirectly for improved phishing attacks. In the same way that these people use their email accounts when registering to Rockyou they might use the same account and password when registering to Amazon.com or any other retail application – maybe even with their banking application – so I can immediately get access to more applications which I can actually use as a hacker to generate revenue.
“The other thing I can do is, if the password and username do not match the credential for other online applications, I can try and use the password recovery features of other applications and, most of the time, the recovered password is sent back into the webmail account – which I now control. This gives me virtually unlimited access to the person’s online assets.”
The discovery highlights a worrying trend among Internet users to reuse the same password across multiple accounts, giving any attacker an easy way to extract private information from email inboxes. Hackers are then at liberty to carry out identity theft or harvest the users' contact lists for spam.
“While individual users are urged to show prudence when surfing the web, and especially providing account credentials to applications, it is the responsibility of application owners to protect the information trusted to them by users,” said Shulman. “It is usually the tendency of people to use the same password. This is human nature, there are only so many passwords I can remember, especially if I want them to be strong passwords.”
Rockyou.com reacted quickly to news of the flaw and fixed the issue over the weekend. However, Imperva claims that some accounts had already been compromised before the vulnerability was fixed.
The news follows the recent discovery of an SQL injection vulnerability in a Yahoo jobs site. Imperva detected the flaw when it discovered that members of hacking forums were discussing possible ways to exploit the vulnerability. “SQL injection is a major thorn in the side for the website hosting community,” said Shulman at the time. “It can be tackled with careful research and high levels of security.”
Imperva recommends that Internet users and administrators take the following precautions to protect their personal data:
Internet users
Administrators