Imperva: LivingSocial Could Have Fallen Victim To Unpatched Software

Based on available information, data security specialists from Imperva have narrowed down the possible methods used to hack daily deals site LivingSocial to just two: either a web application attack such as SQL Injection, or a framework-based attack, possibly through Ruby-on-Rails.

On Friday, LivingSocial admitted that unidentified attackers had compromised over 50 million customer records worldwide, including information such as names, emails, birthdays and encrypted passwords. It had subsequently reset the passwords for all affected customers.

The company said financial information was stored in a different database and was not accessed during the attack.

Living antisocial

LivingSocial is a US business founded in 2007. It is part-owned by Amazon and claims to have more than 70 million members around the world. The overwhelming majority of these members had their details accessed last week, when the website was hacked. CEO of the company Tim O’Shaughnessy revealed the attack in an email sent to customers and employees on Friday.

Barry Shteiman from Imperva says that, based on the data structures that were reported hacked, the attack could have been performed using SQL Injection – a technique that exploits a security vulnerability in an application’s software by including portions of SQL statements in a text entry field.

“SQL injection is one of the biggest threats and easiest vectors for an attacker to steal data and compromise an organization,” said Amichai Shulman, Imperva CTO, describing the problem in February.

Another possible vulnerability exploited by the hackers could have come from Ruby-on-Rails (RoR). According to Shteiman, LivingSocial’s acquisition of RoR experts InfoEther and the job vacancies the company has published over the years indicate that it relies heavily on the open-source framework.

Unpatched Ruby vulnerabilities can enable an attacker to gain control over an exposed server, execute arbitrary code or even hack deeper into the infrastructure. “LivingSocial may have been another victim of unpatched software,” says Shteiman.

He advises companies to safeguard against SQL Injection attacks with the help of a Web Application Firewall. As far as frameworks are concerned, patching them should always be a priority, and if a proper patch is delayed, a virtual one will temporarily do the trick.
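To make the SQL Injection technique described above concrete, and to show the code-level fix that sits behind the Web Application Firewall advice, here is an added example that is not from the article, from Imperva, or from LivingSocial. It builds an in-memory SQLite table with constructed sample rows of the kind of data reported exposed (names, emails, birthdays, password hashes), then runs the same lookup two ways: a vulnerable version that pastes user input into the statement, and a hardened version that binds the value as a parameter. The table, rows and test inputs are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: a minimal "customers" table holding the kinds of
# fields the article says were exposed. Nothing here is real customer data.
CUSTOMERS = [
    ("alice", "alice@example.com", "1985-03-02", "hash-a"),
    ("bob", "bob@example.com", "1990-07-14", "hash-b"),
    ("carol", "carol@example.com", "1978-11-30", "hash-c"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (name TEXT, email TEXT, birthday TEXT, pw_hash TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", CUSTOMERS)
    return conn


def lookup_unsafe(conn, email):
    """Vulnerable: the text-field value is concatenated into the statement,
    so any SQL fragment inside it becomes part of the query, which is exactly
    the injection pattern the article describes."""
    sql = "SELECT name, email FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Hardened: the driver binds the value as data. Whatever the input
    contains, it can only ever be compared against the email column and can
    never alter the structure of the query."""
    sql = "SELECT name, email FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run both lookups on a normal input and on a constructed input that
    carries a SQL fragment; return the four result sets for comparison."""
    conn = make_db()
    normal = "bob@example.com"
    crafted = "x' OR '1'='1"  # constructed test input containing a SQL fragment
    return {
        "unsafe_normal": lookup_unsafe(conn, normal),
        "unsafe_crafted": lookup_unsafe(conn, crafted),
        "safe_normal": lookup_safe(conn, normal),
        "safe_crafted": lookup_safe(conn, crafted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With the normal input both functions return Bob's single row. With the crafted input the unsafe lookup returns every customer in the table, because the input has rewritten the WHERE clause, while the parameterized lookup returns nothing, because no email literally equals that string. This is why parameterized queries are the primary control and a WAF or virtual patch is a compensating layer, not a replacement.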

Last year, LinkedIn ended up facing a class action lawsuit after 6.5 million sets of personal data were stolen from the social network. And earlier this year, Evernote was forced to reset passwords for 50 million accounts after discovering suspicious activity on its servers. In both cases, the attackers did not obtain financial information.


Max Smolaks

Max 'Beast from the East' Smolaks covers open source, public sector, startups and technology of the future at TechWeekEurope. If you find him looking lost on the streets of London, feed him coffee and sugar.
