Personal Data At Risk After SQL Flaw Discovered

A SQL injection flaw on a social networking app developer site has compromised the security of users and could lead to identity theft

A SQL injection flaw has been discovered in Rockyou.com – a social networking application development website used by app developers for Bebo, Facebook and Myspace. The flaw could have allowed hackers access to the 32 million usernames and passwords in the Rockyou.com database, according to data security firm Imperva.

SQL injection is a technique that exploits a security vulnerability in the database layer of an application, and it has been used widely to attack websites. It potentially allows hackers to steal private information, which is then auctioned or exchanged on hacking forums, and can lead to cases of identity theft.

Rockyou.com offers a platform for both developers and users to download add-ons and receive updates. When users register with Rockyou, their password is by default set to the same password as their webmail account. Therefore, if hackers steal a list of usernames and passwords from the database, they can immediately access these users’ webmail accounts.

“From then on I can do a number of interesting things,” Imperva’s chief technology officer Amichai Shulman told eWEEK Europe. “One of them is probably extract a lot of personal information that I can either use directly to commit fraud or indirectly for improved phishing attacks. In the same way that these people use their email accounts when registering to Rockyou they might use the same account and password when registering to Amazon.com or any other retail application – maybe even with their banking application – so I can immediately get access to more applications which I can actually use as a hacker to generate revenue.

“The other thing I can do is, if the password and username do not match the credential for other online applications, I can try and use the password recovery features of other applications and, most of the time, the recovered password is sent back into the webmail account – which I now control. This gives me virtually unlimited access to the person’s online assets.”

The discovery shows a worrying trend among Internet users to use the same password for multiple accounts, giving any attacker an easy way to extract private information from email inboxes. Hackers are then at liberty to carry out identity theft or harvest the users’ contact lists for spam.

“While individual users are urged to show prudence when surfing the web, and especially providing account credentials to applications, it is the responsibility of application owners to protect the information trusted to them by users,” said Shulman. “It is usually the tendency of people to use the same password. This is human nature; there are only so many passwords I can remember, especially if I want them to be strong passwords.”

Rockyou.com reacted quickly to news of the flaw and fixed the issue over the weekend. However, Imperva claims that some accounts had already been compromised before the vulnerability was fixed.

The news follows the recent discovery of an SQL injection vulnerability in a Yahoo jobs site. Imperva detected the flaw when it discovered that members of hacking forums were discussing possible ways to exploit the vulnerability. “SQL injection is a major thorn in the side for the website hosting community,” said Shulman at the time. “It can be tackled with careful research and high levels of security.”

Imperva recommends that Internet users and administrators take the following precautions to protect their personal data:

Internet users

  • Have separate business and personal email accounts
  • Carefully choose applications you trust with your email address
  • Change passwords regularly
  • Ensure default passwords are changed so they are not the same as ones used for email accounts

Administrators

  • Protect your applications against application-level attacks using available technologies such as a web application firewall.
  • Never store passwords in plain text.
  • Don’t ask for your users’ webmail passwords unless it’s absolutely necessary, and certainly don’t store them afterwards.
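The two points the article leaves abstract, how user input ends up being parsed as SQL and what “never store passwords in plain text” looks like in practice, are shown below in an added example. It is not code from the article, Imperva or Rockyou; it uses a constructed in-memory SQLite table (not Rockyou’s schema), a constructed sample account, and an assumed PBKDF2 iteration count. A lookup that splices the username into the query text is placed beside its parameterised form, and passwords are stored only as salted PBKDF2-HMAC-SHA256 digests and checked with a constant-time comparison.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

# Assumption: iteration count chosen for illustration; tune it for your own hardware.
PBKDF2_ITERATIONS = 200_000


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user store; the schema is illustrative, not Rockyou's."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    return conn


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. The plaintext password is never written anywhere."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt, digest = hash_password(password)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, digest),
    )


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str):
    # VULNERABLE: the username is pasted into the SQL text, so the database
    # parses whatever the user typed as part of the query itself.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()


def lookup_user_safe(conn: sqlite3.Connection, username: str):
    # SAFE: the value is bound as a parameter. It travels separately from the
    # query text and can never change the query's structure.
    return conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchone()


def verify_password(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)


def demo() -> dict:
    """Run both lookups on a name containing an apostrophe and check the stored record."""
    conn = make_db()
    # Constructed sample account; the apostrophe is ordinary data in a name.
    register(conn, "o'brien", "correct horse battery staple")
    results = {}
    results["safe"] = lookup_user_safe(conn, "o'brien")
    try:
        # The apostrophe terminates the string literal early; the database
        # reports a syntax error here, and with other input would happily
        # execute whatever followed. That is the injection surface.
        results["vulnerable"] = lookup_user_vulnerable(conn, "o'brien")
    except sqlite3.OperationalError as exc:
        results["vulnerable"] = "error: " + str(exc)
    results["login_ok"] = verify_password(conn, "o'brien", "correct horse battery staple")
    results["login_bad"] = verify_password(conn, "o'brien", "wrong")
    # The stored row holds only salt and digest, never the password itself.
    salt, pw_hash = conn.execute("SELECT salt, pw_hash FROM users").fetchone()
    results["plaintext_stored"] = b"correct horse" in (salt + pw_hash)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The safe lookup returns the row; the vulnerable one fails on a perfectly legitimate name, which is the visible symptom of the same defect that lets crafted input rewrite the query. A database breach of the hashed table yields salts and digests, not the webmail passwords the article warns about.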