Yahoo fails to perform proper Application Security Auditing which leads to Yahoo Email being Hacked
Yahoo was breached by a group calling itself "D33Ds", and roughly 450,000 credentials were dumped; the data came from the Yahoo Voices service (formerly Associated Content). The attackers used a union-based SQL injection to read an older credential store out of the application's database. The passwords in it were reportedly stored in plaintext, not even hashed, let alone salted as they should have been; the LinkedIn breach a month earlier at least exposed hashes, although unsalted SHA-1 hashes are only marginally better.

SQL injection is possible whenever user-supplied input is concatenated into a query string instead of being passed as a bound parameter: whatever the attacker types becomes part of the SQL statement and is executed with the application's database privileges, because the database cannot tell the developer's SQL from the attacker's. Most coverage of this breach does not show what such an attack actually looks like, so consider the following illustrative request (the hostname, table and account names are made up, not Yahoo's):

http://mail.hackedsite.com/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login WHERE login_name='y@hoogle'--

The page expects a numeric id and drops the parameter straight into something like SELECT ... WHERE id = 10. The UNION appends a second SELECT that pulls a password from the login table (TOP 1 is Microsoft SQL Server syntax; other engines use LIMIT), and the trailing -- comments out whatever SQL the application appends after the parameter so the statement stays valid. The password is rendered in the same page the article would have been, and the attacker repeats the request for every account.

The root problem is that Yahoo had not effectively embedded application security specialists alongside its developers within the SDLC (Software Development Life-cycle). Had it done so, a defect this basic would very likely have been caught before release, and security would have been built in as a process rather than bolted on as an afterthought.

If you would like to find out whether you were affected by this compromise, you can check here: http://labs.sucuri.net/?yahooleak=

Six Dimensions has years of application security experience. We have secured some of the largest enterprises and prevented scenarios like this from happening to them. Web application security should be a major concern for any company serving sensitive data through self-service web applications. Integrating security into the development process is a key component of being proactive: it ensures there are no major gaps in the development process and that issues are found and fixed quickly, before an attacker exploits your enterprise for fun and profit. If you would like to engage Six Dimensions so that your company and your clients do not end up compromised, please contact us.
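To make the mechanism concrete, here is an added, self-contained example; it is not code from the original post, from Yahoo, or from Six Dimensions. It uses Python's built-in sqlite3 module and a constructed two-table database rather than the ASP / SQL Server stack the URL above implies. The vulnerable handler concatenates the id parameter into the query, so the UNION payload from the URL returns a password from a separate login table alongside the article title; the parameterised handler binds the same payload as a value and returns nothing. The same payload is then run against a copy of the database whose login table holds salted PBKDF2 hashes instead of plaintext, to show what the attacker gets in each case. All table, column and account names (articles, admin_login, y@hoogle), the sample passwords and the PBKDF2 parameters are assumptions for this example; TOP 1 is dropped because SQLite has no TOP and login_name is unique.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed schema for the example: a public articles table and a login table
# that lives in the same database. Names are illustrative, not Yahoo's.
SCHEMA = """
CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT NOT NULL);
CREATE TABLE admin_login (login_name TEXT PRIMARY KEY, password TEXT NOT NULL);
INSERT INTO articles VALUES (10, 'Ten tips for better passwords');
INSERT INTO articles VALUES (11, 'Why salting matters');
"""

# Constructed sample credentials. In the breached system these sat in plaintext.
ACCOUNTS = {"y@hoogle": "hunter2", "editor": "correct horse battery staple"}

# The injected value of the id parameter from the URL in the text, minus the
# SQL Server specific TOP 1 (login_name is unique, so WHERE already picks one row).
PAYLOAD = "10 UNION SELECT password FROM admin_login WHERE login_name='y@hoogle'--"

PBKDF2_ITERATIONS = 200_000  # assumed work factor for the example


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as salthex$digesthex.
    A stolen table then yields only per-user hashes that must be cracked."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, candidate):
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(stored.split("$", 1)[0])
    return hmac.compare_digest(hash_password(candidate, salt), stored)


def open_db(plaintext=True):
    """In-memory database; the login table holds raw passwords or salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for user, pw in ACCOUNTS.items():
        stored = pw if plaintext else hash_password(pw)
        conn.execute("INSERT INTO admin_login VALUES (?, ?)", (user, stored))
    return conn


def article_titles_vulnerable(conn, id_param):
    """Concatenates the URL parameter into the statement: the defect behind the
    breach. The attacker's UNION becomes part of the query the engine runs."""
    sql = "SELECT title FROM articles WHERE id = " + id_param
    return [row[0] for row in conn.execute(sql)]


def article_titles_safe(conn, id_param):
    """Binds the parameter as a value, so it is never parsed as SQL. Against an
    INTEGER column the non-numeric payload string simply matches no row."""
    rows = conn.execute("SELECT title FROM articles WHERE id = ?", (id_param,))
    return [row[0] for row in rows]


def demo():
    """Run the payload through both handlers against plaintext and hashed stores
    and return what each combination leaks."""
    results = {}
    for label, plaintext in (("plaintext", True), ("hashed", False)):
        conn = open_db(plaintext)
        results[label] = {
            "vulnerable": article_titles_vulnerable(conn, PAYLOAD),
            "safe": article_titles_safe(conn, PAYLOAD),
        }
    return results


if __name__ == "__main__":
    for storage, by_handler in demo().items():
        for handler, rows in by_handler.items():
            print(f"{storage:9s} {handler:10s} -> {rows}")
```

Running it, the vulnerable handler over the plaintext store returns the article title together with hunter2; over the hashed store it returns a salt$hash record that still has to be cracked; the parameterised handler returns an empty list in both cases. Hashing limits the damage of a stolen table but is no substitute for the parameterised query: the same UNION can pull any other column in the database, so both controls belong in the design from the start, which is the point about the SDLC made above.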