Little thing...big mess
Simple SQL injection vulnerability to blame for biggest ever theft of passwords
The largest ever cache of stolen passwords has been amassed using a simple SQL flaw. A Russian e-crime ring absconded with 1.2 billion passwords from 420,000 websites, the New York Times has learned.
Although the group of hackers have set a new record in cybercrime, their black hat technique is by no means new. SQL injections, which occur when an interpreter is tricked by hostile data sent to it as part of a command or query, is an old trick used to trick old code into giving it access to data or even allowing hackers to make commands.
SQL injection is not unlike walking into a tax office and pretending to submit your taxes – only instead you convince the clerk to hand over information about your neighbours. Cybercriminals will set up an automated system that will test sites for injection flaws, according to the New York Times, who broke the story on the password theft. Once a vulnerability is spotted, the individuals can return later to plunder the site of any valuable data.
Injection attacks are a relatively common phenomenon in cybercrime, due to the sheer frequency of the vulnerability. On top of the high success rate, an attack will almost always lead cybercriminals to valuable data, sometimes about the application – in this instance a treasure trove of user passwords.
A SQL injection flaw in the Wall Street Journal was recently exploited by a lone hacker called w0rm to gain access to the newspaper’s database. Flaws like these are often first uncovered by white hat hackers, bounty hunting for vulnerabilities. But many companies like Facebook or Volkswagen have been reluctant to reward benevolent hackers with their “bug bounty”.
Many of the stolen passwords will likely be encrypted, which can be complicated to unscramble. However it seems that the criminals have already successfully spammed many of the victims’ social networks, which implies that the passwords have already been cracked or may even have been unencrypted to begin with.
Defending against injection attacks is “extremely simple"
It’s not only SQL that is vulnerable to Jedi mind tricks like these: NoSQL, LDAP and Xpath queries in legacy code are also open to injection attacks. Although there is extensive documentation on successful defence techniques, which OWASP describe as “extremely simple”. The problem with a black hat method like this, however, is that it can be tricky to spot during testing.
At the same time, it appears that it isn’t (only) amatuer startups or 20th-century companies that have been affected. Hold Security, the US firm that uncovered the theft, claims the Fortune 500 companies are among those to have lost personal user credentials to the cybercriminals.
Securing SQL queries against injection attacks
The Open Web Application Security Project (OWASP) lists three major defence approaches to secure an API against SQL injection attacks. The first is to use prepared statements (or parameterized queries) which make sure the attacker cannot change the intent of query, as a certain Russian cybercrime organisation did.
The second defence is stored procedures, which defines the SQL code for a stored procedure on the database, which is then called from application.
Finally, OWASP suggests alternatively escaping user input before putting it in the query. Although less reliable than the previous two techniques, this method of defence is best for developers worried that prepared statements or stored procedures might slow down a legacy application’s performance.