It was revealed yesterday that Yahoo! Voices was breached. This application is an online publishing application that was developed by Associated Content and later acquired by Yahoo!. It allows consumers to share information on any topic, such as planning a wedding or details on Tom and Katie’s divorce.
Sadly, this breach highlights how enterprises continue to neglect basic security practices. According to the hackers, the breach was enabled by a union-based SQL injection vulnerability in the application, one of the oldest and best-known web attacks. To add insult to injury, the passwords were stored in clear text rather than as salted hashes. One would think the recent LinkedIn breach would have encouraged change, but no. Rather, this episode will only inspire hackers worldwide.
The file published by the hackers appears to contain some 450K usernames and passwords of Yahoo! Voices users. Many of the credentials appear to be obsolete, but the published file suggests that the hackers gained access to the whole database and were able to view private data on 450,000 users such as full name, full address, phone number, bio, education, and date of birth.
Here are some technical details:
Another epic password fail: the app stored each password twice, once AES-encrypted (aes_passwd) and once in clear text (clear_passwd), which, of course, makes the encryption useless. Even the encrypted column is the wrong design: encryption is reversible, so anyone who obtains the key, or compromises the application that holds it, recovers every password. Passwords should be stored only as salted, slow hashes that cannot be turned back into the password.
ac_www =>> fix_ac_user :::: aes_passwd
ac_www =>> fix_ac_user :::: clear_passwd
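As an added example (not Yahoo! Voices code; the aes_passwd and clear_passwd column names are taken from the leaked schema above, everything else is assumed), here is what proper storage looks like: a per-password random salt, a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library), a constant-time comparison on verification, and a one-shot migration that drops both the clear-text and the encrypted copies. The iteration count is an assumption to be tuned to your hardware and current guidance.

```python
import hashlib
import hmac
import os
from typing import Optional

# Iteration count is an assumption; tune it to your hardware and current guidance.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash and return a self-describing
    record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(dk, bytes.fromhex(hash_hex))
    except ValueError:
        # malformed record (wrong field count, bad hex, non-numeric iterations)
        return False


def migrate_legacy_row(row: dict) -> dict:
    """Convert a leaked-style row (username, aes_passwd, clear_passwd) into one
    that keeps only the hash. Having the clear text makes a one-shot migration
    possible; aes_passwd is dropped too, since a reversible copy is still a copy."""
    return {"username": row["username"],
            "passwd_hash": hash_password(row["clear_passwd"])}


if __name__ == "__main__":
    # Constructed sample row, not data from the leak.
    legacy = {"username": "alice", "aes_passwd": "<ciphertext>", "clear_passwd": "hunter2"}
    row = migrate_legacy_row(legacy)
    print(row)
    print(verify_password("hunter2", row["passwd_hash"]))
```

Two users with the same password end up with different records because of the salt, so a leaked table cannot be cracked with one lookup table, and the slow derivation makes guessing each record expensive.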
How was it exploited? According to the hackers, "Method: Union-based SQL Injection", which is the most basic form of SQL injection: the attacker appends a UNION SELECT to the application's own query so that rows from another table (here, the user table) are returned alongside the legitimate results. (For more on stopping SQL injection, read here.)
It's interesting to note that the app used zip code data to gain demographic intelligence on users:
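As an added example (not the hackers' payload and not Yahoo! Voices code), here is the mechanism on a constructed SQLite toy database. The table and column names are assumptions loosely modelled on the names in the leaked dump. The vulnerable search splices user input into the query text, so a payload that closes the string literal, appends a UNION SELECT with the same number of columns from the user table, and comments out the remainder returns usernames and passwords in place of article titles; the parameterized version binds the same input as data and returns nothing.

```python
import sqlite3

# Constructed toy database. Table/column names are assumptions loosely modelled
# on the names in the leaked dump; this is not the real Yahoo! Voices schema.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE fix_ac_user (id INTEGER, username TEXT, clear_passwd TEXT);
        CREATE TABLE ac_article  (id INTEGER, title TEXT, is_public INTEGER);
        INSERT INTO fix_ac_user VALUES (1, 'alice', 'hunter2'), (2, 'bob', 'letmein');
        INSERT INTO ac_article  VALUES (10, 'Planning a wedding', 1), (11, 'Unpublished draft', 0);
    """)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    # VULNERABLE: the search term is spliced into the SQL text, so a quote in
    # the input ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT id, title FROM ac_article "
           "WHERE is_public = 1 AND title LIKE '%" + term + "%'")
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    # FIXED: the term is bound as a parameter; whatever it contains, it can
    # only ever be compared as data against the title column.
    sql = "SELECT id, title FROM ac_article WHERE is_public = 1 AND title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# A union-based payload: close the string, add a SELECT with the same number of
# columns from the user table, and comment out the rest of the original query.
UNION_PAYLOAD = "x' UNION SELECT username, clear_passwd FROM fix_ac_user -- "


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable:", search_vulnerable(conn, UNION_PAYLOAD))  # leaks usernames and passwords
    print("safe:      ", search_safe(conn, UNION_PAYLOAD))        # []
```

The column count in the injected SELECT has to match the original query's, which is why union-based attackers first probe with `ORDER BY n` or `UNION SELECT NULL, NULL, ...` to find it; a WAF can block such probes, but only parameterized queries remove the bug.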
ac_www =>> ac_zip_data :::: ZipCode
ac_www =>> ac_zip_data :::: HouseholdsPerZipCode
ac_www =>> ac_zip_data :::: WhitePopulation
ac_www =>> ac_zip_data :::: BlackPopulation
ac_www =>> ac_zip_data :::: HispanicPopulation
ac_www =>> ac_zip_data :::: PersonsPerHousehold
ac_www =>> ac_zip_data :::: AverageHouseValue
ac_www =>> ac_zip_data :::: IncomePerHousehold
Conclusions
Someone should delete all the TomKat videos and contribute a Yahoo! Voices tutorial on proper password storage methods. Until that's done, here's an enterprise password security guide everyone should read.
This attack highlights the challenges of securing 3rd-party applications. The attacked application was acquired by Yahoo! from a 3rd party, Associated Content, and it's very challenging to run an effective SDLC over code you did not write. Therefore, you need to put such applications behind a WAF, which can block injection attempts like this one while the code is being fixed. A WAF is a compensating control, though, not a substitute: the queries still need to be parameterized and the passwords still need to be hashed.