Millions of user passwords to social networking sites have been exposed, after a serious SQL injection flaw on the Rockyou.com website left login details – stored in plain text – up for grabs.
RockYou – which develops apps for social networking sites including Facebook, Bebo and MySpace – stored usernames, passwords and email addresses in plain text. That’s bad enough in itself, but then an SQL injection flaw on RockYou’s website exposed the information to prying eyes.
Amichai Shulman, chief technology officer with the data security firm Imperva, said the passwords exposed will often be the same as those users utilize for webmail accounts associated with their social networking profiles, creating yet more potential problems.
The first issue is that RockYou attempted to downplay the entire incident, first by covering it up by not notifying users and then downplaying it in an official statement as being an issue that only affected ‘older’ applications. The hacker responsible for the initial breach published a small portion of the dataset he had retrieved and was able to show that not only did he have access to their entire database, but also passwords were stored in the clear. This matter now appears worse than originally suspected as the dataset also contains a table where RockYou have stored user credentials for social networks and other partner sites.
The database consists of a table containing partner data, and another table that has stored the credentials for those partner sites that users have entered. This includes social networks such as MySpace but also webmail accounts.
The initial exploit took advantage of a trivial SQL injection vulnerability, a technique that has been well documented for over a decade. The method of vulnerability is extremely basic in execution, yet catastrophic in impact – which RockYou, and the sites users, are now learning the hard way. It is more of a surprise that this had not happen sooner – as the RockYou platform is a swiss cheese of security vulnerabilities and poor practices.
“The bad news is that the SQL injection flaw could have allowed hackers to access the 32 million entries of user names plus passwords in the Rockyou.com database… since the user names and passwords are by default the same as the user’s webmail account — such as Hotmail, Yahoo or Gmail — this is a major lapse in security,” Shulman said.
“Unfortunately some accounts had already been compromised before the vulnerability was fixed,” Shulman said. “All users need to be cautious and ensure they change their email passwords as their credentials may have been put at risk.”
It’s unclear why RockYou left passwords on its systems without encrypting them in the first place. We dropped a note to the developers asking for a response on this point on Tuesday, but are yet to hear back. We’ll update this story as and when we know more.
RockYou has reportedly fixed the issue, but this may have come too late for some.
Credit: The Register, TechCrunch.com
More on CyberInsecure: