Yahoo! Voices Hacked With SQL Injection – Passwords In Plaintext

Outsmart Malicious Hackers


There’s been a few HUGE cases of large sites being hacked and exposing either plaintext or extremely poorly encrypted passwords, it happened to LinkedIn not that long ago – and the latest case is of Yahoo!.

It wasn’t the main site, but with almost half a million username and password combos exposed – it’s a fairly large leak. It came from the Yahoo! Voices subdomain (Yahoo! Contributor Network) and seems to have been carried out with a fairly basic UNION type SQL Injection.

I imagine the database or old part of the site that powered the Yahoo! Contributor Network was developed way back in history before secure programming was as big (and as prominent) as it is now, and before frameworks took care of most the security nuts and bolts.

A Yahoo security breach that exposed 450,000 usernames and passwords from a site on the huge web portal indicates that the company failed to take even basic precautions to protect the data.

Security experts were befuddled Thursday as to why a company as large as Yahoo would fail to cryptographically store the passwords in its database. Instead, they were left in plain text, which means a hacker could easily read them.

“It is definitely poor security,” Marcus Carey, a security researcher at Rapid7, said. “It’s not even security 101. It’s basic application development 101.”

Yahoo declined a request for an interview, and only emailed a statement confirming the breach that occurred Wednesday. The company said that an “older file” containing roughly 450,000 user names and passwords was stolen from its Contributor Network, a subset of Yahoo’s massive network of Web sites. Membership in the Contributor Network consists of freelance journalists who write content for Yahoo Voices. The network was established following Yahoo’s 2010 acquisition of Associated Content.

Less than 5 percent of the stolen data had valid passwords, Yahoo said. “We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised,” the statement said.

Yahoo! seemed to have taken action fairly quickly, but still this is a very sloppy example of data security – even if it was an old system and a defunct one at that.

Unsurprisingly, the top 5 most common passwords in this data set were extremely easy to guess:

  • 123456
  • password
  • welcome
  • ninja
  • abc123

Ninja is a new entrant though, I don’t remember that being in the old common password lists, such as those in this article: The Top 10 Most Common Passwords


The breach had ramifications far beyond Yahoo, because the portal allowed people registering with the Contributor Network to use credentials from other sites to log in. Carey identified some of the other sites as Google’s Gmail, Microsoft’s Hotmail, AOL, Comcast and Verizon.

A hacker group called D33Ds Company took credit for the breach, and posted a statement on its website saying the attack was a warning. “We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat,” the group said, according to media reports. “There have been many security holes exploited in Web servers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly.”

The hackers claimed to use a common attack method called a SQL injection to access the database that fed the server hosting the site. A SQL injection typically involves sending commands through a search field or a URL to break into a poorly secured site. Tony Perez, chief operating officer for Sucuri, who used to work with defense contractors in developing secure applications, said Yahoo’s overall security lapses were a disservice to its users. “It makes you wonder. If a property like Yahoo at that scale is doing that, and they did it for their Yahoo Voices, what’s the probability of that also occurring in their other properties?”

The Yahoo breach occurred a month after professional social networking site LinkedIn acknowledged that 6.5 million usernames and passwords were stolen and posted on a Russian hacker forum. In that case, the passwords had been stored using a cryptographic method called hashing.

At least LinkedIn had the passwords hashed, albeit without salting – so they were pretty secure (but still not secure enough). Please hash, salt, use a salt on the physical disk from a file – oh there’s so many things developers can do to make sure if their system does get cracked – the damage is limited.

But do they do it, well mostly no – because product owners/managers are pushing out things with feature-set being the priority and anything else being pretty much unimportant.

It does make you wonder though, Yahoo! as an organization – how do they store their passwords for other web properties? I wouldn’t be surprised if it’s done with equal slackness.

Source: Network World

Posted in: Exploits/Vulnerabilities, Privacy, Web Hacking

, , ,


Latest Posts:


BootStomp - Find Bootloader Vulnerabilities BootStomp – Find Android Bootloader Vulnerabilities
BootStomp is a Python-based tool, with Docker support that helps you find two different classes of bootloader vulnerabilities and bugs.
Google Chrome Marking ALL Non-HTTPS Sites Insecure July 2018 Google Chrome Marking ALL Non-HTTPS Sites Insecure July 2018
Google is ramping up its campaign against HTTP only sites and is going to mark ALL Non-HTTPS sites insecure in July 2018 with the release of Chrome 68.
altdns - Subdomain Recon Tool With Permutation Generation altdns – Subdomain Recon Tool With Permutation Generation
Altdns is a subdomain recon tool in Python that allows for the discovery of subdomains that conform to patterns. The tool takes in words that could be present in subdomains under a domain (such as test, dev, staging) as well as takes in a list of subdomains that you know of.
0-Day Flash Vulnerability Exploited In The Wild 0-Day Flash Vulnerability Exploited In The Wild
So another 0-Day Flash Vulnerability is being exploited in the Wild, a previously unknown flaw which has been labelled CVE-2018-4878 and it affects 28.0.0.137 and earlier versions
dorkbot - Command-Line Tool For Google Dorking dorkbot – Command-Line Tool For Google Dorking
dorkbot is a modular command-line tool for Google dorking, which is performing vulnerability scans against a set of web pages returned by Google search queries in a given Google Custom Search Engine.
USBPcap - USB Packet Capture For Windows USBPcap – USB Packet Capture For Windows
USBPcap is an open-source USB Packet Capture tool for Windows that can be used together with Wireshark in order to analyse USB traffic without using a Virtual Machine.


Comments are closed.