Pizza Lovers Suffer Data Breach From Hell 164
netbuzz writes "Some 230,000 New Zealanders have been informed that their personal information has apparently fallen into the hands of hackers who compromised the network of a locally famous food chain, Hell Pizza. The company says it suspects 'a rogue employee,' but one security expert says Hell's ordering portal is 'about 50 steps of fail.' Several New Zealand celebrities are among the victims and at least one is taking the matter in stride, musing: 'My Twitter has been hacked, my Facebook has been hacked and I'm pretty sure half of New Zealand has my phone number already. I have nothing bad to say about Hell.'"
SQL Injection (Score:4, Informative)
This isn't news.
Their server would execute any SQL query sent to it. The SQL queries were hard coded into the Flash objects they used.
Risky.Biz Explaination (Score:5, Informative)
Immediately I spotted the SQL Queries being made by the Flash SWF as part of the query string to the server-side. The Flash client makes queries which are hard-coded in the .swf (this is dumb as it means SQL Injection is effectively a 'feature' of the store).
You could easily alter the query string to show the hashes stored in the MySQL users table. I figured out the version of MySQL was 4.0 (Debian Sarge) - and the hashes in this version are very weak, cracking them would take less than a couple of hours.
MySQL was listening on a remote port, so one could simply log in remotely and run queries or dump the database slowly so as to not be noticed.
Old news, except for Hell (Score:5, Informative)
The original breech was at least one year ago, but Hell chose to ignore it. Whoever made their website allowed SQL code to be run from the url.
Here's a blog [geekzone.co.nz] by the owner of the geekzone forum [geekzone.co.nz] that initially discovered the problem (because someone received spam from a disposable email address they used with the company.
Re:It's a concern... (Score:3, Informative)
Its actually a really nice place. Without a doubt the best place I have been outside Australia. Their government is small scale, but it seems to work better that way.
at least they were upfront about it (Score:5, Informative)
I received an email from Hell just under a week ago:
"Dear Valued Hell Customer,
We have been approached by a party claiming to be in possession of
customer details from the previous Hell website which is no longer in
operation. The samples that we received included details of four customers
from 2006, including phone numbers and email addresses and order
information. We can confirm that credit card data was not at risk as this
is held independently on a secure banking website.
Whilst we are still investigating the matter, we can confirm that the
information was obtained without our knowledge and we have approached the
New Zealand Police with a view to lodging a formal complaint."
They were upfront and open to their clients about the data breach, in a world where most corporates prefer the 'duck and hide' tactic. I appreciated their honesty, and will continue to shop there.
Re:The Good Old Pizza Times (Score:2, Informative)
replying due to unintentional mod.
Re:SQL Injection (Score:4, Informative)
Re:What I don't understand... (Score:1, Informative)
Surely, if that's all they are storing the email address for, they should store a hash of the address instead. Passwords can be recovered by entering the username and email, the email is checked against the hash and then used to send out the password change details.
Less plaintext data in the database means less data escapes during a breach. Yes it would still be possible for addresses to be tested against the exposed hash column in the hope of a few matches, but at least it's not a phishers to-do list.
Re:It's a concern... (Score:1, Informative)
Yes, you also clearly have no sense of humor.
Re:What I don't understand... (Score:4, Informative)
http://www.bluemaumau.org/police_and_collection_agencies_love_dominos_database_pizza_lovers [bluemaumau.org]
They store it and happily sell it.
P.S. dominoes pizza is nasty. Try a real pizza place like a smaller mom and pop that wants to make quality instead of the cheapest high profit one they can.