Security IT

Hacker Grabs 150k Adobe User Accounts Via SQL Injection 64

Posted by samzenpus
from the breaking-in dept.
CowboyRobot writes "Adobe today confirmed that one of its databases has been breached by a hacker and that it had temporarily taken offline the affected Connectusers.com website. The hacker, who also goes by Adam Hima, told Dark Reading that the server he attacked was the Connectusers.com Web server, and that he exploited a SQL injection flaw to execute the attack. 'It was an SQL Injection vulnerability, somehow I was able to dump the database in less requests than normal people do,' he says. Users' passwords for the Adobe Connectusers site were stored and hashed with MD5, he says, which made them 'easy to crack' with freely available tools. And Adobe wasn't using WAFs on the servers, he notes. Tal Beery, a security researcher at Imperva, analyzed the data dump in the Connectusers Pastebin post and found that the list appears to be valid and that the hacked database was relatively old."
  • by travbrad (622986) on Wednesday November 14, 2012 @07:36PM (#41986859)

    A shocking revelation

    • by fuzzyfuzzyfungus (1223518) on Wednesday November 14, 2012 @07:47PM (#41986965) Journal

      This is big news! Adobe has long been a dominant vendor in the market for atrocious desktop security; but here they are demonstrating their capacity for 'big data' and 'cloud-centric' server insecurity solutions. Even better, since the breach compromised the security of numerous individuals at third party companies, I'd say that this is a strong play for the lucrative 'managed insecurity' market enabled by the trend toward IT outsourcing...

      I, for one, am downright bullish about Adobe's prospects for subtracting value from the software ecosystem in new and exciting markets!

    • ...I thought they were called "Researchers"

      Now I'm all confused.

  • MD5?! (Score:2, Funny)

    by Anonymous Coward
    You'd think they'd use security they had more experience with, like rot-13.
  • Unforgivable (Score:5, Informative)

    by geekoid (135745) <dadinportland AT yahoo DOT com> on Wednesday November 14, 2012 @07:43PM (#41986931) Homepage Journal

    SQL injection? what is this, 1993?

    .

    • by Nyder (754090) on Wednesday November 14, 2012 @07:53PM (#41987027) Journal

      SQL injection? what is this, 1993?

      .

      About right, I think they took security out of the budget in 1992.

    • by Anonymous Coward

      My thoughts exactly.

      I mean, this stuff is so thoroughly known that it can be explained to pretty much anybody: http://www.unixwiz.net/techtips/sql-injection.html

      Nowadays REST vulnerabilities are all the rage but I guess it is easier to just use known attacks against companies that are incompetent and sit on their patents.

    • MD5, what is this 1993?

      I am sick of hearing how large companies somehow automatically make good decisions on technology.

      MD5 is long broken and should have been discontinued 10 years ago.
    • by Bengie (1121981)
      SQL injection "exploits" shouldn't be considered "hacking". It's more akin to someone leaving the door to the bank open than someone having to do any serious work.
      • by AK Marc (707885)
        Nah, the bank analogy is if they honored all withdrawal requests, and processed them overnight. If you walk up with a withdrawal for $1,000,000,000 in the name of Bobby Tables, they give you the cash and don't find out until the next day that they do not now, nor have ever had a Bobby Tables with an account there, and the account number 1234 is not in their system either.
    • NoSQL injections are the hot new thing.
    • SQL injection is a common type of hack. The MD5 piece is a bit crazy; it's only 128-bit encryption. I have no idea why they would even do that. MD5 hashes are also used to ensure the data integrity of files; a hash is NOT encryption.
      • by geekoid (135745)

        Yes, it is a common attack, and it's still an unforgivable error on the developer side. They should be fired and move into a field they are more qualified for. I'm thinking something in the service industry.

  • by johnjones (14274) on Wednesday November 14, 2012 @07:55PM (#41987037) Homepage Journal

    although they did a good job verifying the DB I have to wonder why the hacker mentioned this...

  • by NetNinja (469346) on Wednesday November 14, 2012 @08:16PM (#41987197)

    Poor network security standards.

    A simple Web Application Firewall would have prevented that.

    If they can't do something as simple as secure their own website, their products are even worse.

    • by El_Oscuro (1022477) on Wednesday November 14, 2012 @08:30PM (#41987315) Homepage
      I'm not sure how a firewall would prevent SQL injection, as the attack passes through the normal HTTP/HTTPS traffic and their own crappy web application is the attack vector. Then again, setting up any firewall is far more complex than the few lines of code or bind variables needed to stop SQL injection attacks.
      • by ark1 (873448) on Wednesday November 14, 2012 @09:10PM (#41987617)
        A Web Application Firewall will inspect layer 7 traffic and can provide some protection against layer 7 attacks such as SQL injections. They act more like Intrusion Detection/Prevention Systems rather than traditional network firewalls.
        • by El_Oscuro (1022477) on Wednesday November 14, 2012 @10:08PM (#41988079) Homepage

          That is cool. It is nice that you can configure firewalls to protect against layer 7 attacks. It is a great part of defence in depth. If I set up the firewalls I would do this. Of course I don't, and the bureaucracy makes the Vogons look nimble. They would feed their own grandmother to the Ravenous Bugblatter Beast of Traal rather than change the rules. And of course, some other "developer" with some clout would get an exception so his craptastic application still works.

          I love the idea of a Firewall protecting my app, but would rather write the 2 lines of code to ensure my app doesn't get pwned if it doesn't for whatever reason.

          • by ark1 (873448)
            Like you said it should be part of a defence in depth strategy. Good secure coding practices are fundamental and a must but you can't rely on that alone. Deadlines get tight, people/QA get sloppy. Also sometimes you have no choice but to rely on 3rd party applications and who knows how these were developed (what is powering forums at connectusers.com? Site is offline at this time).

            Even with a layered approach, bypassing any security mechanism is still possible but you should keep at least the less skille
            • I think they should just wire C4 into the servers, and inspect the traffic. If an SQL injection is in the stream, detonate C4 charges.

              Simple.

              : D
      • Ya, it'd be easier to just do it right, but I imagine you could set up a firewall to... I dunno... not allow an entire database of several hundred meg to be dumped to a single request.
      • by wmbetts (1306001)

        Mod Security [modsecurity.org] is a good example of a web application firewall.

    • No it wouldn't. Unless they made the site unreachable.
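ark1 describes what a WAF actually does (inspect layer 7 and look for SQL injection in requests) and another commenter suggests refusing to let a whole database leave in one response. The following is an added example, not code from the page, from any commenter, or from any real WAF product: a minimal log inspector that decodes query-string parameters, matches them against a few SQL-syntax indicators, and additionally flags responses far larger than a forum page should be. The log lines, IP addresses, paths and the 1 MB response threshold are all constructed for the demo.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access-log lines in common log format (status and response size
# are the last two fields). Line 2 carries a tautology payload and a huge
# response; line 4 carries a UNION SELECT; lines 1 and 3 are ordinary traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Nov/2012:19:36:00 +0000] "GET /forum/profile.php?id=42 HTTP/1.1" 200 5120
203.0.113.10 - - [14/Nov/2012:19:36:03 +0000] "GET /forum/profile.php?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 48000000
198.51.100.7 - - [14/Nov/2012:19:37:10 +0000] "GET /forum/search.php?q=adobe+connect HTTP/1.1" 200 9800
198.51.100.7 - - [14/Nov/2012:19:37:20 +0000] "GET /forum/search.php?q=1%20UNION%20SELECT%20user%2Cpass%20FROM%20users-- HTTP/1.1" 200 7400
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)$')

# Indicators of SQL syntax inside a parameter value. Deliberately crude: real
# rule sets (e.g. the ModSecurity core rules) are far larger and still bypassable.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s*'?\w*'?\s*=", re.I),             # tautology: ' OR '1'='1
    re.compile(r"\bunion\b.*\bselect\b", re.I),                  # UNION SELECT
    re.compile(r"--\s*$|/\*|;\s*(drop|delete|update)\b", re.I),  # comment / stacked statement
]

# Constructed threshold: a single forum page should never approach this size.
MAX_RESPONSE_BYTES = 1_000_000


def inspect_request(path, response_size):
    """Return a list of reasons this request/response pair looks suspicious (empty if none)."""
    reasons = []
    query = urlsplit(path).query
    for key, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already percent-decodes once; a second unquote catches double-encoding.
        decoded = unquote(value)
        for pattern in SQLI_PATTERNS:
            if pattern.search(decoded):
                reasons.append(f"param {key!r} matches {pattern.pattern!r}")
                break
    if response_size > MAX_RESPONSE_BYTES:
        reasons.append(f"response of {response_size} bytes exceeds {MAX_RESPONSE_BYTES}")
    return reasons


def scan_log(text):
    """Run the inspector over every parseable log line; return (ip, path, reasons) per hit."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        ip, _method, path, _status, size = match.groups()
        reasons = inspect_request(path, int(size))
        if reasons:
            findings.append((ip, path, reasons))
    return findings


if __name__ == "__main__":
    for ip, path, reasons in scan_log(SAMPLE_LOG):
        print(ip, path)
        for reason in reasons:
            print("   ", reason)
```

The size check is the interesting half: it needs no knowledge of the payload and would have fired on a dump even when the injection itself was obfuscated past the signatures. As ark1 and El_Oscuro both say, this belongs in front of an application that already uses bind variables, not instead of them.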
  • by Kergan (780543) on Wednesday November 14, 2012 @08:20PM (#41987245)

    Tal Beery, a security researcher at Imperva, analyzed the data dump in the Connectusers Pastebin post and found that the list appears to be valid and that the hacked database was relatively old.

    Color me puzzled... How the heck does Mr Beery have the slightest damn clue that the list appears to be valid and that -- even more incredibly -- the database was relatively old? He's hacking it every day?

    • by CrispBH (822439)

      I'd assume there's a timestamp column or two for things like last login etc. That would reveal how used the application that uses the database is. Imperva sell WAFs though... and the hacker is focusing on the lack of a WAF? That seems a bit odd to me, but I could be reading too much into it. In any case, it's no bad thing to have a WAF as an extra layer of security, but you should still be immune to such attacks even without one. It should be a nice to have, not a silver bullet (which it never will be).

  • I keep reading headlines one right after another about security hacks. And I feel like I'm getting warning fatigue*, I cannot comprehend how you IT security people are dealing with it. For me I got some computers that ***never*** connect to internet, and damned if I put critical stuff in The Cloud.

    *Warning fatigue: Described in the book, "Breaking The Mishap Chain" http://www.nasa.gov/connect/ebooks/break_mishap_chain_detail.html [nasa.gov] where authors describe when crews of a B1 flight test kept getting caution w

    • Hmmm... I never thought of anything like warning fatigue. It has definitely happened to me though:

      I was a System Admin for a ~50 user company, I had notification alerts on the three servers that would show me anything that appeared in event viewer that was anything higher than "Warning". I got so used to seeing so many random warnings that had no relevance (i.e. Print Spooler service being unable to start, not an issue until I need to print, not worth the time it would take to fix) I eventually pretty
  • by Zaiff Urgulbunger (591514) on Wednesday November 14, 2012 @08:46PM (#41987433)
    What's a WAF? I found Wife Acceptance Factor [wikipedia.org] but it seems doubtful this is the correct answer given the context!
  • Adobe is found guilty of wasting billions of their Windows customers' CPU processes with their "update me now?" TSR...

  • And shot.

    There's really no security team in place at Adobe, is there?

    • If Adobe and its products were put to death, what would replace Photoshop and Illustrator for print work? What vector animation tool would replace Flash CS?
      • by BitZtream (692029)

        On a Mac, Pixelmator would quickly replace Photoshop. You'd be going back several years ... back to when Photoshop sucked a fuckton less than it does now in reference to ... price, features and most importantly UI, but the injection of cash the Pixelmator team got would allow them to build in all the crud/crap you don't want from Photoshop fairly quickly anyway. Medicine would take a minor hit as Medical Photoshop is a weird beast that basically makes any sane person wonder how medical studies are given a

  • by Andy Prough (2730467) on Wednesday November 14, 2012 @08:55PM (#41987495)
    A simple once-per-year post reminding us that ALL of our private data has been sucked out of insecure online databases and is being sold on the Russian (or Indonesian or Egyptian or Chinese or Pennsylvanian) black-market should suffice.
  • It is pretty scary that many people write their frontends in a technology made by these people. And they think that gives them extra security!

    Adobe has crappy security. I've recently had the misfortune of having to work with Flash. I had to send files to the server from the client. Flash had some annoying restriction that you can't send a file to the server unless the user opened a dialog to pick a file. But guess what? It didn't matter because you can still send the files if you use don't use a conve

  • Strikes again!
  • by JDG1980 (2438906) on Thursday November 15, 2012 @04:50AM (#41989777)

    Adobe's level of public irresponsibility is crazy. Every week new vulnerabilities are found in Flash and Reader – more often, and more serious security holes, than in Windows, even though Windows is a whole OS and these programs should be much easier to keep bug-free in comparison. And now we find that they can't even keep their own internal databases safe. Preventing SQL injection really isn't that difficult; there are plenty of websites [bobby-tables.com] that tell you what you need to do. Just using parameterized queries will weed out most of the common SQL exploits. How much of Adobe's programming is being conducted now by people who just don't have any fucking idea what they're doing?

    There really needs to be a good alternative to Photoshop (no, GIMP doesn't count). Flash needs to be phased out as quickly as possible, and people need to stop using Adobe Reader if at all possible, and try to move away from any Reader-specific PDF "features". Most people who use the full version of Acrobat are wasting their money (it's amazing how many people have it installed just so they can print to PDF, when there are free programs that do the exact same thing just as well).

    • by SpzToid (869795)

      Agreed. If I was Microsoft, or Apple for that matter, I'd be all over Adobe for ruining The Platform. Linux users are SOL so far as Adobe is involved, but the Linux users already knew that.
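JDG1980's point that parameterized queries weed out the common SQL exploits, and El_Oscuro's earlier remark about "the few lines of code or bind variables", as an added example that is not code from the page or from any commenter. It uses Python's built-in sqlite3 driver against a constructed in-memory users table; the lookup function, the table contents and the hostile input are all assumptions for the demo. The vulnerable version pastes the input into the SQL text, so a tautology returns every row; the bound-parameter version hands the same input to the driver as a value and returns nothing.

```python
import sqlite3

# Constructed sample data standing in for a forum's user table.
USERS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
    ("carol", "carol@example.invalid"),
]


def make_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Builds the statement with string formatting: the input becomes part of the SQL."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Passes the input as a bind parameter: the driver never parses it as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Return (rows leaked by the vulnerable lookup, rows returned by the safe lookup)."""
    conn = make_db()
    # Constructed hostile input: turns the WHERE clause into a condition that is always true.
    hostile = "' OR '1'='1"
    leaked = lookup_vulnerable(conn, hostile)
    safe = lookup_parameterized(conn, hostile)
    return len(leaked), len(safe)


if __name__ == "__main__":
    print("vulnerable rows, parameterized rows:", demo())
```

Both functions behave identically for a legitimate name such as "alice"; the difference only shows on input the developer did not anticipate, which is exactly why the fix is to never build SQL text from input rather than to filter inputs one sees coming.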

  • by sproketboy (608031) on Thursday November 15, 2012 @08:47AM (#41990825)

    http://www.md5crack.com/ [md5crack.com] uses google to find MD5 strings that have been indexed. No algorithm required.
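The "MD5, what is this 1993?" thread and sproketboy's remark that indexed MD5 strings can simply be looked up both come down to the same property: an unsalted, fast hash of a common password is a fixed string, so recovering it is a table lookup rather than a computation. The following is an added example, not code from the page or from any commenter. It contrasts unsalted MD5 with a salted, iterated PBKDF2-SHA256 hash from Python's standard library; the password list, the tiny lookup table built from it, and the sample dump are all constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed list of common passwords. The lookup table below plays the role of
# a search engine or crack site that has already indexed their MD5 values.
COMMON_PASSWORDS = ["password", "123456", "letmein", "adobe123"]
MD5_LOOKUP = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def md5_store(password):
    """What the thread describes: unsalted MD5. Same password -> same hash for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_reverse(digest):
    """Recover a password from its unsalted MD5 by lookup; None if not in the table."""
    return MD5_LOOKUP.get(digest)


def crack_dump(dump):
    """Return {user: password} for every (user, md5hex) pair whose hash is in the table."""
    return {user: MD5_LOOKUP[h] for user, h in dump if h in MD5_LOOKUP}


def pbkdf2_store(password, iterations=200_000):
    """Salted, iterated hash. A random salt per user makes shared lookup tables useless,
    and the iteration count makes every guess cost real CPU time."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(stored, password):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed dump in the shape the article describes: username plus unsalted MD5.
SAMPLE_DUMP = [
    ("alice", md5_store("adobe123")),
    ("bob", md5_store("123456")),
    ("carol", md5_store("correct horse battery staple 9x!")),
]


if __name__ == "__main__":
    print("recovered from MD5 dump:", crack_dump(SAMPLE_DUMP))
    stored = pbkdf2_store("adobe123")
    print("PBKDF2 record:", stored)
    print("verify correct:", pbkdf2_verify(stored, "adobe123"))
    print("verify wrong:  ", pbkdf2_verify(stored, "123456"))
```

Two users with the same password get two different PBKDF2 records, so nothing precomputed carries over from one account to another, and the iteration count can be raised over time as hardware gets faster. The MD5 half is not a weakness of MD5's collision resistance, which the thread conflates with it; even an unbroken fast hash fails the same way when used unsalted for passwords.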
