Hacker Grabs 150k Adobe User Accounts Via SQL Injection 64
CowboyRobot writes "Adobe today confirmed that one of its databases has been breached by a hacker and that it had temporarily taken offline the affected Connectusers.com website. The hacker, who also goes by Adam Hima, told Dark Reading that the server he attacked was the Connectusers.com Web server, and that he exploited a SQL injection flaw to execute the attack. 'It was an SQL Injection vulnerability, somehow I was able to dump the database in less requests than normal people do,' he says. Users' passwords for the Adobe Connectusers site were stored and hashed with MD5, he says, which made them 'easy to crack' with freely available tools. And Adobe wasn't using WAFs on the servers, he notes. Tal Beery, a security researcher at Imperva, analyzed the data dump in the Connectusers Pastebin post and found that the list appears to be valid and that the hacked database was relatively old."
Adobe has bad security practices? (Score:5, Insightful)
A shocking revelation
Re:Adobe has bad security practices? (Score:5, Funny)
This is big news! Adobe has long been a dominant vendor in the market for atrocious desktop security; but here they are demonstrating their capacity for 'big data' and 'cloud-centric' server insecurity solutions. Even better, since the breach compromised the security of numerous individuals at third party companies, I'd say that this is a strong play for the lucrative 'managed insecurity' market enabled by the trend toward IT outsourcing...
I, for one, am downright bullish about Adobe's prospects for subtracting value from the software ecosystem in new and exciting markets!
Wait... (Score:1)
...I thought they were called "Researchers"
Now I'm all confused.
Obligatory xkcd reference (Score:1, Funny)
MD5?! (Score:2, Funny)
Re: (Score:2)
I'm sorry but rot-13 is no longer secure. I've upgraded everything to rot-26!
Re: (Score:2)
In order to fend off those with modern hardware I've been using rot-104.
I intend to double that every 18 months just to be safe.
Re: (Score:2)
: D
Unforgivable (Score:5, Informative)
SQL injection? what is this, 1993?
.
Re:Unforgivable (Score:5, Funny)
SQL injection? what is this, 1993?
.
About right, I think they took security out of the budget in 1992.
Re: (Score:1)
My thoughts exactly.
I mean, this stuff is so thoroughly known that it can be explained to pretty much anybody: http://www.unixwiz.net/techtips/sql-injection.html
Nowadays REST vulnerabilities are all the rage, but I guess it is easier to just use known attacks against companies that are incompetent and sit on their patents.
Re: (Score:2)
I am sick of hearing how large companies somehow automatically make good decisions on technology.
MD5 is long broken and should have been discontinued 10 years ago.
Re: (Score:2)
Re: (Score:2)
Re:Unforgivable (Score:5, Funny)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Is that anything like drinking no tea?
Re: (Score:1)
Re: (Score:2)
Yes, it is a common attack, and it's still an unforgivable error on the developer side. They should be fired and move into a field they are more qualified for. I'm thinking something in the service industry.
Imperva makes WAFs... (Score:3)
Although they did a good job verifying the DB, I have to wonder why the hacker mentioned this...
Something tells me you will be disappointed... (Score:5, Funny)
http://www.securityweek.com/authors/tal-beery [securityweek.com]
Poor security standards (Score:3, Insightful)
Poor network security standards.
A simple Web Application Firewall would have prevented that.
If they can't do something as simple as secure their own website, their products are even worse.
Re:Poor security standards (Score:4, Insightful)
Re:Poor security standards (Score:5, Informative)
Re:Poor security standards (Score:5, Insightful)
That is cool. It is nice that you can configure firewalls to protect against layer 7 attacks. It is a great part of defence in depth. If I set up the firewalls I would do this. Of course I don't, and the bureaucracy makes the Vogons look nimble. They would feed their own grandmother to the Ravenous Bugblatter Beast of Traal rather than change the rules. And of course, some other "developer" with some clout would get an exception so his craptastic application still works.
I love the idea of a Firewall protecting my app, but would rather write the 2 lines of code to ensure my app doesn't get pwned if it doesn't for whatever reason.
Re: (Score:3)
Even with a layered approach, bypassing any security mechanism is still possible but you should keep at least the less skille
Re: (Score:2)
Simple.
: D
Re: (Score:2)
Re: (Score:3)
Mod Security [modsecurity.org] is a good example of a web application firewall.
Re: (Score:2)
How the heck would he know?!? (Score:4, Interesting)
Tal Beery, a security researcher at Imperva, analyzed the data dump in the Connectusers Pastebin post and found that the list appears to be valid and that the hacked database was relatively old.
Color me puzzled... How the heck does Mr Beery have the slightest damn clue that the list appears to be valid and that -- even more incredibly -- the database was relatively old? He's hacking it every day?
Re: (Score:2)
I'd assume there's a timestamp column or two for things like last login etc. That would reveal how used the application that uses the database is. Imperva sell WAFs though... and the hacker is focusing on the lack of a WAF? That seems a bit odd to me, but I could be reading too much into it. In any case, it's no bad thing to have a WAF as an extra layer of security, but you should still be immune to such attacks even without one. It should be a nice to have, not a silver bullet (which it never will be).
just another crappy day in paradise? (Score:2)
I keep reading headlines one right after another about security hacks. And I feel like I'm getting warning fatigue*, I cannot comprehend how you IT security people are dealing with it. For me I got some computers that ***never*** connect to internet, and damned if I put critical stuff in The Cloud.
*Warning fatigue: Described in the book, "Breaking The Mishap Chain" http://www.nasa.gov/connect/ebooks/break_mishap_chain_detail.html [nasa.gov] where authors describe when crews of a B1 flight test kept getting caution w
Re: (Score:1)
I was a System Admin for a ~50 user company, I had notification alerts on the three servers that would show me anything that appeared in event viewer that was anything higher than "Warning". I got so used to seeing so many random warnings that had no relevance (i.e. Print Spooler service being unable to start, not an issue until I need to print, not worth the time it would take to fix) I eventually pretty
What's a WAF? (Score:3)
Re: (Score:2, Insightful)
To be fair, googling the term isn't very helpful here.
Result #1 is a Google Code project for git. ...
#2 is Wikipedia's wife acceptance factor quoted by GP
#3 is the Wikipedia article covering #1
#4 is acronyms.dictionary showing: WAF, Women in the Air Force (USAF; obsolete). WAF, Warendorf. WAF, WAF, We Are Family
#5 is urban dictionary showing "Wack As Fuck"
#6 is a website for World Architecture Festival
#7 is WPF Application Framework, "The WPF Application Framework (WAF) is a lightweight Framework that helps
Re:What's a WAF? (Score:5, Informative)
Anyway, thanks for all the replies. For the common good, WAF in this article = Web Application Firewall [wikipedia.org]
Re: (Score:2)
In Other News... (Score:2)
Adobe is found guilty of wasting billions of their Windows customers' CPU processes with their "update me now?" TSR...
Adobe needs to be taken out back... (Score:2)
And shot.
There's really no security team in place at Adobe, is there?
After Adobe is executed (Score:3)
Re: (Score:1)
On a Mac, Pixelmator would quickly replace Photoshop. You'd be going back several years ... back to when Photoshop sucked a fuckton less than it does now in reference to ... price, features and most importantly UI, but the injection of cash the Pixelmator team got would allow them to build in all the crud/crap you don't want from Photoshop fairly quickly anyway. Medicine would take a minor hit as Medical Photoshop is a weird beast that basically makes any sane person wonder how medical studies are given a
Don't really need daily hacker updates anymore (Score:5, Funny)
I'm glad Flash is dying (Score:2)
It is pretty scary that many people write their frontends in a technology made by these people. And they think that gives them extra security!
Adobe has crappy security. I've recently had the misfortune of having to work with Flash. I had to send files to the server from the client. Flash had some annoying restriction that you can't send a file to the server unless the user opened a dialog to pick a file. But guess what? It didn't matter because you can still send the files if you use don't use a conve
Little Bobby Tables (Score:2)
Re: (Score:1)
Owners of Adobe software are probably not at risk nearly as much as all the people who now rent Adobe software for a monthly fee.
Adobe doesn't give a shit about security (Score:3)
Adobe's level of public irresponsibility is crazy. Every week new vulnerabilities are found in Flash and Reader – more often, and more serious security holes, than in Windows, even though Windows is a whole OS and these programs should be much easier to keep bug-free in comparison. And now we find that they can't even keep their own internal databases safe. Preventing SQL injection really isn't that difficult; there are plenty of websites [bobby-tables.com] that tell you what you need to do. Just using parameterized queries will weed out most of the common SQL exploits. How much of Adobe's programming is being conducted now by people who just don't have any fucking idea what they're doing?
There really needs to be a good alternative to Photoshop (no, GIMP doesn't count). Flash needs to be phased out as quickly as possible, and people need to stop using Adobe Reader if at all possible, and try to move away from any Reader-specific PDF "features". Most people who use the full version of Acrobat are wasting their money (it's amazing how many people have it installed just so they can print to PDF, when there are free programs that do the exact same thing just as well).
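Added example, not from Adobe, the poster, or any site linked in this thread: the string-built lookup that the injection above abuses beside its parameterized form, and a salted, iterated password hash in place of the bare MD5 the summary describes. The user table, names and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3


def hash_pw(password, salt, rounds=100_000):
    # Salted, iterated hash: unlike bare MD5, a leaked row cannot be
    # looked up in a precomputed table, and each guess costs `rounds` work.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def make_db():
    # Constructed in-memory user table (demo data, not from any real dump).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for name, pw in [("alice", "correct horse"), ("bob", "hunter2")]:
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, hash_pw(pw, salt)))
    return conn


def find_user_vulnerable(conn, name):
    # The caller's text is pasted into the SQL, so it can rewrite the WHERE clause.
    query = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, name):
    # Placeholder binding: the value travels separately from the SQL text and
    # can only ever be compared against the name column, never parsed as SQL.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def login(conn, name, password):
    # Parameterized lookup plus constant-time comparison of the stored hash.
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_pw(password, salt))
```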
Re: (Score:2)
Agreed. If I was Microsoft, or Apple for that matter, I'd be all over Adobe for ruining The Platform. Linux users are SOL so far as Adobe is involved, but the Linux users already knew that.
did he use www.md5crack.com ? (Score:3)
http://www.md5crack.com/ [md5crack.com] uses google to find MD5 strings that have been indexed. No algorithm required.