Reported: 17 February 2008
Occurred: 09 March 2005
Classifications:
- Attack Method: Insufficient Anti-automation
- Country: USA
- Outcome: Leakage of Information
- Vertical: Information Services
The LexisNexis data breach is not new, but we have recently decided to start tracking abuse of insufficient anti-automation measures and are adding historical incidents.
In this incident a group of people opened accounts at data broker LexisNexis and used automated tools to extract a large amount of personal information provided by the service.
As usual in such cases, there is a question of whether the attack was a criminal activity, a violation of the information provider's license agreement, or plainly legal. In this regard it is interesting to note that the group arrested in the incident was also responsible for the hacking of Paris Hilton's Vodafone account, which was clearly an unlawful act.
Back in 2005 this data breach was one of the first such incidents, generated a lot of media interest, and led to more regulation regarding information aggregators. Interestingly, the excuse given by the company was that there was no security failure in the web site, but that the procedures were lacking. We accepted this story at the time, but today we believe that such automation and scraping attacks are among the most dangerous attacks.
References:
Reported: 17 February 2008
Occurred: 09 November 2007
Classifications:
- Attack Method: Unknown
- Country: India
- Outcome: Planting of Malware
- Vertical: Media
The web site of a leading Indian newspaper is swamped with malware. A recent survey by WebSense, cited by The Register, found that of the sites hosting malware, 51% were legitimate sites that had been broken into. This is a major shift in the threat landscape, since keeping to web sites that you know is no longer a good protection strategy. Anecdotally, this undermines WebSense's own web site classification technology as a security solution.
References:
Reported: 17 February 2008
Occurred: 31 January 2008
Classifications:
- Attack Method: Unknown
- Country: Greece
- Outcome: Defacement
- Vertical: Government
This is yet another case of defacement of a governmental web site. It is amazing to note that it is nearly never the large commercial and financial web sites that are defaced. It is either small mom and dad shops or government and political web sites. Don't you get the feeling that government IT is run like a mom and dad shop? Do you wonder if it is only the IT part that is run that way?
References:
Reported: 17 February 2008
Occurred: 23 November 2007
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Country: Global
- Outcome: Defacement
- Vertical: Technology
The standard disclaimer that we do not cover each and every defacement is relevant to this entry as well. So why do we include the defacement incident this time? First and foremost, it is known to be an XSS attack abusing a WordPress zero-day bug. Secondly, it is a targeted attack aiming to deface only Mac-related web sites. Usually targeted defacement attacks are carried out against political targets. Did attacking Apple become a political issue? Was Apple transformed into a nation overnight? Well, certainly into a cult.
References:
Reported: 12 February 2008
Occurred: 11 February 2008
Classifications:
- Attack Method: Unknown
- Country: Ecuador
- Outcome: Defacement
- Vertical: Government
Was it defaced or not? In this extraordinary incident, a hacker broke into the web site of the Ecuadorian president and said nice things about him. So nice, in fact, that the presidential office had to apologize in front of the opposition leader. Was it a hack or an overenthusiastic marketing person?
References:
Reported: 12 February 2008
Occurred: 10 February 2008
Classifications:
- Attack Method: Cross Site Request Forgery (CSRF)
- Country: Korea
- Origin: China
- Outcome: Downtime
- Outcome: Leakage of Information
- Vertical: Retail
A Korean e-commerce site was hacked and a staggering number of records, 18 million, were stolen. In the US this would be front-page news. We don't know if it was front-page news in Korea, but it did not get to the international media.
The attack description is vague but can best be described as session hijacking.
This incident is a great example of the lack of sufficient international coverage at WHID. Help us by sending us non-English incidents! After all, it is not only English speakers that get hacked; it is rather we, the WHID maintainers, who speak only this language.
References:
This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.