Web Application Security Consortium - Web hacking Incidents Database (WHID)

Reported: 19 December 2007
Occurred: 19 December 2007

Classifications:

Attack Method: Cross Site Scripting (XSS)
Country: USA
Outcome: Worm
Vertical: Internet

A vulnerability in the social networking site Orkut that allowed users to inject HTML and JavaScript into their profiles set the stage for a persistent XSS worm that appears to have affected more than 650,000 Orkut users.

References:

The Orkut XSS Worm
Blog Entry, GNU Citizen, 19 December 2007
Orkut XSS
Blog Entry, Sounds From The Dungeon, 19 December 2007
Orkut XSS worm in the wild
Blog Entry, CGI Security, 19 December 2007
Orkut Worm Code (and why was Google so slow to respond?)
Blog Entry, TechnoSocial, 19 December 2007

WHID 2007-65: Facebook suing a porn site over automated access

Reported: 19 December 2007
Occurred: 28 June 2007

Classifications:

Attack Method: Insufficient Anti-automation
Country: USA
Country: Canada
Vertical: Internet

Use of robots and automated software against a web site, as long as it is not done in order to break into the site, falls into a grey area. While hard to classify as an unlawful act, it is usually harmful to the site owner and possibly to the site users. Apart from using valuable resources, such an automated access may breach the site's usage license of public information and might also indicate unlawful activity such as using a botnet. Many times it is hard to know if such a blast of requests is a denial of service attack, brute force password cracking or just a search engine crawler.

Going forward we are going to add such incidents to WHID if there is a reason to believe that they are not friendly, even if the actual goal of the attack cannot be easily classified. The Facebook case at hand is a perfect example: while the details are not clear, the fact that Facebook filed a law suit implies that there is fire behind the smoke.

References:

Facebook vs. John Doe
Court Document, US District Court, San Jose, CA, 23 October 2007
Facebook sues Canadian smut firm over hacking
News Story, The Register, 17 December 2007
Facebook suing Ontario porn firm
News Story, The Star, 16 December 2007

WHID 2007-59: Hackers jack Monster.com, infect job hunters

Reported: 21 November 2007
Occurred: 20 November 2007

Classifications:

Attack Method: Unknown
Country: USA
Outcome: Planting of Malware
Vertical: Internet

A Crimeware iframe tag on a site is not news anymore. On Monster.com it is.

References:

Hackers jack Monster.com, infect job hunters
News Story, Computer World, 20 November 2007

WHID 2007-53: Google's Advanced Search Operators Abused by Spammers

Reported: 07 November 2007
Occurred: 02 November 2007

Classifications:

Attack Method: Redirection
Country: Global
Outcome: Phishing
Vertical: Internet

While most WHID entries are about web site breaches, sometimes vulnerability in a web application is used indirectly. Redirection functions in web applications are commonly used by spammers and phishers. It allows them to include a honest looking URL in their e-mail, this way bypassing spam filters and observant users.

Symantec response team found actively used alternative in the best known page on the internet: Google primary search page. By using the Google famous "I feel lucky" feature, the spammer can automatically lead the victim to the first result of a search. All the spammer is left with is finding a query for which his site would pop up first on Google.

This method has another advantage over a redirection page, as the final target is specified by a search string and not by a URL, bypassing smarter filters that know, or learn, that a URL as a parameter of a URL is most probably redirection.

References:

Google's Advanced Search Operators Abused by Spammers
Blog Entry, Symantec Response Team, 02 November 2007

WHID 2007-27: Files From Google On the Streets

Reported: 12 June 2007
Occurred: 30 May 2007

Classifications:

Attack Method: Unintentional Information Disclosure
Country: USA
Outcome: Leakage of Information
Vertical: Internet

Google left some files at the wrong place at the wrong time. These files includes, surprisingly, database connection strings, including a user name and a password. Hardly news, but this time it is Google.

References:

Google left some files at the wrong place at the wrong time. These files includes, surprisingly, database connection strings, including a user name and a password. Hardly news, but this time it is Google. Breaking News: Files From Google On the Streets
Blog Entry, The Hacker Webzine, 30 May 2007

WHID 2007-20: Pirate Bay breach leaks database

Reported: 14 May 2007
Occurred: 10 May 2007

Classifications:

Attack Method: SQL Injection
Country: Sweden
Outcome: Leakage of Information
Vertical: Internet

Private Bay is a BitTorrent information exchange blog site. Hackers used an SQL Injection vulnerability in the web site to steal 1.6 million users and passwords of the site. At least the passwords where hashed, which means that the hacker would need a cracking software and only the lame passwords will be found. This incident highlights the Web authentication problem. Just think how many of those users use the same username and password in many other sites.

References:

Pirate Bay breach leaks database
News Story, Security Focus, 14 May 2007
User data stolen but not unsecured
Victim's Report, Private Bay, 11 May 2007
Pirate Bay says stolen database safe
News Story, The Inquierer, 14 May 2007

This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.