The Web Hacking Incidents Database
Last update: 17 February 2008
List of incidents for the year 2005
64 incidents listed
Reported: 17 February 2008
Occurred: 09 March 2005
Classifications:
- Attack Method: Insufficient Anti-automation
- Country: USA
- Outcome: Leakage of Information
- Vertical: Information Services
The LexisNexis data breach is not new, but we have recently decided to start tracking abuse of insufficient anti-automation measures and are adding historical incidents.
In this incident a group of people opened accounts at the data broker LexisNexis and used automated tools to extract a large amount of the personal information provided by the service.
As usual in such cases there is a question of whether the attack was a criminal activity, a violation of the information provider's license agreement, or plainly legal. In this regard it is interesting to note that the group arrested in the incident was also responsible for the hacking of Paris Hilton's Vodafone account, which was clearly an unlawful act.
Back in 2005 this data breach was one of the first such incidents; it generated a lot of media interest and led to more regulation regarding information aggregators. Interestingly, the excuse given by the company was that there was no security failure in the web site, but that the procedures were lacking. We accepted this story at the time, but today we believe that such automation and scraping attacks are among the most dangerous attacks.
References:
Reported: 20 November 2007
Occurred: 01 March 2005
Classifications:
- Attack Method: Abuse of Functionality
- Country: USA
- Outcome: Monetary Loss
A woman exploited a bug in the QVC shopping network web site to obtain, without paying, more than 1800 items worth $412,000 between March and November 2005. The glitch enabled her to cancel orders she placed at a specific time and still receive the product.
References:
Reported: 14 August 2007
Occurred: 31 December 2005
Classifications:
While lacking in technical details, this story is certainly juicy. It demonstrates well the business use of web site hacking. The downside is that the hacker got only a minimal punishment, which, unless the incident itself is overrated in the media, is a very bad sign of how courts view computer crime.
References:
Reported: 06 May 2007
Occurred: 03 May 2005
Classifications:
- Attack Method: SQL Injection
- Country: USA
- Origin: Saudi Arabia
- Outcome: Defacement
- Vertical: Technology
This incredible story from our friends at Zone-H sheds light on one of those defacement attacks which usually go unexplained. This time an infamous Saudi-Arabian hacker abused an SQL injection vulnerability in the Internet Explorer Administration Kit web site. And guess what type of SQL injection: a login-form SQL injection!
References:
Reported: 18 April 2007
Occurred: 01 November 2005
Classifications:
- Attack Method: SQL Injection
3,800 customer credit-card numbers were stolen in the attack on the Guidance Software web site. This incident is made more severe by the fact that Guidance Software is a provider of software for investigating security breaches, and many of its clients are security and law enforcement agencies, some of them known to be affected.
As usual in such cases, the actual way in which the information was stolen was not disclosed. A Federal Trade Commission report on the incident, published only in 2007, revealed that the incident was the result of an SQL injection attack on Guidance servers. In a settlement with the FTC, Guidance agreed to implement a comprehensive information security program, including independent, third-party audits every other year for the next ten years.
References:
Reported: 12 April 2006
Occurred: 18 October 2005
Classifications:
- Attack Method: Credential/Session Prediction
- Outcome: Disclosure Only
A bug in Gmail's authentication and session management allows direct login to anybody's account without requiring any involvement of the victim.
References:
Reported: 28 February 2006
Occurred: 18 December 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
A malicious site can offer users a malformed RSS XML file to be included in Yahoo's RSS aggregation, which would enable stealing Yahoo cookies.
References:
Reported: 28 February 2006
Occurred: 22 December 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
An attacker can send an e-mail containing a malicious script to a victim; the script performs its actions immediately when the e-mail is read.
References:
Reported: 28 February 2006
Occurred: 05 December 2005
Classifications:
- Attack Method: Abuse of Functionality
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
An XSS vulnerability when receiving notification of an incoming IM message. Additionally, it is possible to send an IM message to somebody who has blocked such messages by pretending to be answering a message from them.
References:
Reported: 28 February 2006
Occurred: 24 December 2005
Classifications:
- Attack Method: Credential/Session Prediction
- Attack Method: Insufficient Authentication
- Outcome: Disclosure Only
Janus mutual fund uses a predictable identifier to authenticate its shareholders, enabling them to vote on behalf of others.
References:
Reported: 28 February 2006
Occurred: 23 November 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Inserting code in an HTML attachment enables changing the user interface of Yahoo Mail, which may enable fraud.
References:
Reported: 28 February 2006
Occurred: 21 November 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
XSS in the Google Base search function.
References:
Reported: 28 February 2006
Occurred: 21 December 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
A redirection to an error page on Google.com includes values sent by the user. This vulnerability allows phishers to send an e-mail with links to Google that will include their attack page.
References:
- XSS vulnerabilities in Google.com
Advisory, Watchfire, 21 December 2005
- Google Cross-Site Scripting Flaw Fixed
News Story, Beta News, 21 December 2005
- Google plugs 'obscure' phishing holes
News Story, CNet, 21 December 2005
- Google XSS Example
Blog Entry, Chris Shiflett, 21 December 2005
- Google's XSS Vulnerability
Blog Entry, Chris Shiflett, 21 December 2005
Reported: 26 February 2006
Occurred: 01 November 2005
Classifications:
- Attack Method: SQL Injection
A high school student used SQL injection to break into the site of a Taiwanese information security magazine from the Tech Target group and steal customers' information.
References:
Reported: 26 February 2006
Occurred: 01 July 2005
Classifications:
- Attack Method: Known Vulnerability
- Outcome: Disclosure Only
An audit of a major Environmental Protection Agency contract management system uncovered significant security lapses that, if exploited by hackers, could have serious consequences for the agency's operations, assets and personnel. The audit focused on the lack of monitoring for known vulnerabilities on these systems.
References:
Reported: 26 February 2006
Occurred: 27 December 2005
Classifications:
- Attack Method: Unknown
- Outcome: Disclosure Only
The web site used to file online for housing at KU was shut down for lack of proper security measures to prevent visitors from viewing personal information about others.
References:
Reported: 26 February 2006
Occurred: 21 December 2005
Classifications:
User data stolen from an online game web site. The hacker tried to extort RPG by threatening to publish the users' data. The news item states that the hack was a result of a flaw in custom web site software.
References:
Reported: 26 February 2006
Occurred: 14 December 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Netcraft discovered an XSS vulnerability in the NIST web site, which ironically hosts the U.S. National Vulnerability Database.
References:
Reported: 26 February 2006
Occurred: 09 December 2005
Classifications:
A UK church charity web site was hacked and at least 3000 credit card numbers were stolen. The credit card information is known to have been used by the hackers. While no specific details are given, the article indicates the way in which the site was hacked.
References:
Reported: 10 November 2005
Occurred: 10 October 2005
Classifications:
- Attack Method: Other
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
References:
Reported: 10 November 2005
Occurred: 07 November 2005
Classifications:
- Attack Method: Insufficient Authorization
- Outcome: Disclosure Only
References:
Reported: 10 November 2005
Occurred: 21 October 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
XSS in Yahoo Mail, allowing phishing.
References:
Reported: 10 November 2005
Occurred: 21 October 2005
Classifications:
- Attack Method: Insufficient Authentication
- Outcome: Disclosure Only
The software has a default password for teachers, enabling anyone to access the system with teachers' privileges.
References:
Reported: 08 November 2005
Occurred: 04 October 2005
Classifications:
Script upload due to a known vulnerability in Scoop.
References:
Reported: 08 November 2005
Occurred: 10 April 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Worm
The Samy worm at MySpace is now a classic; both a sophisticated attack and a well-documented one, it became a case study in the web application security field. Recently Robert Hansen (RSnake) wrote a very interesting blog entry about Samy and what has happened to him since.
References:
- My Lunch With Samy
Blog Entry, ha.ckers, 10 March 2007
- MySpace XSS worm writer notes
Hacker Notes, bindshell, 10 April 2005
- MySpace XSS worm source
Technical Description, bindshell, 10 April 2005
- MySpace XSS virus development
Technical Description, bindshell, 10 April 2005
- Cross-Site Scripting Worm Hits MySpace
News Story, Beta News, 10 April 2005
Reported: 08 November 2005
Occurred: 28 October 2005
Classifications:
- Attack Method: Other
- Attack Method: Insufficient Authorization
A configuration mistake left an unused virtual host unprotected. No details of the configuration problem are given.
References:
Reported: 08 November 2005
Occurred: 02 November 2005
Classifications:
- Attack Method: Insufficient Authorization
Business Wire allowed access to unpublished press releases.
References:
Reported: 08 November 2005
Occurred: 25 May 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
References:
Reported: 08 November 2005
Occurred: 10 March 2005
Classifications:
- Attack Method: Insufficient Authorization
References:
Reported: 08 November 2005
Occurred: 04 October 2005
Classifications:
- Attack Method: OS Commanding
Exploited an unpatched TWiki installation.
References:
Reported: 12 September 2005
Occurred: 08 September 2005
Classifications:
- Attack Method: Unknown
- Attack Method: Denial of Service
A teen was convicted of threatening an ISP with a DoS attack, among other computer hacking activities.
References:
Reported: 12 September 2005
Occurred: 07 September 2005
Classifications:
A 12-year-old guessed a woman's login information and abused her account, stealing game items from her.
References:
Reported: 04 September 2005
Occurred: 29 August 2005
Classifications:
- Attack Method: Abuse of Functionality
A player of an online game discovered that a considerable delay hinted at the cards the dealer holds.
References:
Reported: 23 August 2005
Occurred: 21 August 2005
Classifications:
- Attack Method: OS Commanding
Sites were defaced by exploiting an issue in an XML-RPC library used by PHP.
References:
Reported: 22 August 2005
Occurred: 12 August 2005
Classifications:
- Attack Method: Insufficient Authentication
- Attack Method: Credential/Session Prediction
- Outcome: Disclosure Only
A web site flaw could have allowed a user to view another subscriber's balance of remaining airtime minutes and the number of minutes that customer had used in the current billing cycle.
References:
Reported: 22 August 2005
Occurred: 18 August 2005
Classifications:
- Attack Method: Insufficient Authentication
References:
Reported: 08 August 2005
Occurred: 03 August 2005
Classifications:
- Attack Method: Weak Password Recovery Validation
- Outcome: Disclosure Only
A weak password recovery procedure at Citrix.
References:
Reported: 08 August 2005
Occurred: 29 July 2005
Classifications:
A bug in an eBay site allowed phishers to redirect users to their own servers after the users had filled in their details at the genuine eBay site.
References:
Reported: 04 August 2005
Occurred: 31 July 2005
Classifications:
Official answer from Blogger: "This was not the result of a hack attempt but of a subtle bug that occurred because our Developer's Network blog is a special case [it's got two names, 'code.blogger.com' and 'code.blogspot.com']."
References:
Reported: 04 August 2005
Occurred: 01 August 2005
Classifications:
References:
Reported: 31 July 2005
Occurred: 30 July 2005
Classifications:
- Attack Method: Insufficient Authentication
- Attack Method: Credential/Session Prediction
- Outcome: Disclosure Only
While not strictly web security, this discussion of hotel room TV application security is a very good example of the dangers of our networked society.
References:
Reported: 31 July 2005
Occurred: 26 July 2005
Classifications:
A man hacked into a competing web site.
References:
Reported: 31 July 2005
Occurred: 28 July 2005
Classifications:
- Attack Method: Path Traversal
- Outcome: Disclosure Only
References:
Reported: 15 July 2005
Occurred: 15 July 2005
Classifications:
References:
- Firefox marketing site hacked
News Story, Zdnet, 15 July 2005
- Firefox marketing site hacked
News Story, C-Net, 15 July 2005
- Promotional firefox community site hacked
News Story, ars technica, 15 July 2005
- SpreadFirefox Site Hacked, Data Leaked
News Story, eWeek, 15 July 2005
- Spread Firefox Downtime
Official Response, Spread Firefox, 15 July 2005
- Mozilla marketing site hacked
News Story, Network World, 15 July 2005
Reported: 11 July 2005
Occurred: 12 January 2005
Classifications:
- Attack Method: Unknown
- Outcome: Disclosure Only
Parameter tampering enabled exposing sensitive information in Gmail.
References:
Reported: 11 July 2005
Occurred: 14 January 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
An XSS vulnerability was found in Froogle.
References:
Reported: 11 July 2005
Occurred: 22 February 2005
Classifications:
- Attack Method: OS Commanding
- Attack Method: Weak Password Recovery Validation
- Attack Method: Insufficient Authentication
Details remain sketchy, but news reports mention social engineering, a guessable secret question for password recovery, and a known vulnerability in BEA WebLogic.
References:
Reported: 11 July 2005
Occurred: 06 July 2005
Classifications:
The Microsoft UK site was defaced due to a server misconfiguration.
References:
Reported: 11 July 2005
Occurred: 07 July 2005
Classifications:
- Attack Method: SQL Injection
The hacker who penetrated Kakaku.com was arrested after breaking into Club Tourism International Inc. The hacking was done in order to earn money to pay for tuition.
References:
Reported: 08 April 2005
Occurred: 08 March 2005
Classifications:
- Attack Method: Unknown
- Outcome: Disclosure Only
An undisclosed application security issue on the Cisco web site required resetting the passwords of all registered users.
References:
- Cisco.com passwords reset after Web site exposure
News Story, Computer World, 08 March 2005
- Cisco Web Site Breached by Hackers
News Story, Beta News, 08 March 2005
- Cisco warns customers of site breach
News Story, Cnet, 08 March 2005
- Cisco Connection Online Compromised?
Mirror of Victim's Response, TaoSecurity Blog, 08 March 2005
- Cisco Web Portal Password Security Compromised
News Story, eWeek, 08 March 2005
Reported:
Occurred: 18 May 2005
Classifications:
- Attack Method: SQL Injection
References:
Reported:
Occurred: 29 July 2005
Classifications:
References:
Reported:
Occurred: 16 February 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
An Israeli public debates site called Hyde Park has an XSS vulnerability that exposes session cookies.
References:
Reported:
Occurred: 02 March 2005
Classifications:
- Attack Method: Credential/Session Prediction
Parameter tampering to jump into someone else's account data.
References:
Reported:
Occurred: 03 March 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Attack Method: Content Spoofing
References:
Reported:
Occurred: 05 July 2005
Classifications:
- Attack Method: SQL Injection
- Attack Method: OS Commanding
- Attack Method: Insufficient Authorization
- Outcome: Disclosure Only
A person who discovered an SQL injection vulnerability in a USC system and informed SecurityFocus about the flaw was criminally charged with breaking into the system.
References:
Reported:
Occurred: 27 June 2005
Classifications:
- Attack Method: Credential/Session Prediction
- Outcome: Disclosure Only
References:
Reported:
Occurred: 27 May 2005
Classifications:
- Attack Method: Insufficient Authorization
- Outcome: Disclosure Only
Files containing sensitive information were left unprotected on the web server.
References:
Reported:
Occurred: 05 May 2005
Classifications:
- Attack Method: Insufficient Authentication
- Outcome: Disclosure Only
An extranet system was accessible to the public.
References:
Reported:
Occurred: 23 February 2005
Classifications:
- Attack Method: Credential/Session Prediction
- Outcome: Disclosure Only
Parameter tampering enabled jumping into someone else's account data on the PayMaxx Inc. site.
References:
Reported:
Occurred: 01 February 2005
Classifications:
- Attack Method: Directory Indexing
- Attack Method: Insufficient Authentication
- Outcome: Leakage of Information
Multiple misconfiguration problems, such as browsable directories, physical path disclosure, and default or weak passwords.
References:
Reported:
Occurred: 03 June 2005
Classifications:
The web site was modified to include password-stealing code.
References:
Reported:
Occurred: 05 June 2005
Classifications:
References:
Reported:
Occurred: 04 June 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
References:
- Microsoft fixes Hotmail hack
News Story, VUnet, 09 June 2005
- Hotmail users exposed to cookie snaffling exploit
News Story, The Register, 08 June 2005
- MSN Site Flaw Exposes Hotmail Accounts to Prying Eyes
News Story, PC Magazine, 07 June 2005
- MSN flaw put Hotmail accounts at risk
News Story, CNet, 06 June 2005
- Hacking hotmail, by Alex de Vries
Technical Information, Personal Web Page, 04 June 2005
This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.