Contributors

Jeremiah Grossman
(WhiteHat Security)

Ofer Shezaf
(Breach Security) [Project Leader]

The Web Hacking Incidents Database
Last update: 07 November 2007

List of incidents of class SQL Injection

Other WASC threat classifications:
Abuse of Functionality, Brute Force, Content Spoofing, Credential/Session Prediction, Cross-site Scripting, Defacement, Denial of Service, Directory Indexing, HTTP Response Splitting, Information Leakage, Insufficient Anti-automation, Insufficient Authentication, Insufficient Authorization, Insufficient Process Validation, Insufficient Session Expiration, Known Vulnerability, Misconfiguration, OS Commanding, Other, Path Traversal, Phishing, Predictable Resource Location, Redirection, SQL Injection, Unknown, Weak Password Recovery Validation, Worm


There are 26 incidents of class SQL Injection
WHID 2007-47: Commerce Bank, a US regional bank, hacked
Date: 10 October 2007
Incident Type: Security Breach
WASC Threat Classification: SQL Injection

3,000 records were exposed and 20 actually stolen at Commerce Bank, a small bank in the central USA. While the vulnerability exploited is not clear, SQL injection was mentioned. The record is therefore uncertain and, depending on further information, it might be withdrawn.

References:

WHID 2007-51: 570 Scarborough & Tweed customers' personal information accessed by SQL injection
Date: 30 September 2007
Incident Type: Security Breach
WASC Threat Classification: SQL Injection

The web servers of Scarborough & Tweed, a company that sells corporate gifts online, were compromised, and information about 570 customers may have been accessed using an SQL injection attack. The information includes customers' names, addresses, telephone numbers, account numbers, and credit card numbers.

References:

WHID 2007-37: United Nations VS SQL Injections
Date: 12 August 2007
Incident Type: Security Breach
WASC Threat Classification: SQL Injection

Defacements are usually beyond the scope of the Web Hacking Incidents Database. We only publish those that stand out, and this one certainly stands out.

The site of the United Nations was broken into and defaced using a pretty basic SQL injection technique; the referenced article has all the details.

References:

WHID 2007-38: Gentoo takes server offline due to security vulnerabilities
Date: 07 August 2007
Incident Type: Security Breach
WASC Threat Classification: OS Commanding, SQL Injection

This gem is very interesting since it happened on Gentoo servers. It therefore combines the transparency into the incident that only an open source project can offer with the importance and resources of a large one. As a result we have a detailed report about the vulnerability, exploit attempts and even people shouting at each other during the patching process. What can we learn from this? That no server is secure, and that patching is hard.

References:

WHID 2007-30: Microsoft UK site defaced
Date: 27 June 2007
Incident Type: Security Breach
WASC Threat Classification: SQL Injection

Yet another defacement, but with a very high profile target, and a detailed description of the attack which took advantage of an SQL injection vulnerability. The report even includes a video recording of the attack.

References:

WHID 2007-20: Pirate Bay breach leaks database
Date: 10 May 2007
Incident Type: Security Breach
WASC Threat Classification: SQL Injection

Pirate Bay is a BitTorrent information exchange blog site. Hackers used an SQL injection vulnerability in the web site to steal 1.6 million usernames and passwords of the site. At least the passwords were hashed, which means that the hacker would need cracking software and only the weak passwords will be found. This incident highlights the Web authentication problem. Just think how many of those users use the same username and password on many other sites.

References:

WHID 2007-19: Hacker accessed data at University of Missouri
Date: 08 May 2007
Incident Type: Security Breach
WASC Threat Classification: SQL Injection

A report within the help desk system used to track the status of open service calls created a file that was accessible to everyone. A hacker abused the problem to get information regarding 22,000 current and former students.

References:

WHID 2007-12: SQL injection at knorr.de login page
Date: 02 March 2007
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting, SQL Injection

While vulnerabilities in public web sites are a dime a dozen these days and rarely included in WHID, a classic SQL injection in the login form on the home page of the web site of a very big company is worth an entry. In my presentation I usually claim that such vulnerabilities disappeared years ago and then go on to show advanced SQL injection techniques. It seems that they still exist.

References:

WHID 2007-21: Belgian Defense Ministry site defaced by Turks
Date: 15 January 2007
Incident Type: Security Breach
WASC Threat Classification: SQL Injection

The site of the Belgian Defense Ministry was defaced by Turks who protested pro-Kurdish remarks by the Belgian government.

References:

WHID 2006-29: SQL Injection in BookMark4u
Date: 20 April 2006
Incident Type: Vulnerability Disclosure
WASC Threat Classification: SQL Injection

References:

WHID 2006-27: SQL Injection in incredibleindia.org
Date: 29 March 2006
Incident Type: Vulnerability Disclosure
WASC Threat Classification: SQL Injection

www.incredibleindia.org is the official Indian government tourism website.

The researcher found that the parameter PageID in the page ms_Page.asp is vulnerable to SQL injection. He further verified that, because SQL error messages are returned to the user, the standard probing methods for finding out the number of columns and their types work.

References:

WHID 2006-10: NUJP website defacement seen not related to political crisis
Date: 02 March 2006
Incident Type: Security Breach
WASC Threat Classification: SQL Injection

A mass defacement of a Philippine hosting service was carried out using SQL injection. It accidentally also defaced the site of the National Union of Journalists of the Philippines, which led some to believe that it was a targeted political attack.

References:

WHID 2006-3: Russian hackers broke into a RI GOV website
Date: 13 January 2006
Incident Type: Security Breach
WASC Threat Classification: SQL Injection

Russian hackers broke into a Rhode Island government Web site and allegedly stole credit card data from individuals who have done business online with state agencies. The hackers claimed to have stolen 53,000 credit card numbers, while the hosting service provider claims the number was just 4,113. The technical reference site is in Russian; you can use Applied Languages Solutions for an online translation.

References:

WHID 2006-22: SQL injection in a banking application
Date: 01 January 2006
Incident Type: Vulnerability Disclosure
WASC Threat Classification: SQL Injection

A CIO of a bank in Singapore reports that many application layer vulnerabilities, including SQL injection, were discovered in a banking application they purchased, before it was put into production.

References:

WHID 2005-62: Guidance Software
Date: 01 November 2005
Incident Type: Security Breach
WASC Threat Classification: SQL Injection

3,800 customer credit-card numbers were stolen in the attack on the Guidance Software web site. This incident is made more severe since Guidance Software is a provider of software for investigating security breaches, and many of its clients are security and law enforcement agencies, some of them known to be affected.

As usual in such cases, the actual way in which the information was stolen was not disclosed. A Federal Trade Commission report on the incident, published only in 2007, revealed that the incident was the result of an SQL injection attack on Guidance servers. In a settlement with the FTC, Guidance agreed to implement a comprehensive information security program, including independent, third-party audits every other year for the next ten years.

References:

WHID 2005-46: Teen uses SQL injection to break to a security magazine web site
Date: 01 November 2005
Incident Type: Security Breach
WASC Threat Classification: SQL Injection

A high school student used SQL injection to break into the site of a Taiwanese information security magazine from the Tech Target group and steal customers' information.

References:

WHID 2005-23: Chinese hacker held in Web data theft
Date: 07 July 2005
Incident Type: Security Breach
WASC Threat Classification: SQL Injection

The hacker who penetrated Kakaku.com was arrested after breaking into Club Tourism International Inc. Hacking was done in order to earn money to pay for tuition.

References:

WHID 2005-21: Insufficient authentication on USC admissions site allowed access to applicants data
Date: 05 July 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authorization, OS Commanding, SQL Injection

A person who discovered an SQL injection vulnerability in a USC system and informed SecurityFocus about the flaw was criminally charged with breaking into the system.

References:

WHID 2005-13: Hacker attacked weak point on Kakaku.com's Web Site
Date: 18 May 2005
Incident Type: Security Breach
WASC Threat Classification: SQL Injection

References:

WHID 2007-18: Microsoft.com defaced
Date: 03 May 2005
Incident Type: Security Breach
WASC Threat Classification: SQL Injection

This incredible story from our friends at Zone-H sheds light on one of those defacement attacks which usually go unexplained. This time an infamous Saudi-Arabian hacker abused an SQL injection vulnerability in the Internet Explorer Administration Kit web site. And guess what type of SQL injection: a login form SQL injection!

References:

WHID 2004-17: The CardSystems breach was an SQL Injection hack
Date: 01 September 2004
Incident Type: Security Breach
WASC Threat Classification: SQL Injection

This entry is a very important one. Most are already familiar with the infamous CardSystems incident, in which hackers stole 263,000 credit card numbers, exposed 40 million more, and several million dollars of fraudulent credit and debit card purchases were made with the resulting counterfeit cards. As a result of the breach CardSystems nearly went out of business and was eventually purchased by PayByTouch. CardSystems is considered by many the most severe publicized information security breach ever, and it caused company shareholders, financial institutions and card holders damage of millions of dollars.

But since the incident was publicized a year ago, the way in which the breach occurred has remained a mystery.

Recently, new articles about the case (listed below) revealed that SQL injection was used by the attackers to install a malicious script on the CardSystems web application database, which was scheduled to run every four days, extract records, zip them and export them to an FTP site.

This is one of the most stunning examples where a web application security hole was used to launch a targeted attack in order to steal money.

References:

WHID 2004-10: SQL Injection and XSS on presidential campaign web sites
Date: 30 June 2004
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting, SQL Injection

References:

WHID 2004-5: More Scary Tales Involving Big Holes In Web-Site Security - Gateway
Date: 02 February 2004
Incident Type: Vulnerability Disclosure
WASC Threat Classification: SQL Injection

References:

WHID 2003-9: Defenses lacking at social network sites
Date: 31 December 2003
Incident Type: Security Breach
WASC Threat Classification: Cross-site Scripting, SQL Injection

References:

WHID 2003-8: SQL Injection in PetCo.com leads to FTC investigation
Date: 05 December 2003
Incident Type: Vulnerability Disclosure
WASC Threat Classification: SQL Injection

References:

WHID 2003-4: SQL injection on Guess site triggers an FTC inquiry
Date: 18 June 2003
Incident Type: Vulnerability Disclosure
WASC Threat Classification: SQL Injection

References:




This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

© Copyright 2005, Web Application Security Consortium. All rights reserved.