Contributors

Jeremiah Grossman
(WhiteHat Security)

Ofer Shezaf
(Breach Security) [Project Leader]

The Web Hacking Incidents Database
Last update: 07 November 2007

List of incidents for 2005

Other years: 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007


There are 62 incidents for 2005
WHID 2005-63: Web designer sentenced for hacking competitor's site
Date: 31 December 2005
Incident Type: Security Breach
WASC Threat Classification:

While lacking in technical details, this story is certainly juicy. It demonstrates well the business use of web site hacking. The downside is that the hacker got only a minimal punishment, which, unless the incident itself is overrated in the media, is a very bad sign of how courts view computer crime.

References:

WHID 2005-60: KU shuts down housing application Web site
Date: 27 December 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Unknown

The web site used to apply online for housing at KU was shut down for lack of proper security measures to prevent visitors from viewing personal information about others.

References:

WHID 2005-59: Vote Someone Else's Shares
Date: 24 December 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Credential/Session Prediction, Insufficient Authentication

The Janus mutual fund uses a predictable identifier to authenticate its shareholders, enabling one shareholder to vote on behalf of others.

References:

WHID 2005-58: Yahoo mail Cross Site Scripting
Date: 22 December 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting

An attacker can send an e-mail containing a malicious script to a victim; the script performs its actions as soon as the e-mail is read.

References:

WHID 2005-57: RPG site bit by hackers
Date: 21 December 2005
Incident Type: Security Breach
WASC Threat Classification: Unknown

User data was stolen from an online game web site. The hacker tried to extort RPG by threatening to publish the users' data. The news item states that the hack was the result of a flaw in custom web site software.

References:

WHID 2005-56: XSS vulnerabilities in Google.com
Date: 21 December 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting

A redirection to an error page on Google.com includes values sent by the user. This vulnerability allows phishers to send an e-mail with links to Google that lead to their attack page.

References:

WHID 2005-55: Yahoo RSS XSS Vulnerability
Date: 18 December 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting

A malicious site can offer users a malformed RSS XML file to be included in Yahoo's RSS aggregation, which would enable stealing Yahoo cookies.

References:

WHID 2005-54: XSS vulnerability in NIST web site
Date: 14 December 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting

Netcraft discovered an XSS vulnerability in the NIST web site, which ironically hosts the U.S. National Vulnerability Database.

References:

WHID 2005-53: Charity Web Site Hacked
Date: 09 December 2005
Incident Type: Security Breach
WASC Threat Classification: Unknown

A UK church charity web site was hacked and at least 3000 credit card numbers were stolen. Credit card information is known to have been used by the hackers. While no specific details are given, the article indicates that the way the site was hacked.

References:

WHID 2005-51: Critical MySpace Vulnerabilities Leave Every Active Account Exploitable
Date: 05 December 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Abuse of Functionality, Cross-site Scripting

An XSS triggered when receiving notification of an incoming IM message. Additionally, it is possible to send an IM message to somebody who has blocked such messages by pretending to be answering a message from them.

References:

WHID 2005-50: XSS on Yahoo Mail
Date: 23 November 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting

Inserting code in an HTML attachment enables changing the user interface of Yahoo Mail, which may enable fraud.

References:

WHID 2005-49: Google Base launched with security hole
Date: 21 November 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting

XSS in the Google Base search function.

References:

WHID 2005-48: Insufficient authorization on Papa John's Pizza chain web site
Date: 07 November 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authorization

References:

WHID 2005-47: SEC Vs. The Estonian Spiders
Date: 02 November 2005
Incident Type: Security Breach
WASC Threat Classification: Insufficient Authorization

Business Wire allowed access to unpublished press releases.

References:

WHID 2005-46: Teen uses SQL injection to break into a security magazine web site
Date: 01 November 2005
Incident Type: Security Breach
WASC Threat Classification: SQL Injection

A high school student used SQL injection to break into the site of a Taiwanese information security magazine from the Tech Target group and steal customers' information.

References:

WHID 2005-62: Guidance Software
Date: 01 November 2005
Incident Type: Security Breach
WASC Threat Classification: SQL Injection

3,800 customer credit-card numbers were stolen in the attack on the Guidance Software web site. This incident is made more severe since Guidance Software is a provider of software for investigating security breaches and many of its clients are security and law enforcement agencies, some of them known to be affected.

As usual in such cases, the actual way in which the information was stolen was not disclosed. A Federal Trade Commission report on the incident, published only in 2007, revealed that the incident was the result of an SQL injection attack on Guidance servers. In a settlement with the FTC, Guidance agreed to implement a comprehensive information security program, including independent, third-party audits every other year for the next ten years.

References:

WHID 2005-44: Xoops web site hacked
Date: 28 October 2005
Incident Type: Security Breach
WASC Threat Classification: Insufficient Authorization, Other

A configuration mistake left an unused virtual host unprotected. No details on the configuration problem are given.

References:

WHID 2005-43: XSS in Yahoo's Web mail enables phishing
Date: 21 October 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting

XSS in Yahoo Mail allows phishing.

References:

WHID 2005-42: Default password in a common application used by schools
Date: 21 October 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authentication

The software has a default password for teachers, enabling anyone to access the system with teacher privileges.

References:

WHID 2005-61: Gmail session management bug
Date: 18 October 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Credential/Session Prediction

A bug in Gmail's authentication and session management allows direct login to anybody's account without requiring any involvement of the victim.

References:

WHID 2005-41: XSS on Google's AdWords enables phishing
Date: 10 October 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting, Other

References:

WHID 2005-40: Defacement of several Novell websites
Date: 04 October 2005
Incident Type: Security Breach
WASC Threat Classification: Other

Script upload due to a known vulnerability in Scoop.

References:

WHID 2005-39: Promotional Firefox community site hacked (again)
Date: 04 October 2005
Incident Type: Security Breach
WASC Threat Classification: OS Commanding

Exploited an unpatched TWiki installation.

References:

WHID 2005-38: Massachusetts Teen Convicted for Hacking into Internet and Telephone Service Providers
Date: 08 September 2005
Incident Type: Security Breach
WASC Threat Classification: Denial of Service, Unknown

Teen convicted of threatening an ISP with a DoS attack, among other computer hacking activities.

References:

WHID 2005-37: A 12-year-old hacked an online game and stole game items
Date: 07 September 2005
Incident Type: Security Breach
WASC Threat Classification: Unknown

A 12-year-old guessed a woman's login information and abused her account, stealing game items from her.

References:

WHID 2005-36: Predictable delay in an online poker game enabled users to beat the casino
Date: 29 August 2005
Incident Type: Security Breach
WASC Threat Classification: Abuse of Functionality

A player of an online game discovered that a considerable delay hinted at the cards the dealer holds.

References:

WHID 2005-35: Stanford University web sites defaced using XMLRPC bug
Date: 21 August 2005
Incident Type: Security Breach
WASC Threat Classification: OS Commanding

Sites were defaced by exploiting an issue in an XML-RPC library used by PHP.

References:

WHID 2005-34: Man logs into dabs.com misc customer account
Date: 18 August 2005
Incident Type: Security Breach
WASC Threat Classification: Insufficient Authentication

References:

WHID 2005-33: Insufficient authorization on Verizon's MyAccount feature
Date: 12 August 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Credential/Session Prediction, Insufficient Authentication

A web site flaw could have allowed a user to view another subscriber's balance of remaining airtime minutes and the number of minutes that customer had used in the current billing cycle.

References:

WHID 2005-32: Weak password recovery on Citrix's site
Date: 03 August 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Weak Password Recovery Validation

Weak password recovery procedure at Citrix.

References:

WHID 2005-31: Hacker forced new planet discovery out of the closet
Date: 01 August 2005
Incident Type: Security Breach
WASC Threat Classification: Unknown

References:

WHID 2005-30: "Blogger Developers Network" Blog, Cracked
Date: 31 July 2005
Incident Type: Security Breach
WASC Threat Classification: Unknown

Official answer from Blogger: "This was not the result of a hack attempt but of a subtle bug that occurred because our Developer's Network blog is a special case [it's got two names, 'code.blogger.com' and 'code.blogspot.com']."

References:

WHID 2005-29: Security issues in interactive hotel TVs
Date: 30 July 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Credential/Session Prediction, Insufficient Authentication

While not strictly web security, this discussion of hotel-room TV application security is a very good example of the dangers of our networked society.

References:

WHID 2005-27: Phishers hack eBay
Date: 29 July 2005
Incident Type: Security Breach
WASC Threat Classification: Unknown

A bug in an eBay site allowed phishers to redirect users to their own servers after filling in details at the genuine eBay site.

References:

WHID 2005-28: Phishers Steal Trust from eBay Sign In Pages
Date: 29 July 2005
Incident Type: Security Breach
WASC Threat Classification: Unknown

References:

WHID 2005-26: NISCC reveals SAP R/3 security flaw
Date: 28 July 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Path Traversal

References:

WHID 2005-25: No Charges Filed Yet Against South Charlotte Computer Hacker
Date: 26 July 2005
Incident Type: Security Breach
WASC Threat Classification: Unknown

A man hacked into a competing web site.

References:

WHID 2005-24: Firefox marketing site hacked
Date: 15 July 2005
Incident Type: Security Breach
WASC Threat Classification: Unknown

References:

WHID 2005-23: Chinese hacker held in Web data theft
Date: 07 July 2005
Incident Type: Security Breach
WASC Threat Classification: SQL Injection

The hacker who penetrated Kakaku.com was arrested after breaking into Club Tourism International Inc. Hacking was done in order to earn money to pay for tuition.

References:

WHID 2005-22: MS UK defaced in hacking attack
Date: 06 July 2005
Incident Type: Security Breach
WASC Threat Classification: Unknown

Microsoft UK site defaced due to server misconfiguration.

References:

WHID 2005-21: Insufficient authentication on USC admissions site allowed access to applicants data
Date: 05 July 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authorization, OS Commanding, SQL Injection

A person who discovered an SQL injection vulnerability in a USC system and informed SecurityFocus about the flaw was criminally charged with breaking into the system.

References:

WHID 2005-20: Security gaps found in EPA contracting system
Date: 01 July 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Known Vulnerability

An audit of a major Environmental Protection Agency contract management system uncovered significant security lapses that, if exploited by hackers, could have serious consequences for the agency's operations, assets and personnel. The audit focused on lack of monitoring for known vulnerabilities on these systems.

References:

WHID 2005-19: Privacy Fears due to insufficient authentication on CVS drugstore chain web site
Date: 27 June 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Credential/Session Prediction

References:

WHID 2005-18: Hacker hits Duke system
Date: 05 June 2005
Incident Type: Security Breach
WASC Threat Classification: Unknown

References:

WHID 2005-17: Leakage of information due to XSS in Hotmail
Date: 04 June 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting

References:

WHID 2005-16: MSN site hacked in South Korea
Date: 03 June 2005
Incident Type: Security Breach
WASC Threat Classification: Unknown

The web site was modified to include password-stealing code.

References:

WHID 2005-15: Unprotected information on the University of Chicago web site
Date: 27 May 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authorization

Files containing sensitive information were left unprotected on the web server.

References:

WHID 2005-14: XSS on Microsoft Xbox site allowed phishing
Date: 25 May 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting

References:

WHID 2005-13: Hacker attacked weak point on Kakaku.com's Web Site
Date: 18 May 2005
Incident Type: Security Breach
WASC Threat Classification: SQL Injection

References:

WHID 2005-12: Insufficient authentication on Arbela mutual insurance allowed access to private data
Date: 05 May 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authentication

Extranet system accessible to the public.

References:

WHID 2007-18: Microsoft.com defaced
Date: 03 May 2005
Incident Type: Security Breach
WASC Threat Classification: SQL Injection

This incredible story from our friends at Zone-H sheds light on one of those defacement attacks, which usually go unexplained. This time an infamous Saudi Arabian hacker abused an SQL injection vulnerability in the Internet Explorer Administration Kit web site. And guess what type of SQL injection: a login-form SQL injection!

References:

WHID 2005-11: XSS Worm Hits MySpace
Date: 10 April 2005
Incident Type: Security Breach
WASC Threat Classification: Cross-site Scripting, Worm

The Samy worm at MySpace is now a classic: both a sophisticated attack and a well-documented one, it became a case study in the web application security field. Recently Robert Hansen (RSnake) wrote a very interesting blog entry about Samy and what has happened to him since.

References:

WHID 2005-10: Indian SATs results leaking
Date: 10 March 2005
Incident Type: Security Breach
WASC Threat Classification: Insufficient Authorization

References:

WHID 2005-9: Undisclosed application security issue on Cisco's site forces global password reset
Date: 08 March 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Unknown

An undisclosed application security issue on the Cisco web site required resetting the passwords of all registered users.

References:

WHID 2005-8: eBay Redirect Becomes Phishing Tool
Date: 03 March 2005
Incident Type: Security Breach
WASC Threat Classification: Content Spoofing, Cross-site Scripting

References:

WHID 2005-7: Hacker Tips Off B-School Applicants
Date: 02 March 2005
Incident Type: Security Breach
WASC Threat Classification: Credential/Session Prediction

Parameter tampering to jump into someone else's account data.

References:

WHID 2005-6: Tampering with parameters allows access to others account data on PayMaxx Inc. site
Date: 23 February 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Credential/Session Prediction

Parameter tampering enabled jumping into someone else's account data on the PayMaxx Inc. site.

References:

WHID 2005-5: Paris Hilton's T-Mobile online account hacked
Date: 22 February 2005
Incident Type: Security Breach
WASC Threat Classification: Insufficient Authentication, OS Commanding, Weak Password Recovery Validation

Details remain sketchy, but news reports mention social engineering, a guessable secret question for password recovery, and a known vulnerability in BEA WebLogic.

References:

WHID 2005-4: An Israeli debate site vulnerable to XSS
Date: 16 February 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting

An Israeli public debates site called Hyde Park has an XSS vulnerability that exposes session cookies.

References:

WHID 2005-3: Misconfiguration issues in paid wireless access and billing applications
Date: 01 February 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Directory Indexing, Information Leakage, Insufficient Authentication

Multiple misconfiguration problems such as browsable directories, physical path disclosure, and default or weak passwords.

References:

WHID 2005-2: Froogle XSS
Date: 14 January 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Cross-site Scripting

An XSS vulnerability was found in Froogle.

References:

WHID 2005-1: Gmail Bug Exposes E-mail messages of other users
Date: 12 January 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Unknown

Parameter tampering enabled exposing sensitive information in Gmail.

References:
This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

© Copyright 2005, Web Application Security Consortium. All rights reserved.