Slashdot Mirror

← Back to Stories (view on slashdot.org)

MySql.com Hacked With Sql Injection

Posted by samzenpus on from the we-got-a-breach dept.

iceco2 writes "MySql.com and associated sites were hacked today. Among other items some simple passwords were recovered and private emails were revealed. Ironically the attack was performed using a blind sql injection attack."

7 of 288 comments (clear)

  1. The work of a lonely developer by danielcolchete · · Score: 4, Insightful

    Even inside a big team of a big company it is amazing how so many people are working by themselves. That's the kind of error that a simple code review by an experienced programmer would have avoided (use bind variables/prepared statements).

  2. Re:That's Not Ironic by 6031769 · · Score: 4, Insightful

    Ironic is when one's words say one thing and one's actions another that contradict it.

    No, that's hypocrisy, not irony. Try again.

    --
    Burns: We're building a casino!
    McAllister: Arrr. Give me 5 minutes.
  3. Re:Too bad by KiloByte · · Score: 5, Insightful

    Let's think if Oracle has something to gain from intentionally tarnishing the reputation of a product they want to kill.

    I'm not saying it's foul play for sure, just pointing out they do have an incentive to do so.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  4. Re:Another report by PopeRatzo · · Score: 5, Insightful

    Note the parent's comment.

    Does anyone still want to challenge my assertion that Slashdot is under an ongoing escalated attack from organized astroturfers of the New Media Strategies and Reputation Defender variety? I'm betting the MS is using in-house talent for this purpose, but it's quite possible that they are using New Media Strategies or another such company to keep the activity at arm's length to provide deniability. I wouldn't be surprised if 100,000 or more of the accounts with UIDs over 1500000 belong to employees of these companies or departments. Slashdot is a good target for them because so many of us are in influential or decision-making positions at our companies or are opinion-drivers due to our reputation as "computer nerds". A Slashdot story with an energetic discussion which is negative on say, AT&T can have an out-sized influence on opinion regarding that company, due to both word of mouth and search engine results.

    One only has to watch any story that is critical of a major US company to see this behavior, which usually shows up as ignorant "frosty piss" trolling followed by >2000000 UID comments (often densely written) followed by a string of sockpuppet "bumping". The tactic is to disrupt the discussion to the point where serious opinion is abandoned. It can work because many don't have java-script enabled so you can't even collapse the offending thread.

    --
    You are welcome on my lawn.
  5. Re:Does xkcd explain it? by Tridus · · Score: 3, Insightful

    I have that comic taped to my door. Any programmer who walks by, reads it, and doesn't laugh is someone I watch VERY carefully when they write any code that touches a database.

    --
    -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
  6. Re:USE BIND VARIABLES by Just+Some+Guy · · Score: 5, Insightful

    SQL = """
    SELECT make, model
    FROM vehicle
    WHERE vin IN (%s)
    """ % ', '.join(["%s"] * len(VINs))

    My eyes, they bleed! Write that like:

    VINs = ("1M8GDM9A_KP042788", "1M8GDM9A_KP042789")
    SQL = """
    SELECT make, model
    FROM vehicle
    WHERE vin = ANY(%(vin)s)"""
    dbconn.execute(SQL, {'vin': VINs})

    Or even better:

    vehicles = session.query(Vehicle).filter(Vehicle.vin.in_(VINs))

    Voila. Those work, they're not hideous, and they prevent injection. To repeat the earlier idea: there's no need to write unsafe code. If you are, you're in the wrong line of work.

    --
    Dewey, what part of this looks like authorities should be involved?
  7. Re:What year is it? by discord5 · · Score: 3, Insightful

    When interviewing people for QA positions, I routinely ask "Do you know what an SQL injection attack is?"

    Hahaha, reminds me of what I used to do to interns. We used to get a bunch of interns every year, and every year we'd have them develop small web applications for internal use. They'd work on their project and after a few weeks we'd come in and evaluate their work, steer them in the right direction (if that wasn't necessary earlier) and do a few tests.

    The first thing I always asked was "Do you have a backup?" and after the inevitable googling of the mysqldump command I'd be an utter bastard and sneak in a DROP TABLE, or DELETE FROM statement in the URL bar, right after id=x, and surely enough most of the times it would work.

    "It looks really great, but I think there's a problem with it. Maybe you want to check the logfiles to see what happened." to see if they'd see what was the problem, and if they didn't I would explain an SQL injection attack to them. Few of them managed to find the solution on google, but most immediately suggested such things as "I'll check for ; in the string" which inevitably led to me trashing their tables about 10 minutes later. I have to say, once they had their tables dropped twice they became real careful of permissions and handling SQL statements.

    In a way I hope they learned something from having a complete bastard as a mentor, although I'm sure that a few of them have already forgotten about that one time a single statement ruined their database. Oh well...