MySql.com Hacked With Sql Injection

← Back to Stories (view on slashdot.org)

MySql.com Hacked With Sql Injection

Posted by samzenpus on Sunday March 27, 2011 @09:36AM from the we-got-a-breach dept.

iceco2 writes "MySql.com and associated sites were hacked today. Among other items some simple passwords were recovered and private emails were revealed. Ironically the attack was performed using a blind sql injection attack."

19 of 288 comments (clear)

Min score:

Reason:

Sort:

Incoming botswarm by symbolset · 2011-03-27 09:40 · Score: 5, Funny

Microsoft web serving products? How dumb can can a bot get? Turing fail.

--
Help stamp out iliturcy.
USE BIND VARIABLES by MoNsTeR · 2011-03-27 09:47 · Score: 4, Interesting

Jesus fuck, people. It's not rocket surgery.
If you use bind variables, you CANNOT be SQL-injected.
If you don't, you can be.
It's that fucking simple. Do The Right Thing.
1. Re:USE BIND VARIABLES by Dunbal · 2011-03-27 10:02 · Score: 4, Funny
  
  Jesus fuck, people. It's not rocket surgery.
  Apparently it's brain science.
  
  --
  Seven puppies were harmed during the making of this post.
2. Re:USE BIND VARIABLES by Just+Some+Guy · 2011-03-27 12:07 · Score: 5, Insightful
  
  SQL = """ SELECT make, model FROM vehicle WHERE vin IN (%s) """ % ', '.join(["%s"] * len(VINs))
  
  My eyes, they bleed! Write that like:
  
  VINs = ("1M8GDM9A_KP042788", "1M8GDM9A_KP042789") SQL = """ SELECT make, model FROM vehicle WHERE vin = ANY(%(vin)s)""" dbconn.execute(SQL, {'vin': VINs})
  
  Or even better:
  
  vehicles = session.query(Vehicle).filter(Vehicle.vin.in_(VINs))
  
  Voila. Those work, they're not hideous, and they prevent injection. To repeat the earlier idea: there's no need to write unsafe code. If you are, you're in the wrong line of work.
  
  --
  Dewey, what part of this looks like authorities should be involved?
3. Re:USE BIND VARIABLES by JustinRLynn · 2011-03-27 15:57 · Score: 4, Informative
  
  You know, I could be a smart arse and say this rules out most people that choose to use PHP, but I think my karma would burn. Oh wait....
Re:Another report by symbolset · 2011-03-27 09:49 · Score: 4, Informative

180 words, under 1 minute by the timestamp. It was actually under 30 seconds. Bot. A prepared response to any article containing "hacked" and "mysql"

--
Help stamp out iliturcy.
Yo Dawg by mrstrano · 2011-03-27 09:56 · Score: 5, Funny

I herd you like Sql, so we injected Sql in your Sql so you can have Sql while you code MySql
1. Re:Yo Dawg by MarkRose · 2011-03-27 10:48 · Score: 5, Funny
  
  An SQL statement walks into a bar and sees two tables and says, "Hello, may I join you?"
  
  --
  Be relentless!
2. Re:Yo Dawg by Sparks23 · 2011-03-27 11:10 · Score: 4, Funny
  
  Honestly, "YourSQL" seems more accurate than "MySQL" given that apparently even the developers can't keep control of their own database. ;P
  
  --
  --Rachel
The work of a lonely developer by danielcolchete · 2011-03-27 10:02 · Score: 4, Insightful

Even inside a big team of a big company it is amazing how so many people are working by themselves. That's the kind of error that a simple code review by an experienced programmer would have avoided (use bind variables/prepared statements).
Re:That's Not Ironic by 6031769 · 2011-03-27 10:04 · Score: 4, Insightful

Ironic is when one's words say one thing and one's actions another that contradict it.
No, that's hypocrisy, not irony. Try again.

--
Burns: We're building a casino!
McAllister: Arrr. Give me 5 minutes.
Yes it is by pavon · 2011-03-27 10:11 · Score: 4, Informative

Ironic is when one's words say one thing and one's actions another that contradict it.
No, that is hypocritical. Situational Irony is where the outcome is has a humorous incongruity or discrepancy from what one would expect, or from what would normally be implied by the situation. The fact that the company which produces and sells MySQL wasn't using SQL correctly is indeed ironic.
Re:Too bad by KiloByte · 2011-03-27 10:39 · Score: 5, Insightful

Let's think if Oracle has something to gain from intentionally tarnishing the reputation of a product they want to kill.
I'm not saying it's foul play for sure, just pointing out they do have an incentive to do so.

--
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
Re:Another report by PopeRatzo · 2011-03-27 10:48 · Score: 5, Insightful

Note the parent's comment.
Does anyone still want to challenge my assertion that Slashdot is under an ongoing escalated attack from organized astroturfers of the New Media Strategies and Reputation Defender variety? I'm betting the MS is using in-house talent for this purpose, but it's quite possible that they are using New Media Strategies or another such company to keep the activity at arm's length to provide deniability. I wouldn't be surprised if 100,000 or more of the accounts with UIDs over 1500000 belong to employees of these companies or departments. Slashdot is a good target for them because so many of us are in influential or decision-making positions at our companies or are opinion-drivers due to our reputation as "computer nerds". A Slashdot story with an energetic discussion which is negative on say, AT&T can have an out-sized influence on opinion regarding that company, due to both word of mouth and search engine results.
One only has to watch any story that is critical of a major US company to see this behavior, which usually shows up as ignorant "frosty piss" trolling followed by >2000000 UID comments (often densely written) followed by a string of sockpuppet "bumping". The tactic is to disrupt the discussion to the point where serious opinion is abandoned. It can work because many don't have java-script enabled so you can't even collapse the offending thread.

--
You are welcome on my lawn.
Re:That's Not Ironic by LordLucless · 2011-03-27 10:51 · Score: 4, Funny

Ironically, the OP correcting someone else for not using ironic correctly is both hypocritical and ironic.

--
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
Re:That's Not Ironic by MarkRose · 2011-03-27 10:55 · Score: 4, Funny

Screwing up irony is the only thing that unleashes the linguists with such ferrousity.

--
Be relentless!
Re:That's Not Ironic by MarkRose · 2011-03-27 11:06 · Score: 4, Funny

Like Oracle not seeing it coming?

--
Be relentless!
Re:That's Not Ironic by dr2chase · 2011-03-27 11:39 · Score: 4, Funny

I think your pun detector is a little rusty.
Re:Another report by hairyfeet · 2011-03-27 12:32 · Score: 4, Interesting

Which is why I have a question: WTF is up with the MS Shill brigade on /. lately? I've only noticed it for about the past three weeks or so, but damned the shit is getting thick. Look at the one that posted on the Nook hack, the very first post is "I Wish Microsoft would have released the Courier" complete with link for those that don't know what that bullshit vaporware was in the first place. I mean did they get a deal on that HB Gary software or what? And why are they so insecure? I mean sure WinPhone is dead last but Windows 7 is nice, and the X360 is doing well. So what is up with the rampant MSFT shilling? Do they fire your ass if you don't post X number of shill posts or something?
As for TFA, garbage in, garbage out. I don't care if you code in VB 6 or Brainfuck if you write sloppy code it WILL come back to bite you in the ass. But trying to blame this on the language, to use a /. car analogy, would be like trying to blame Ford because someone got drunk and hit a kid with their Mustang. A tool is only as good as the person using it, full stop. I've seen clean code and lousy shit in just about every language. It ain't the tool that's the problem it is PEBKAC. But they should get extra points for the sheer irony factor. I mean a site promoting SQL falling for the oldest trick in the book? Bobby Drop Tables anyone?

--
ACs don't waste your time replying, your posts are never seen by me.