Slashdot Mirror


MySql.com Hacked With Sql Injection

iceco2 writes "MySql.com and associated sites were hacked today. Among other items some simple passwords were recovered and private emails were revealed. Ironically the attack was performed using a blind SQL injection attack."

6 of 288 comments

  1. Incoming botswarm by symbolset · Score: 5, Funny

    Microsoft web serving products? How dumb can a bot get? Turing fail.

    --
    Help stamp out iliturcy.
  2. Yo Dawg by mrstrano · Score: 5, Funny

    I herd you like Sql, so we injected Sql in your Sql so you can have Sql while you code MySql

    1. Re:Yo Dawg by MarkRose · Score: 5, Funny

      An SQL statement walks into a bar and sees two tables and says, "Hello, may I join you?"

      --
      Be relentless!
  3. Re:Too bad by KiloByte · Score: 5, Insightful

    Let's think if Oracle has something to gain from intentionally tarnishing the reputation of a product they want to kill.

    I'm not saying it's foul play for sure, just pointing out they do have an incentive to do so.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  4. Re:Another report by PopeRatzo · Score: 5, Insightful

    Note the parent's comment.

    Does anyone still want to challenge my assertion that Slashdot is under an ongoing escalated attack from organized astroturfers of the New Media Strategies and Reputation Defender variety? I'm betting the MS is using in-house talent for this purpose, but it's quite possible that they are using New Media Strategies or another such company to keep the activity at arm's length to provide deniability. I wouldn't be surprised if 100,000 or more of the accounts with UIDs over 1500000 belong to employees of these companies or departments. Slashdot is a good target for them because so many of us are in influential or decision-making positions at our companies or are opinion-drivers due to our reputation as "computer nerds". A Slashdot story with an energetic discussion which is negative on say, AT&T can have an out-sized influence on opinion regarding that company, due to both word of mouth and search engine results.

    One only has to watch any story that is critical of a major US company to see this behavior, which usually shows up as ignorant "frosty piss" trolling followed by >2000000 UID comments (often densely written) followed by a string of sockpuppet "bumping". The tactic is to disrupt the discussion to the point where serious opinion is abandoned. It can work because many don't have JavaScript enabled so you can't even collapse the offending thread.

    --
    You are welcome on my lawn.
  5. Re:USE BIND VARIABLES by Just+Some+Guy · Score: 5, Insightful

    SQL = """
    SELECT make, model
    FROM vehicle
    WHERE vin IN (%s)
    """ % ', '.join(["%s"] * len(VINs))

    My eyes, they bleed! Write that like:

    VINs = ("1M8GDM9A_KP042788", "1M8GDM9A_KP042789")
    SQL = """
    SELECT make, model
    FROM vehicle
    WHERE vin = ANY(%(vin)s)"""
    dbconn.execute(SQL, {'vin': VINs})

    Or even better:

    vehicles = session.query(Vehicle).filter(Vehicle.vin.in_(VINs))

    Voila. Those work, they're not hideous, and they prevent injection. To repeat the earlier idea: there's no need to write unsafe code. If you are, you're in the wrong line of work.

    --
    Dewey, what part of this looks like authorities should be involved?
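Added example (not part of the thread or any commenter's code): the placeholder-per-value pattern the comment above finds ugly, shown beside the form that is actually dangerous, splicing the values into the SQL text. It uses Python's standard sqlite3 module on a constructed in-memory table; sqlite3 uses ? placeholders and has no ANY(array), so the IN (?, ?, ...) expansion is the portable safe form there, while the dbconn/session objects and the psycopg2-style %(vin)s syntax from the comment are not assumed. The two VINs are the ones quoted in the comment; the third VIN and all make/model values are made up.

```python
import sqlite3

# Constructed in-memory table for the demo (not from the original post).
# The first two VINs are the ones quoted in the comment; make/model
# values and the third VIN are made up.
SAMPLE_ROWS = [
    ("1M8GDM9A_KP042788", "Acme", "Roadster"),
    ("1M8GDM9A_KP042789", "Acme", "Coupe"),
    ("ZZZZZZZZZZZZZZZZZ", "Other", "Van"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vehicle (vin TEXT PRIMARY KEY, make TEXT, model TEXT)")
    conn.executemany("INSERT INTO vehicle VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, vins):
    """Vulnerable form: caller-supplied values are spliced into the SQL
    text, so any quote characters in them are parsed as SQL, not data."""
    quoted = ", ".join("'%s'" % v for v in vins)
    sql = "SELECT make, model FROM vehicle WHERE vin IN (%s)" % quoted
    return conn.execute(sql).fetchall()


def lookup_safe(conn, vins):
    """Hardened form: only the placeholder list depends on len(vins); the
    values travel separately as bind parameters and never touch the SQL
    text. This is the portable equivalent of the ANY(array) / in_() forms
    in the comment, since sqlite3 has no array type."""
    if not vins:
        return []
    placeholders = ", ".join(["?"] * len(vins))
    sql = "SELECT make, model FROM vehicle WHERE vin IN (%s)" % placeholders
    return conn.execute(sql, tuple(vins)).fetchall()


def compare(vins):
    """Run both forms on the same input and report what each returned,
    or the parse error the unsafe form raised."""
    conn = make_db()
    try:
        unsafe = lookup_unsafe(conn, vins)
    except sqlite3.OperationalError as exc:
        unsafe = "error: %s" % exc
    return {"unsafe": unsafe, "safe": lookup_safe(conn, vins)}


if __name__ == "__main__":
    # Well-formed input: both forms agree.
    print(compare(["1M8GDM9A_KP042788", "1M8GDM9A_KP042789"]))
    # A value containing a quote: the unsafe form fails to parse (the
    # first sign that quotes are reaching the parser), the safe form
    # simply finds no such VIN.
    print(compare(["O'Brien"]))
    # A value that closes the IN list and appends a tautology: the unsafe
    # form returns every row, the safe form again finds nothing.
    print(compare(["') OR ('1'='1"]))
```

The readability complaint in the comment is separate from the safety question: building the placeholder list from len(VINs) is fine as long as the values themselves are passed as parameters, as lookup_safe does. What makes lookup_unsafe injectable is that the values become part of the SQL string, which is also why a legitimate value with an apostrophe in it breaks the query before anything malicious is involved.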