Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hacker Grabs 150k Adobe User Accounts Via SQL Injection

Posted by samzenpus on from the breaking-in dept.

CowboyRobot writes "Adobe today confirmed that one of its databases has been breached by a hacker and that it had temporarily taken offline the affected Connectusers.com website. The hacker, who also goes by Adam Hima, told Dark Reading that the server he attacked was the Connectusers.com Web server, and that he exploited a SQL injection flaw to execute the attack. 'It was an SQL Injection vulnerability, somehow I was able to dump the database in less requests than normal people do,' he says. Users passwords for the Adobe Connectusers site were stored and hashed with MD5, he says, which made them 'easy to crack' with freely available tools. And Adobe wasn't using WAFs on the servers, he notes. Tal Beery, a security researcher at Imperva, analyzed the data dump in the Connectusers Pastebin post and found that the list appears to be valid and that the hacked database was relatively old."

4 of 64 comments (clear)

  1. Adobe has bad security practices? by travbrad · · Score: 4, Insightful

    A shocking revelation

  2. Poor security standards by NetNinja · · Score: 3, Insightful

    Poor network security standards.

    A simple Web Application Firewall would have prevented that.

    If they can't do something as simple as secure thier own website, thier products are even worse.

    1. Re:Poor security standards by El_Oscuro · · Score: 3, Insightful

      I'm not sure how a firewall would prevent SQL injection, as the attack pass through the normal HTTP/HTTPS traffic and their own crappy web application is the attack vector. Then again, setting up any firewall is far more complex than the few lines of code or bind variables need to stop SQL injection attacks.

      --
      "Be grateful for what you have. You may never know when you may lose it."
    2. Re:Poor security standards by El_Oscuro · · Score: 5, Insightful

      That is cool. It is nice that you can configure firewalls to protect against layer 7 attacks. It is a great part of defence in depth. If I set up the firewalls I would do this. Of course I don't, and the bureaucracy makes the Vogons look nimble. They would feed their own grandmother to the Ravenous Bugblater Beast of Traal rather than change the rules. And of course, some other "developer" with some clout would get an exception so his craptastic application still works.

      I love the idea of a Firewall protecting my app, but would rather write the 2 lines of code to ensure my app doesn't get pwned if it doesn't for whatever reason.

      --
      "Be grateful for what you have. You may never know when you may lose it."