Slashdot Mirror


Hacker Grabs 150k Adobe User Accounts Via SQL Injection

CowboyRobot writes "Adobe today confirmed that one of its databases has been breached by a hacker and that it had temporarily taken offline the affected Connectusers.com website. The hacker, who also goes by Adam Hima, told Dark Reading that the server he attacked was the Connectusers.com Web server, and that he exploited a SQL injection flaw to execute the attack. 'It was an SQL Injection vulnerability, somehow I was able to dump the database in less requests than normal people do,' he says. Users' passwords for the Adobe Connectusers site were stored and hashed with MD5, he says, which made them 'easy to crack' with freely available tools. And Adobe wasn't using WAFs on the servers, he notes. Tal Beery, a security researcher at Imperva, analyzed the data dump in the Connectusers Pastebin post and found that the list appears to be valid and that the hacked database was relatively old."

26 of 64 comments

  1. Adobe has bad security practices? by travbrad · · Score: 4, Insightful

    A shocking revelation

    1. Re:Adobe has bad security practices? by fuzzyfuzzyfungus · · Score: 4, Funny

      This is big news! Adobe has long been a dominant vendor in the market for atrocious desktop security; but here they are demonstrating their capacity for 'big data' and 'cloud-centric' server insecurity solutions. Even better, since the breach compromised the security of numerous individuals at third party companies, I'd say that this is a strong play for the lucrative 'managed insecurity' market enabled by the trend toward IT outsourcing...

      I, for one, am downright bullish about Adobe's prospects for subtracting value from the software ecosystem in new and exciting markets!

  2. MD5?! by Anonymous Coward · · Score: 2, Funny

    You'd think they'd use security they had more experience with, like rot-13.

    1. Re:MD5?! by GoogleShill · · Score: 2

      I'm sorry but rot-13 is no longer secure. I've upgraded everything to rot-26!

  3. Unforgivable by geekoid · · Score: 4, Informative

    SQL injection? what is this, 1993?

    --
    The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect

    1. Re:Unforgivable by Nyder · · Score: 5, Funny

      SQL injection? what is this, 1993?

      About right, I think they took security out of the budget in 1992.

      --
      Be seeing you...

    2. Re:Unforgivable by larry+bagina · · Score: 2

      NoSQL injections are the hot new thing.

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    3. Re:Unforgivable by a_hanso · · Score: 4, Funny

      Actually, a bank analogy is more like you walking up to the bank manager and saying "Hi, I have a complaint about a $100 discrepancy in my WRITE DOWN YOUR BANK VAULT COMBINATION." and the manager hypnotically doing just that.

  4. Imperva make WAFs... by johnjones · · Score: 2

    Although they did a good job verifying the DB, I have to wonder why the hacker mentioned this...

  5. Poor security standards by NetNinja · · Score: 3, Insightful

    Poor network security standards.

    A simple Web Application Firewall would have prevented that.

    If they can't do something as simple as secure their own website, their products are even worse.

    1. Re:Poor security standards by El_Oscuro · · Score: 3, Insightful

      I'm not sure how a firewall would prevent SQL injection, as the attack passes through the normal HTTP/HTTPS traffic and their own crappy web application is the attack vector. Then again, setting up any firewall is far more complex than the few lines of code or bind variables needed to stop SQL injection attacks.

      --
      "Be grateful for what you have. You may never know when you may lose it."

    2. Re:Poor security standards by ark1 · · Score: 4, Informative

      A Web Application Firewall will inspect layer 7 traffic and can provide some protection against layer 7 attacks such as SQL injections. They act more like Intrusion Detection/Prevention Systems rather than traditional network firewalls.

    3. Re:Poor security standards by El_Oscuro · · Score: 5, Insightful

      That is cool. It is nice that you can configure firewalls to protect against layer 7 attacks. It is a great part of defence in depth. If I set up the firewalls I would do this. Of course I don't, and the bureaucracy makes the Vogons look nimble. They would feed their own grandmother to the Ravenous Bugblatter Beast of Traal rather than change the rules. And of course, some other "developer" with some clout would get an exception so his craptastic application still works.

      I love the idea of a Firewall protecting my app, but would rather write the 2 lines of code to ensure my app doesn't get pwned if it doesn't for whatever reason.

      --
      "Be grateful for what you have. You may never know when you may lose it."

    4. Re:Poor security standards by ark1 · · Score: 2

      Like you said it should be part of a defence in depth strategy. Good secure coding practices are fundamental and a must but you can't rely on that alone. Deadlines get tight, people/QA get sloppy. Also sometimes you have no choice but to rely on 3rd party applications and who knows how these were developed (what is powering forums at connectusers.com? Site is offline at this time).

      Even with a layered approach, bypassing any security mechanism is still possible but you should keep at least the less skilled attackers out.

    5. Re:Poor security standards by wmbetts · · Score: 2

      Mod Security is a good example of a web application firewall.

      --
      "Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware

  6. Something tells me you will be disappointed... by denzacar · · Score: 4, Funny

    --
    Mit der Dummheit kämpfen Götter selbst vergebens

  7. How the heck would he know?!? by Kergan · · Score: 3, Interesting

    Tal Beery, a security researcher at Imperva, analyzed the data dump in the Connectusers Pastebin post and found that the list appears to be valid and that the hacked database was relatively old.

    Color me puzzled... How the heck does Mr Beery have the slightest damn clue that the list appears to be valid and that -- even more incredibly -- the database was relatively old? He's hacking it every day?

    1. Re:How the heck would he know?!? by CrispBH · · Score: 2

      I'd assume there's a timestamp column or two for things like last login etc. That would reveal how used the application that uses the database is. Imperva sell WAFs though... and the hacker is focusing on the lack of a WAF? That seems a bit odd to me, but I could be reading too much into it. In any case, it's no bad thing to have a WAF as an extra layer of security, but you should still be immune to such attacks even without one. It should be a nice to have, not a silver bullet (which it never will be) against all attacks. Prepared statements and so on should be mandatory for anyone wishing to call themselves a developer.
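
      The "few lines of code or bind variables" (El_Oscuro) and "prepared statements" (CrispBH) point from the replies above, as an added example that is not code from the thread or from Adobe's site: the same lookup written with string concatenation and with a bound parameter, run against a constructed in-memory SQLite table. The table, rows and probe string are all made up for the demonstration.

      ```python
      import sqlite3


      def make_db() -> sqlite3.Connection:
          """Constructed sample data: a tiny users table, nothing from the real dump."""
          conn = sqlite3.connect(":memory:")
          conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
          conn.executemany(
              "INSERT INTO users (name, email) VALUES (?, ?)",
              [("alice", "alice@example.com"), ("bob", "bob@example.com")],
          )
          return conn


      def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
          # String concatenation: whatever the user typed is spliced into the SQL
          # text, so quote characters and keywords in the input change the query.
          sql = "SELECT name FROM users WHERE name = '" + name + "'"
          return [row[0] for row in conn.execute(sql)]


      def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
          # Bind variable: the driver sends the input as a value, never as SQL,
          # so the query's WHERE clause compares against the literal string.
          return [row[0] for row in conn.execute(
              "SELECT name FROM users WHERE name = ?", (name,)
          )]


      if __name__ == "__main__":
          db = make_db()
          probe = "x' OR '1'='1"  # constructed input containing SQL syntax
          print("concatenated:", lookup_vulnerable(db, probe))  # every row
          print("parameterised:", lookup_safe(db, probe))      # no row
      ```

      With the same probe string, the concatenated query returns every user while the bound version returns nothing, which is the whole difference the commenters are pointing at.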

  8. What's a WAF? by Zaiff+Urgulbunger · · Score: 2

    What's a WAF? I found Wife Acceptance Factor but it seems doubtful this is the correct answer given the context!

    1. Re:What's a WAF? by Anonymous Coward · · Score: 2, Insightful

      To be fair, googling the term isn't very helpful here.

      Result #1 is a google code project for git.
      #2 is wikipedia's wife acceptance factor quoted by GP
      #3 is the wikipedia article covering #1
      #4 is acronyms.dictionary showing: WAF, Women in the Air Force (USAF; obsolete). WAF, Warendorf. WAF, WAF, We Are Family ...
      #5 is urban dictionary showing "Wack As Fuck"
      #6 is a website for World Architecture Festival
      #7 is WPF Application Framework, "The WPF Application Framework (WAF) is a lightweight Framework that helps you to create well structured WPF Applications"
      #8 is a sub-page of #1 containing documentation

      #9, the last result on the search, is finally "Web Application Firewall (WAF) - Real time protection from Web ..." from http://www.imperva.com/products/wsc_web-application-firewall.html

      Your snarky "let me google that for you" provides eight incorrect answers to his question!
      If you don't even know the answer and can't be bothered to even pretend to, perhaps you should stop complaining about others who actually put in effort to remove part of their ignorance.

    2. Re:What's a WAF? by Zaiff+Urgulbunger · · Score: 4, Informative

      Yeah, I blame the editors too -- quite frankly, standards here have slipped!

      Anyway, thanks for all the replies. For the common good, WAF in this article = Web Application Firewall

  9. Adobe needs to be taken out back... by HerculesMO · · Score: 2

    And shot.

    There's really no security team in place at Adobe, is there?

    --
    The price is always right if someone else is paying.

  10. Don't really need daily hacker updates anymore by Andy+Prough · · Score: 4, Funny

    A simple once-per-year post reminding us that ALL of our private data has been sucked out of insecure online databases and is being sold on the Russian (or Indonesian or Egyptian or Chinese or Pennsylvanian) black-market should suffice.

  11. After Adobe is executed by tepples · · Score: 2

    If Adobe and its products were put to death, what would replace Photoshop and Illustrator for print work? What vector animation tool would replace Flash CS?

  12. Adobe doesn't give a shit about security by JDG1980 · · Score: 2

    Adobe's level of public irresponsibility is crazy. Every week new vulnerabilities are found in Flash and Reader – more often, and more serious security holes, than in Windows, even though Windows is a whole OS and these programs should be much easier to keep bug-free in comparison. And now we find that they can't even keep their own internal databases safe. Preventing SQL injection really isn't that difficult; there are plenty of websites that tell you what you need to do. Just using parameterized queries will weed out most of the common SQL exploits. How much of Adobe's programming is being conducted now by people who just don't have any fucking idea what they're doing?

    There really needs to be a good alternative to Photoshop (no, GIMP doesn't count). Flash needs to be phased out as quickly as possible, and people need to stop using Adobe Reader if at all possible, and try to move away from any Reader-specific PDF "features". Most people who use the full version of Acrobat are wasting their money (it's amazing how many people have it installed just so they can print to PDF, when there are free programs that do the exact same thing just as well).

  13. did he use www.md5crack.com ? by sproketboy · · Score: 2

    http://www.md5crack.com/ uses google to find MD5 strings that have been indexed. No algorithm required.
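
    The summary's remark that unsalted MD5 made the passwords "easy to crack" and this comment's point that a lookup table needs "no algorithm" are shown below in an added example (not code from the thread, Adobe, or md5crack.com): a constructed leak of MD5 hashes is recovered by a plain dictionary lookup, while a per-user salt with PBKDF2 (Python's standard `hashlib.pbkdf2_hmac`) gives every user a different digest that no shared table can index. All passwords and account names are made up.

    ```python
    import hashlib
    import hmac
    import os

    ITERATIONS = 100_000  # assumed work factor for the demonstration


    def md5_store(password: str) -> str:
        """The weak scheme the thread describes: one fast, unsalted hash."""
        return hashlib.md5(password.encode()).hexdigest()


    def lookup_crack(stored: dict, table: dict) -> dict:
        """Recover every account whose hash appears in a precomputed table.

        No algorithm beyond a dictionary lookup, which is why identical,
        unsalted hashes across users (and across sites) are so exposed.
        """
        return {user: table[h] for user, h in stored.items() if h in table}


    def pbkdf2_store(password: str, salt: bytes = b"") -> tuple:
        """Hardened scheme: random per-user salt plus a deliberately slow KDF."""
        salt = salt or os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return salt, digest


    def pbkdf2_verify(password: str, salt: bytes, digest: bytes) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return hmac.compare_digest(candidate, digest)


    # Constructed sample data, not from the real dump.
    COMMON_PASSWORDS = ["password", "123456", "letmein"]
    PRECOMPUTED_MD5 = {md5_store(p): p for p in COMMON_PASSWORDS}
    LEAKED_MD5 = {
        "alice": md5_store("letmein"),
        "bob": md5_store("letmein"),
        "carol": md5_store("Qv7#mLp2!wz"),  # not in the table, stays unrecovered
    }

    if __name__ == "__main__":
        print(lookup_crack(LEAKED_MD5, PRECOMPUTED_MD5))
        s1, d1 = pbkdf2_store("letmein")
        s2, d2 = pbkdf2_store("letmein")
        print("same password, different digests:", d1 != d2)
    ```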