An attacker using an SQL injection vulnerability recently downloaded 150,000 user emails and passwords from an Adobe database in an effort to underscore the security shortcomings at large companies, Dark Reading reported. Adobe confirmed the breach and temporarily took the affected website, Connectusers.com, offline.
Egyptian hacker Adam Hima, who goes by the handle “ViruS_HimA,” explained that he was able to dump the database using fewer requests than a normal user would need because of an SQL injection vulnerability. He leaked only a portion of the affected emails, noting that the leak was not malicious but rather a statement, a response to Adobe’s typically slow handling of vulnerability disclosures. Hima claimed that, once notified of vulnerabilities, Adobe takes as long as three or four months to fix them.
“I just want to be clear that I’m not going against Adobe or any other company,” he told Dark Reading. “I just want to see the biggest vendors safer than this. Every day we see attacks targeting big companies using exploits in Adobe, Microsoft, etc. So why don’t such companies take the right security procedures to protect their customers and even themselves?”
Handling SQL injection threats
An October trend report from Imperva found that SQL injection is now tied with DDoS as the most discussed topic on hacker forums. In 2011, it was ranked second. Despite the prevalence of such exploits, the study noted, very few security products can detect them, and spending on prevention remains low.
In a separate Dark Reading article, experts noted that the responsibility for preventing SQL injection exploits largely falls on developers. Flawed coding practices often create unnecessary risks, Andrew Moulton, senior software development engineer at Vigilant, told Dark Reading. He explained that coders should not assume they can outsmart the query planner and should instead incorporate SQL injection concerns into development. By using source code analysis tools, for instance, developers can spot problems as they occur in the code, rather than planning to patch vulnerabilities as they arise.
“If you prevent [SQL injection] by remembering to sanitize each bit of input that goes to the database, then you have not solved the problem, you are using a band-aid with a failure rate – it’s Russian Roulette,” blogger Gustavo Duarte explained. “But you can truly solve the problem by using an architecture or tools such that SQL Injections are impossible to cause.”
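The architectural fix Duarte describes is parameterized queries: the database driver binds user input as a value, so it can never be parsed as SQL. The added example below (not from the article or any of the parties it quotes) puts a string-concatenated lookup next to a bound-parameter lookup over a small constructed table; the table layout and the example addresses are assumptions.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample table; not real data from any breach."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [
            ("alice@example.com", "hash-a"),
            ("bob@example.com", "hash-b"),
            ("carol@example.com", "hash-c"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    """String concatenation: the caller's text becomes part of the SQL grammar.

    Any quote character in `email` changes the meaning of the statement, which
    is the defect the article's attacker exploited. Shown only as the 'before'
    half of the comparison; never use this form.
    """
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, email):
    """Bound parameter: the value travels separately from the statement text.

    The driver never re-parses `email` as SQL, so no amount of input
    'sanitizing' is needed for the query to stay correct.
    """
    sql = "SELECT email FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # classic tautology input used to show the difference
    print("concatenated :", lookup_vulnerable(db, probe))   # every row leaks
    print("parameterized:", lookup_parameterized(db, probe))  # no match at all
```

A defender can grep a code base for the concatenated form (`"... = '" + ...`) and treat every hit as a finding, whereas the bound form needs no per-input review.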
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.