
Hacker Grabs 150k Adobe User Accounts Via SQL Injection

samzenpus posted about a year and a half ago | from the breaking-in dept.

Security 64

CowboyRobot writes "Adobe today confirmed that one of its databases has been breached by a hacker and that it had temporarily taken offline the affected Connectusers.com website. The hacker, who also goes by Adam Hima, told Dark Reading that the server he attacked was the Connectusers.com Web server, and that he exploited a SQL injection flaw to execute the attack. 'It was an SQL Injection vulnerability, somehow I was able to dump the database in less requests than normal people do,' he says. Users' passwords for the Adobe Connectusers site were stored and hashed with MD5, he says, which made them 'easy to crack' with freely available tools. And Adobe wasn't using WAFs on the servers, he notes. Tal Beery, a security researcher at Imperva, analyzed the data dump in the Connectusers Pastebin post and found that the list appears to be valid and that the hacked database was relatively old."


64 comments

Why am I not surprised (0)

Anonymous Coward | about a year and a half ago | (#41986851)

http://it.slashdot.org/comments.pl?sid=3250037&cid=41978225

Management at Adobe needs to get their technical **** together.

Adobe has bad security practices? (4, Insightful)

travbrad (622986) | about a year and a half ago | (#41986859)

A shocking revelation

Re:Adobe has bad security practices? (4, Funny)

fuzzyfuzzyfungus (1223518) | about a year and a half ago | (#41986965)

This is big news! Adobe has long been a dominant vendor in the market for atrocious desktop security; but here they are demonstrating their capacity for 'big data' and 'cloud-centric' server insecurity solutions. Even better, since the breach compromised the security of numerous individuals at third party companies, I'd say that this is a strong play for the lucrative 'managed insecurity' market enabled by the trend toward IT outsourcing...

I, for one, am downright bullish about Adobe's prospects for subtracting value from the software ecosystem in new and exciting markets!

MD5?! (2, Funny)

Anonymous Coward | about a year and a half ago | (#41986897)

You'd think they'd use security they had more experience with, like rot-13.

Unforgivable (4, Informative)

geekoid (135745) | about a year and a half ago | (#41986931)

SQL injection? what is this, 1993?

.

Re:Unforgivable (5, Funny)

Nyder (754090) | about a year and a half ago | (#41987027)

SQL injection? what is this, 1993?

.

About right, I think they took security out of the budget in 1992.

Re:Unforgivable (1)

Anonymous Coward | about a year and a half ago | (#41987209)

My thoughts exactly.

I mean, this stuff is so thoroughly known that it can be explained to pretty much anybody: http://www.unixwiz.net/techtips/sql-injection.html

Nowadays REST vulnerabilities are all the rage, but I guess it is easier to just use known attacks against companies that are incompetent and sit on their patents.

Re:Unforgivable (1)

davydagger (2566757) | about a year and a half ago | (#41987585)

MD5, what is this 1993?

I am sick of hearing how large companies somehow automatically make good decisions on technology.

MD5 is long broken and should have been discontinued 10 years ago.

Re:Unforgivable (1)

Bengie (1121981) | about a year and a half ago | (#41987627)

SQL injection "exploits" shouldn't be considered "hacking". It's more akin to someone leaving the door to the bank open than someone having to do any serious work.

Re:Unforgivable (0)

Anonymous Coward | about a year and a half ago | (#41987943)

The correct name is "Code Kiddie" aka "Script Kiddie".

Re:Unforgivable (1)

AK Marc (707885) | about a year and a half ago | (#41988183)

Nah, the bank analogy is if they honored all withdrawal requests, and processed them overnight. If you walk up with a withdrawal for $1,000,000,000 in the name of Bobby Tables, they give you the cash and don't find out until the next day that they do not now, nor have ever had a Bobby Tables with an account there, and the account number 1234 is not in their system either.

Re:Unforgivable (4, Funny)

a_hanso (1891616) | about a year and a half ago | (#41989351)

Actually, a bank analogy is more like you walking up to the bank manager and saying "Hi, I have a complaint about a $100 discrepancy in my WRITE DOWN YOUR BANK VAULT COMBINATION." and the manager hypnotically doing just that.

Re:Unforgivable (1)

helix2301 (1105613) | about a year and a half ago | (#41990615)

SQL injection is a common type of hack. The MD5 piece is a bit crazy; it's only 128-bit encryption. I have no idea why they would even do that. MD5 hashes are also used to ensure the data integrity of files; a hash is NOT encryption.
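An added example (not from any poster in this thread) of why unsalted MD5 is the wrong tool for stored passwords, as davydagger and helix2301 object above: the same password yields the same stored value for every user and can be tested at full hash speed, whereas a per-user salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256 from Python's hashlib here) removes both properties. The accounts and passwords are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (hypothetical); two users chose the same password.
USERS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "Tr0ub4dor&3"}


def md5_store(password: str) -> str:
    """The scheme the thread criticises: one fast, unsalted MD5 per password."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password: str, iterations: int = 600_000) -> str:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def duplicate_hashes(store_fn) -> int:
    """Count stored values that repeat across users: with unsalted MD5 every
    shared password is visible at a glance, with a random salt it is not."""
    stored = [store_fn(pw) for pw in USERS.values()]
    return len(stored) - len(set(stored))


if __name__ == "__main__":
    print("MD5 duplicates:", duplicate_hashes(md5_store))        # 1
    print("PBKDF2 duplicates:", duplicate_hashes(pbkdf2_store))  # 0
```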

Re:Unforgivable (1)

geekoid (135745) | about a year and a half ago | (#41993333)

Yes, it is a common attack, and it's still an unforgivable error on the developer side. They should be fired and move into a field they are more qualified for. I'm thinking something in the service industry.

Re:Unforgivable (0)

Anonymous Coward | about a year and a half ago | (#41993217)

Sure, that's probably the last time the server was patched. Big heads and egos working in IT these days but very little work getting done. I first started in IT back in 1990. Now so-called engineers just talk a lot but do little.

Imperva make WAF... (2)

johnjones (14274) | about a year and a half ago | (#41987037)

although they did a good job verifying the DB I have to wonder why the hacker mentioned this...

HAAAAAX! Whaaaaa (-1)

Anonymous Coward | about a year and a half ago | (#41987043)

Lol STFU noobs, nobody is hacking!

Poor security standards (3, Insightful)

NetNinja (469346) | about a year and a half ago | (#41987197)

Poor network security standards.

A simple Web Application Firewall would have prevented that.

If they can't do something as simple as secure their own website, their products are even worse.

Re:Poor security standards (3, Insightful)

El_Oscuro (1022477) | about a year and a half ago | (#41987315)

I'm not sure how a firewall would prevent SQL injection, as the attack passes through the normal HTTP/HTTPS traffic and their own crappy web application is the attack vector. Then again, setting up any firewall is far more complex than the few lines of code or bind variables needed to stop SQL injection attacks.

Re:Poor security standards (4, Informative)

ark1 (873448) | about a year and a half ago | (#41987617)

A Web Application Firewall will inspect layer 7 traffic and can provide some protection against layer 7 attacks such as SQL injections. They act more like Intrusion Detection/Prevention Systems rather than traditional network firewalls.

Re:Poor security standards (5, Insightful)

El_Oscuro (1022477) | about a year and a half ago | (#41988079)

That is cool. It is nice that you can configure firewalls to protect against layer 7 attacks. It is a great part of defence in depth. If I set up the firewalls I would do this. Of course I don't, and the bureaucracy makes the Vogons look nimble. They would feed their own grandmother to the Ravenous Bugblatter Beast of Traal rather than change the rules. And of course, some other "developer" with some clout would get an exception so his craptastic application still works.

I love the idea of a Firewall protecting my app, but would rather write the 2 lines of code to ensure my app doesn't get pwned if it doesn't for whatever reason.

Re:Poor security standards (2)

ark1 (873448) | about a year and a half ago | (#41988525)

Like you said it should be part of a defence in depth strategy. Good secure coding practices are fundamental and a must but you can't rely on that alone. Deadlines get tight, people/QA get sloppy. Also sometimes you have no choice but to rely on 3rd party applications and who knows how these were developed (what is powering forums at connectusers.com? Site is offline at this time).

Even with a layered approach, bypassing any security mechanism is still possible but you should keep at least the less skilled attackers out.

Re:Poor security standards (1)

fourchannel (946359) | about a year and a half ago | (#41997571)

I think they should just wire C4 into the servers, and inspect the traffic. If an SQL injection is in the stream, detonate C4 charges.

Simple.

: D

Re:Poor security standards (1)

Charliemopps (1157495) | about a year and a half ago | (#41988081)

Ya, it'd be easier to just do it right, but I imagine you could set up a firewall to... I dunno... not allow an entire database of several hundred meg to be dumped to a single request.
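An added example, not from the thread or from any WAF vendor, of the layer 7 inspection ark1 describes and the response-size ceiling Charliemopps suggests, run over constructed access-log lines; the two signatures and the 1 MB threshold are illustrative assumptions, and the point of the small signature list is the one made above, that this is a layer on top of correct code rather than a substitute for it.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (Combined-style; not from Adobe or the thread).
LOG_LINES = [
    '10.0.0.5 - - [13/Nov/2012:10:01:02 +0000] "GET /forum/search.php?q=photoshop HTTP/1.1" 200 18342',
    '10.0.0.9 - - [13/Nov/2012:10:01:07 +0000] "GET /forum/search.php?q=%27+OR+%271%27%3D%271 HTTP/1.1" 200 2510',
    '10.0.0.9 - - [13/Nov/2012:10:01:15 +0000] "GET /forum/user.php?id=5+UNION+SELECT+email%2Cpw_hash+FROM+users HTTP/1.1" 200 83886080',
    '10.0.0.5 - - [13/Nov/2012:10:02:00 +0000] "GET /forum/user.php?id=5 HTTP/1.1" 200 4120',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)$'
)

# Two textbook signatures. A signature list is never complete, which is why the
# thread treats a WAF as one layer on top of bind variables, not a replacement.
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),   # ' OR '1'='1
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),    # UNION SELECT ...
]

# Illustrative ceiling (assumption): no single forum request should return a
# response anywhere near the size of the whole database.
MAX_RESPONSE_BYTES = 1_000_000


def inspect(line: str) -> list:
    """Return the findings for one log line (an empty list means nothing flagged)."""
    m = LOG_RE.match(line)
    if m is None:
        return ["unparseable"]
    findings = []
    # Decode once, the way the application would, so %27 is seen as a quote.
    for name, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        if any(p.search(value) for p in SQLI_PATTERNS):
            findings.append(f"sqli-pattern:{name}")
    if int(m["bytes"]) > MAX_RESPONSE_BYTES:
        findings.append("oversized-response")
    return findings


def triage(lines) -> dict:
    """Map line index -> findings for every line that raised at least one."""
    return {i: f for i, line in enumerate(lines) if (f := inspect(line))}


if __name__ == "__main__":
    for i, f in triage(LOG_LINES).items():
        print(i, f)
```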

How the heck would he know?!? (3, Interesting)

Kergan (780543) | about a year and a half ago | (#41987245)

Tal Beery, a security researcher at Imperva, analyzed the data dump in the Connectusers Pastebin post and found that the list appears to be valid and that the hacked database was relatively old.

Color me puzzled... How the heck does Mr Beery have the slightest damn clue that the list appears to be valid and that -- even more incredibly -- the database was relatively old? He's hacking it every day?

Re:How the heck would he know?!? (0)

Anonymous Coward | about a year and a half ago | (#41987365)

Age can be determined by the domain names of the emails. Too many hotmail.coms and aol.coms leads him to believe it's an old database. It must be valid, most of the emails are photog@ or psuser@.

Re:How the heck would he know?!? (0)

Anonymous Coward | about a year and a half ago | (#41987395)

Most enterprise databases store timestamps on absolutely everything, so he probably just looked at the last value.

Re:How the heck would he know?!? (2)

CrispBH (822439) | about a year and a half ago | (#41987455)

I'd assume there's a timestamp column or two for things like last login etc. That would reveal how used the application that uses the database is. Imperva sell WAFs though... and the hacker is focusing on the lack of a WAF? That seems a bit odd to me, but I could be reading too much into it. In any case, it's no bad thing to have a WAF as an extra layer of security, but you should still be immune to such attacks even without one. It should be a nice to have, not a silver bullet (which it never will be) against all attacks. Prepared statements and so on should be mandatory for anyone wishing to call themselves a developer.

just another crappy day in paradise? (1)

k6mfw (1182893) | about a year and a half ago | (#41987359)

I keep reading headlines one right after another about security hacks. And I feel like I'm getting warning fatigue*, I cannot comprehend how you IT security people are dealing with it. For me I got some computers that ***never*** connect to internet, and damned if I put critical stuff in The Cloud.

*Warning fatigue: Described in the book, "Breaking The Mishap Chain" http://www.nasa.gov/connect/ebooks/break_mishap_chain_detail.html [nasa.gov] where authors describe when crews of a B1 flight test kept getting caution warnings that were not urgent so habitually ignored even though one of those warnings was center-of-gravity parameter. Ignoring this warning was serious as it caused aircraft to go out of control when wings were swept and aircraft not balanced.

Re:just another crappy day in paradise? (1)

davewoods (2450314) | about a year and a half ago | (#41991591)

Hmmm... I never thought of anything like warning fatigue. It has definitely happened to me though:

I was a System Admin for a ~50 user company, I had notification alerts on the three servers that would show me anything that appeared in event viewer that was anything higher than "Warning". I got so used to seeing so many random warnings that had no relevance (i.e. Print Spooler service being unable to start, not an issue until I need to print, not worth the time it would take to fix) I eventually pretty much stopped paying attention to the warnings entirely. Luckily, the one day I actually glanced at them was the same day one of the HDDs in the NAS got a predictive SMART error. I was incredibly fortunate, and was able to get a spare ordered and replaced before any real damage was done.

I bet the B1 situation was significantly more dangerous than my HDD thing, but you know.

What's a WAF? (2)

Zaiff Urgulbunger (591514) | about a year and a half ago | (#41987433)

What's a WAF? I found Wife Acceptance Factor [wikipedia.org] but it seems doubtful this is the correct answer given the context!

Re:What's a WAF? (0)

Anonymous Coward | about a year and a half ago | (#41987551)

Really? Couldn't be bothered to spend 30 seconds looking WAF up? Gimme a break: http://bit.ly/SNBaxt *sigh* modern slashdot...

Re:What's a WAF? (2, Insightful)

Anonymous Coward | about a year and a half ago | (#41987735)

To be fair, googling the term isn't very helpful here.

Result #1 is a google code project for git.
#2 is wikipedia's wife acceptance factor quoted by GP
#3 is the wikipedia article covering #1
#4 is acronyms.dictionary showing: WAF, Women in the Air Force (USAF; obsolete). WAF, Warendorf. WAF, WAF, We Are Family ...
#5 is urban dictionary showing "Wack As Fuck"
#6 is a website for World Architecture Festival
#7 is WPF Application Framework, "The WPF Application Framework (WAF) is a lightweight Framework that helps you to create well structured WPF Applications"
#8 is a sub-page of #1 containing documentation

#9, the last result on the search, is finally "Web Application Firewall (WAF) - Real time protection from Web ..." from http://www.imperva.com/products/wsc_web-application-firewall.html [imperva.com]

Your snarky "let me google that for you" provides eight incorrect answers to his question!
If you don't even know the answer and can't be bothered to even pretend to, perhaps you should stop complaining about others who actually put in effort to remove part of their ignorance.

Re:What's a WAF? (0)

Anonymous Coward | about a year and a half ago | (#41987847)

I Googled "WAF" and got meaningless results, so I Googled "WAF Security" and found out the term.

I think if anything, it's the fault of the editors for not including a definition.

Re:What's a WAF? (0)

Anonymous Coward | about a year and a half ago | (#41987695)

Web Application Firewall.

See https://www.owasp.org/index.php/Web_Application_Firewall

In Other News... (1)

fred911 (83970) | about a year and a half ago | (#41987449)

Adobe is found guilty of wasting billions of their Windows customers' CPU processes with their "update me now?" TSR...

Adobe needs to be taken out back... (2)

HerculesMO (693085) | about a year and a half ago | (#41987459)

And shot.

There's really no security team in place at Adobe, is there?

After Adobe is executed (2)

tepples (727027) | about a year and a half ago | (#41987519)

If Adobe and its products were put to death, what would replace Photoshop and Illustrator for print work? What vector animation tool would replace Flash CS?

Re:After Adobe is executed (1)

BitZtream (692029) | about a year and a half ago | (#41989105)

On a Mac, Pixelmator would quickly replace Photoshop. You'd be going back several years ... back to when Photoshop sucked a fuckton less than it does now in reference to ... price, features and most importantly UI, but the injection of cash the Pixelmator team got would allow them to build in all the crud/crap you don't want from Photoshop fairly quickly anyway. Medicine would take a minor hit as Medical Photoshop is a weird beast that basically makes any sane person wonder how medical studies are given any credibility at all.

Don't really need daily hacker updates anymore (4, Funny)

Andy Prough (2730467) | about a year and a half ago | (#41987495)

A simple once-per-year post reminding us that ALL of our private data has been sucked out of insecure online databases and is being sold on the Russian (or Indonesian or Egyptian or Chinese or Pennsylvanian) black-market should suffice.

I'm glad Flash is dying (1)

bigsexyjoe (581721) | about a year and a half ago | (#41987547)

It is pretty scary that many people write their frontends in a technology made by these people. And they think that gives them extra security!

Adobe has crappy security. I've recently had the misfortune of having to work with Flash. I had to send files to the server from the client. Flash had some annoying restriction that you can't send a file to the server unless the user opened a dialog to pick a file. But guess what? It didn't matter because you can still send the files if you don't use a convenience method. Their stupid security measure wasted a half hour of my time. And it does nothing for security because I'm completely new to Flash and I still beat the measure.

Re:I'm glad Flash is dying (0)

Anonymous Coward | about a year and a half ago | (#41988795)

Wrong. The Flash security model does not attempt to require applications to pop a dialog box in order to upload a file to a server. I have absolutely no idea how you got that impression, but it's clearly written in their documentation that there are methods for uploading data without this. The real key is that things like that generally require a user action, such as clicking.

Spending 30 minutes with a technology doesn't qualify you to review it. And Flash isn't dying. Sorry.

That's why I pirate my Adobe software (0)

Anonymous Coward | about a year and a half ago | (#41988327)

Thank goodness I took precautions.

Re:That's why I pirate my Adobe software (1)

BitZtream (692029) | about a year and a half ago | (#41989109)

Owners of Adobe software are probably not at risk nearly as much as all the people who now rent Adobe software for a monthly fee.

Adobe doesn't give a shit about security (2)

JDG1980 (2438906) | about a year and a half ago | (#41989777)

Adobe's level of public irresponsibility is crazy. Every week new vulnerabilities are found in Flash and Reader – more often, and more serious security holes, than in Windows, even though Windows is a whole OS and these programs should be much easier to keep bug-free in comparison. And now we find that they can't even keep their own internal databases safe. Preventing SQL injection really isn't that difficult; there are plenty of websites [bobby-tables.com] that tell you what you need to do. Just using parameterized queries will weed out most of the common SQL exploits. How much of Adobe's programming is being conducted now by people who just don't have any fucking idea what they're doing?

There really needs to be a good alternative to Photoshop (no, GIMP doesn't count). Flash needs to be phased out as quickly as possible, and people need to stop using Adobe Reader if at all possible, and try to move away from any Reader-specific PDF "features". Most people who use the full version of Acrobat are wasting their money (it's amazing how many people have it installed just so they can print to PDF, when there are free programs that do the exact same thing just as well).
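An added example (not from the thread) of the "few lines of code or bind variables" El_Oscuro mentions and the parameterized queries JDG1980 recommends, using Python's sqlite3 on a constructed table: the same lookup written with string concatenation and with a bound parameter, fed a normal address, the textbook tautology, and an address that legitimately contains a quote.

```python
import sqlite3

# Constructed sample table (hypothetical); nothing here is from the breached site.
SEED = [
    ("photog@example.com", "hash1"),
    ("psuser@example.com", "hash2"),
    ("o'brien@example.com", "hash3"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users (email, pw_hash) VALUES (?, ?)", SEED)
    return conn


def lookup_concat(conn, email: str) -> list:
    """The bug: the untrusted value is spliced into the SQL text, so a quote
    in the input ends the literal and whatever follows is parsed as SQL."""
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, email: str) -> list:
    """The fix: the SQL text is fixed, the value travels separately as a bind
    variable and can only ever be compared as data."""
    sql = "SELECT email FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def compare(email: str) -> tuple:
    """Run both versions on a fresh table; returns (concat_result, bound_result),
    where concat_result is the exception name if the spliced query failed to parse."""
    conn = make_db()
    try:
        concat = lookup_concat(conn, email)
    except sqlite3.OperationalError as exc:
        concat = type(exc).__name__
    return concat, lookup_bound(conn, email)


if __name__ == "__main__":
    print(compare("photog@example.com"))   # both find the one row
    print(compare("' OR '1'='1"))          # concat returns every row, bound returns []
    print(compare("o'brien@example.com"))  # concat fails to parse, bound finds the row
```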

Re:Adobe doesn't give a shit about security (1)

SpzToid (869795) | about a year and a half ago | (#41990565)

Agreed. If I was Microsoft, or Apple for that matter, I'd be all over Adobe for ruining The Platform. Linux users are SOL so far as Adobe is involved, but the linux users already knew that.
