Web security news and the “Hack of the Year”



Long time since my last post but I was a bit busy on customer on-site testing. Nice days of application testing but now is time to write here again.I read long ago a fantastic book about security named “The Art Of Intrusion” wrote by the (in)famous Kevin Mitnick. He told amazing histories about security and intrusions without giving too much technical details about them but the enough to understand the attack and catch the idea behind the security problem the system had. News about security are (sometimes) the same. I said “sometimes” because reporters who wrote about security doesn’t really use to know anything about security, but this is something to another post…Today I want to introduce you two websites about web security / cracking. The first one is a website that intends to collect all these web security incidents around the world. It’s called The Web Hacking Incident Database and offers reports of the hacked websites around the world, including, in most of the cases, some technical information. It’s worth a lecture to understand how important is the web security nowadays.The other one is really a clone of the famous milw0rm website (I’m not going to link it because is currently abandoned) called Inj3ctor.They published a few days ago a paper claiming that they had hacked Facebook. Wooohhh… really? Let’s go check the report:

  • They start doing a port scan of facebook.com
  • After that they do some simple Google search queries trying to identify some PHP errors because is well know that Facebook is developed in this language.
  • A quick look into the robots.txt file can focus us into specific (and usually privates) web pages.
  • After these tests against facebook.com they move to apps.facebook.com and detect some vulnerabilities in third parties applications. These applications are not developed by Facebook and are not hosted in the Facebook servers.

They got a lot of information from MySQL databases using simple SQL Injections and claim that the information they obtained is from Facebook. Ok, sometimes people get really excited too soon. In this case the called it: “Hack of the year!”.If you are going to call something the “Hack of the year” be sure it is… Because:

  1. Facebook doesn’t use MySQL, they use Cassandra.
  2. The path showed in the PHP errors points clearly to another server (http://tomkincaid.dreamhosters.com/)
  3. WordPress? I’m pretty sure that is not any WordPress installation running in the Facebook servers.
  4. Don’t say your exploit is the “Hack of the year”, wait until the community say it: http://pwnie-awards.org/

That’s all for now, more other day with an exciting project I want to release in any point next week