Technology giant Yahoo!'s Contributors Network was affected by a serious flaw, a time-based blind SQL injection vulnerability that allowed the theft of sensitive data.
Yahoo! Contributors Network (contributor.yahoo.com) is a network of writers that allows them to publish articles and videos and share their knowledge with more than 600 million monthly visitors. It also allows contributors to receive assignments from the tech giant in various domains such as Sports and Finance.
Security researcher Behrouz Sadeghipour reported a blind SQL injection vulnerability in Yahoo!’s Contributor Network website (contributor.yahoo.com) that could be exploited by cyber criminals to steal the users’ and authors’ database, which contains their personal information.
According to the researcher, he reported the flaw to the Yahoo! Security team a few months earlier and the company patched the vulnerability. A month later, however, Yahoo! announced it would shut down the ‘Yahoo Contributors Network’ because of its decreasing popularity and removed all of its content from the web, except for some of the “work for hire” content.
As explained by the researcher, the critical vulnerability affects Yahoo! systems and allows an attacker to compromise the database. An attacker could inject his own SQL commands to gain access to the sensitive personal information of the writers who were participating in the network and being paid for their work.
The researcher came across two URLs that could be used to run the attack against the Yahoo server:
The vulnerability allowed remote attackers to inject their own SQL commands through the vulnerable URLs above, breach the database, and gain access to the users’ personal data.
It’s not the first time that security experts have discovered a vulnerability in the Yahoo! Contributors Network. In 2012 it was also hacked, by a group of hackers called “D33DS Company”, and the stolen data was exposed: they published 453,491 email addresses and passwords online in a document named “Owned and Exposed”. Reportedly, the hackers used the same technique, SQL injection, to carry out that data breach.
In September 2014, the Egyptian hacker Ebrahim Hegazy discovered a similar vulnerability in a Yahoo service that allowed remote code execution and privilege escalation.
SQL Injection & Its Impacts
SQL injection attacks have been around for over a decade. SQL injection involves inserting a SQL query into a web application via client-side input.
SQL injection is considered an effective web attack technique, and security researchers worldwide maintain that the number of SQL injection attacks continues to grow. According to “The SQL Injection Threat Study”, published in April 2014 by the Ponemon Institute, nearly 65% of organizations suffered successful SQL injection attacks in the previous twelve months.
SQL injection is a real threat that is actively exploited by hackers every day. “If you are a developer you should be leveraging the OWASP SQL Injection Prevention Cheat Sheet at a minimum.” Do not underestimate SQL injection attacks, as they could seriously damage your business.
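As an added illustration (not code from the article, the researcher or Yahoo!), the following contrasts a string-concatenated lookup with the parameterized form the OWASP cheat sheet recommends, and shows why a "blind" page that returns only yes/no still leaks through an injected condition. The sqlite3 table, column names and sample rows are constructed assumptions.

```python
import sqlite3


# Constructed sample data standing in for the kind of contributor records
# the article says were exposed; table and column names are assumptions.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contributors (id INTEGER, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO contributors VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")],
    )
    return conn


def author_exists_vulnerable(conn, username):
    # BAD: the input is spliced into the SQL text, so it can alter the
    # query's logic. The function only returns True/False, which is exactly
    # the "blind" situation: no table data is displayed, yet an injected
    # condition still changes the answer (or, with a delay function on a
    # real DBMS, the response time), leaking one bit per request.
    sql = "SELECT 1 FROM contributors WHERE username = '%s'" % username
    return conn.execute(sql).fetchone() is not None


def author_exists_safe(conn, username):
    # GOOD: parameterized query, per the OWASP SQL Injection Prevention Cheat
    # Sheet. The driver passes the value separately from the SQL text, so
    # quotes and keywords inside it are data, never syntax.
    sql = "SELECT 1 FROM contributors WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    probe = "nobody' OR '1'='1"  # constructed input that changes the query's logic
    print(author_exists_vulnerable(db, "alice"), author_exists_safe(db, "alice"))  # True True
    print(author_exists_vulnerable(db, probe), author_exists_safe(db, probe))      # True False
```

The parameterized version answers False for the probe because it looks for a literal username containing the quote and OR text, whereas the concatenated version answers True for a name that does not exist.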