MySQL.com and Sun hacked through SQL injection

Filed Under: Data loss, Oracle, Vulnerability

Proving that no website is ever truly secure, it is being reported that MySQL.com has succumbed to a SQL injection attack. It was first disclosed to the Full Disclosure mailing list early this morning. Hackers have now posted a dump of usernames and password hashes to pastebin.com.

MySQL hashes on Pastebin

Most embarrassingly, the Director of Product Management's WordPress password was set to a four digit number... his ATM PIN perhaps? Several accounts had passwords like "qa". The irony is that they weren't compromised by means of their ridiculously simple passwords, but rather flaws in the implementation of their site.

MySQL's parent company Sun/Oracle has also been attacked. Both tables and emails were dumped from their databases, but no passwords.

It does not appear to be a vulnerability in the MySQL software, but rather flaws in the implementation of their websites.

Auditing your websites for SQL injection is an essential practice, and so is using strong passwords.

Neglecting either can lead you down a road that ends in tears. If you haven't reviewed your web coding practices, this might be a good time to perform an audit of your public-facing assets to be sure your organization won't become the next headline.
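As an added illustration of the flaw class the article describes (this is example code, not code from the article or from MySQL.com's site), here is the query shape that makes a site injectable beside its parameterised form. It uses Python's sqlite3 in place of MySQL so it runs offline, with a constructed two-row users table; the query shapes are the same on either database.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for a site's users table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "hash-a"), ("bob", "hash-b")])
    return db


def lookup_hash_vulnerable(db, username):
    # Untrusted input is spliced straight into the SQL text, so the value
    # becomes part of the query's grammar. This is the defect being audited for.
    sql = "SELECT pw_hash FROM users WHERE username = '%s'" % username
    return [row[0] for row in db.execute(sql)]


def lookup_hash_safe(db, username):
    # Parameterised query: the driver passes the value separately from the
    # statement text, so it can only ever be compared as a literal string.
    rows = db.execute("SELECT pw_hash FROM users WHERE username = ?",
                      (username,))
    return [row[0] for row in rows]


def demo():
    """Run both forms over normal and hostile input and report the results."""
    db = make_db()
    normal = "alice"
    quoted = "o'brien"            # a legitimate name containing an apostrophe
    crafted = "' OR '1'='1"       # constructed input that rewrites the WHERE clause
    result = {
        "vuln_normal": lookup_hash_vulnerable(db, normal),
        "vuln_crafted": lookup_hash_vulnerable(db, crafted),   # leaks every hash
        "safe_normal": lookup_hash_safe(db, normal),
        "safe_crafted": lookup_hash_safe(db, crafted),         # matches nothing
        "safe_quoted": lookup_hash_safe(db, quoted),
    }
    try:
        lookup_hash_vulnerable(db, quoted)
        result["vuln_quote_error"] = False
    except sqlite3.Error:
        # A stray quote producing a database error is the tell-tale sign an
        # audit looks for: the input is reaching the parser as SQL.
        result["vuln_quote_error"] = True
    return result
```

The error raised by the apostrophe case is the cheapest signal to check for in an audit: if a single quote in a form field changes the database's behaviour, the query is being assembled from strings.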

It was noted on Twitter that mysql.com is also subject to an XSS (cross-site scripting) vulnerability that was reported in January 2011 and has not been remedied.


8 Responses to MySQL.com and Sun hacked through SQL injection

  1. JDMan · 1307 days ago

    Well...that's great! MySQL not secure means we wait for some hacker interested in our site to waltz in? MySQL.com--fix the holes. Please.

  2. JDMan: 4th paragraph from the bottom clearly states "It does not appear to be a vulnerability in the MySQL software, but rather flaws in the implementation of their websites."

    SQL injection is about not sanitizing input data, it has nothing to do with "holes" in the MySQL software itself.

  3. How embarrassing...

  4. GarryKE · 1307 days ago

    MySQL's flaws are its two-layer architecture; this is what causes the SQL injection and its vulnerabilities.
    MySQL is fast, granted. However, if this continues I'll be moving to something more secure.

  5. Tayster · 1307 days ago

    Little Bobby Tables strikes again-
    http://xkcd.com/327/

  6. jbw · 1307 days ago

    There are still web developers out there who don't understand SQL injection? Scripting injection attacks were covered in the beginner's programming classes I remember twenty years ago. You don't need SQL or the Web to understand the theory of input validation in software. Only an unskilled developer would make such a rookie mistake.

    I have seen companies with a lot of money to spare hire only the smallest teams of the least skilled developers for their websites because they are cheap to a fault and have no appreciation for the actual skill involved.

    The one time in my life I ran into SQL injection troubles was when I used an off-the-shelf component that contained them. Definitely something to consider when you start using third party software.

  7. Dave · 1306 days ago

    As http://xssed.com/search?key=mysql says, a bunch of old bugs seems to be getting fixed.
    The old ones embarrassed me much more than the new hack ...

  8. wrangler · 1305 days ago

    So my question is, was it the open source guys or the Oracle guys who had the crappy passwords?

    =;^)


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.