SQL Injection Vulnerability in Yahoo!

Yahoo! Contributors Network SQL Injection Vulnerability
Yahoo! Contributors Network (contributor.yahoo.com), the network of authors that produced content such as photographs, videos, articles and their expertise for more than 600 million monthly visitors, was vulnerable to a time-based blind SQL injection vulnerability.
Behrouz Sadeghipour, a security researcher, reported the blind SQLi vulnerability in Yahoo!’s website; it could have been exploited by hackers to steal the users’ and authors’ database, containing their personal information.
Behrouz reported this flaw to the Yahoo! security team a few months back. The team responded positively and patched the vulnerability within a month. Unfortunately, Yahoo! then announced the shutdown of the Yahoo! Contributors Network due to its decreasing popularity and removed all of its content from the web, except that some “work for hire” content may remain online.
The critical vulnerability could have exposed the database holding the sensitive personal information of the authors who were participating and getting paid for their work. While looking around the website, the researcher came across two vulnerabilities in the following URL/files:
The vulnerability allowed remote attackers to inject their own SQL commands, breach the database behind the above vulnerable URLs and gain access to the users’ personal data.
In 2012, Yahoo! Contributors Network was hacked by a group of hackers called “D33DS Company”, and the “Owned and Exposed” data breach exposed 453,491 stolen email addresses and passwords online. Reportedly, the hackers used the same technique at that time, i.e. an SQL injection attack, to carry out the data breach.
SQL Injection (SQLi) attacks have been around for over a decade. They involve inserting a malformed SQL query into an application via client-side input. SQLi vulnerabilities are ranked as critical because, when exploited, they lead to a database breach and the leakage of confidential information.
In fact, according to Veracode’s 2014 State of Security Software Report, SQL injection vulnerabilities still plague 32% of all web applications.

“We are currently seeing more than 50,000 attacks per day that fall into our SQL Injection categorization. Most of them are automated and try to compromise well known vulnerabilities in common CMS’s and web projects (Joomla, WordPress, vBulletin, etc.),” the security researcher David Dede of the security firm Sucuri wrote in a blog post.

The analysis carried out by the security firms shows that the number of SQL injection attempts continues to grow over time.

“If we drill down into our data and hook it up to a geo locator we can also see that the attacks come from everywhere. Most people tend to think that Russia, Brazil, Romania and a few other countries are the “bad” sources, but for SQL injection, the top attackers come from the USA, India, Indonesia and China,” the researcher added.

SQL injections are a real threat and are being actively exploited by hackers every day. “If you are a developer you should be leveraging the OWASP SQL Injection Prevention Cheat Sheet at a minimum.”
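To make that prevention advice concrete, here is an added example (not code from the original article or from Yahoo!) contrasting a string-concatenated lookup, which creates exactly the kind of SQLi hole described above, with the parameterized form the OWASP cheat sheet recommends. The `authors` table and its rows are constructed sample data, not Yahoo!’s schema.

```python
import sqlite3

# Constructed sample rows standing in for a contributors database (not a real schema).
AUTHORS = [
    ("alice", "alice@example.org", "paid"),
    ("bob", "bob@example.org", "paid"),
    ("o'brien", "obrien@example.org", "unpaid"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE authors (username TEXT, email TEXT, status TEXT)")
    conn.executemany("INSERT INTO authors VALUES (?, ?, ?)", AUTHORS)
    return conn


def lookup_vulnerable(conn, username):
    # Client input is pasted straight into the SQL text, so the database
    # cannot tell where the data ends and the query begins.
    sql = "SELECT username, email FROM authors WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # Prepared statement: the query text is fixed and the value travels
    # separately as a bound parameter, never re-parsed as SQL.
    sql = "SELECT username, email FROM authors WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups against the same inputs and report what each one does."""
    conn = make_db()
    results = {}
    # 1. An ordinary name with an apostrophe already breaks the concatenated query.
    try:
        lookup_vulnerable(conn, "o'brien")
        results["vuln_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["vuln_apostrophe"] = "syntax error"
    results["safe_apostrophe"] = len(lookup_parameterized(conn, "o'brien"))
    # 2. A tautology in the input turns the WHERE clause into "always true"
    #    and the concatenated query returns every row in the table.
    tautology = "' OR '1'='1"
    results["vuln_tautology"] = len(lookup_vulnerable(conn, tautology))
    results["safe_tautology"] = len(lookup_parameterized(conn, tautology))
    return results


if __name__ == "__main__":
    print(demo())
```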

CREDIT:  thehackernews

Shellshock Attack Hits Yahoo!

Shellshock threats continue to escalate, with Yahoo reportedly falling victim to an exploit that targeted related flaws in its infrastructure to give attackers a foothold on its servers.

Since the first public warnings were sounded Sept. 24 over remotely exploitable “Shellshock” flaws in the Bash command-line interface – used in many flavors of the Unix operating system – security experts have continued to see an increase in related attacks (see Bash Bug: Bigger Than Heartbleed). But the Yahoo breach shows that the Bash flaws are already claiming some high-profile victims.

Breach Report: Yahoo, Lycos, WinZip

The Yahoo compromise was disclosed by security researcher Jonathan Hall, president of security consulting firm Future South Technologies, who claims that attackers – apparently based in Romania – have been attempting to use the Yahoo servers they compromised as a stepping stone for hacking into Yahoo’s gaming servers, which are used by millions of people per day. Hall reports in a blog post that the same attackers have also compromised servers run by Lycos, as well as a payment gateway run by compression software vendor WinZip.

Hall says he notified all three companies about the flaws on Oct. 5, then chose to name them publicly after they failed to immediately acknowledge and patch the flaws. Hall says he’s withheld precise details relating to the attacks, including server names, to dissuade copycat attackers.

Neither Lycos nor WinZip immediately responded to a request for comment on Hall’s report. A Yahoo spokeswoman, who declined to respond directly to Hall’s breach report, says that the company has been patching its systems against Shellshock since Sept. 24, as well as monitoring its infrastructure for related attacks. “Last night [Oct. 5], we isolated a handful of our impacted servers and at this time we have no evidence of a compromise to user data,” she says. “We’re focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users’ data.”

‘Huge Number of Attacks’

Of course, many more businesses may have already been compromised by hackers who exploit Shellshock flaws. “Those on the receiving end of breaches often remain tight-lipped,” software architect Troy Hunt tells Information Security Media Group. “What we do know is that there have been a huge number of attacks,” he says. Some of those have been documented by CloudFlare, FireEye and the SANS Institute. But many attacks have yet to be cataloged, revealed by victims, or analyzed by security experts.

To date, six different Bash flaws – collectively referred to as Shellshock – have been discovered. Already, attackers have been using them to launch distributed-denial-of-service attacks, and to target vulnerable systems that are connected to IRC [Internet Relay Chat application layer protocol], by using automated bots that push links to related exploits. Other attackers have been targeting the flaw on some network-attached storage devices to dump all data they’re storing. Some researchers have also published a proof-of-concept attack showing how Shellshock could be exploited to take control of instances of the open source OpenVPN software.

The Types of Attacks

Based on information from a number of sources, security researchers have seen about 11 different types of attacks that target Shellshock flaws:

Illegitimate vulnerability probes: These are unauthorized scans that probe servers for the presence of Shellshock flaws. “It is possible that the attacker may follow up with a ‘real’ attack if the check turns out to be positive,” Johannes Ullrich, chief research officer at the SANS Institute, tells Information Security Media Group. Security researchers – as well as attackers – have apparently been responsible for these types of probes.

Grabbing system parameters: Ullrich says some attacks use the HTTP “User-Agent” to obtain system parameters. “This goes beyond checking if a system is vulnerable,” he says, and “actually exfiltrates configuration information,” which attackers could then use to create more customized exploits.

Legitimate vulnerability probes: These authorized scans – for example by security providers – attempt to identify Internet-connected systems with Shellshock flaws.

Cloud-based Shellshock scanners: These cloud-based services scan sites for the presence of Shellshock vulnerabilities.

Reverse/remote shell installation: Some payloads attempt to “install [a] perl reverse shell,” Ullrich says, which would give attackers remote shell access to the system. In the case of the Yahoo server compromises, Hall says he watched an attacker – via IRC – finding vulnerable Yahoo.com servers and then “forcing them to download a perl script that invoked a remote shell.” Each successful remote-shell installation was then logged back to the attackers’ IRC channel, which Hall was monitoring.

NAS attack: Threat intelligence firm FireEye reports that several attacks have exploited Bash flaws to obtain data being stored on network-attached storage devices located in Japan, South Korea and the United States. FireEye has published related indicators of compromise.

Remote patchers: Some white-hat hackers have been scanning for Shellshock-vulnerable sites, then attempting “to remotely patch vulnerable systems by updating their Bash version,” according to research published by Akamai security researchers.

Red team alerts: This simple exploit involves attackers exploiting Shellshock as a public service announcement and leaving an alert for system administrators that the server has exploitable Shellshock vulnerabilities, Akamai says.

File content dumper: This type of attack attempts to “dump” databases and steal sensitive information, including passwords.

Bitcoin targeting: Akamai says it’s seen some attackers using Shellshock flaws to push malware to vulnerable systems. This attack code scans for the presence of bitcoins, then relays those bitcoins to attackers.

Funny business: These attacks include exploits aimed at opening CD trays, playing joke audio messages as well as “script-kiddie copy/paste payloads that don’t make sense,” Akamai says.

Akamai says it’s seen Shellshock-targeting attacks coming from more than 13,000 different IP addresses per day, and has counted more than 20,000 unique payloads being used per day. Half of all Shellshock-related attacks or attempted exploits it’s seen involve illegitimate probes, followed by legitimate probing (29 percent), IRC bots (10 percent) and “funny stuff” (8 percent). The vast majority of all probes and exploits were directed at online gaming sites.
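The probes and parameter-grabbing attempts listed above all share one marker in the HTTP headers: the `() {` prefix that makes Bash treat an environment variable as a function definition. As an added example that is not part of the original article, the following scans constructed Apache-style access log lines for that marker in the request line, Referer and User-Agent fields and tallies attempts per source address, the kind of per-IP count Akamai reports.

```python
import re
from collections import Counter

# Bash parses an exported variable whose value starts with "() {" as a function
# definition; the Shellshock bugs let text after the closing brace execute. Any
# request header carrying that prefix is a probe or exploit attempt.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache combined log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo vulnerable"
198.51.100.9 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :;}; /bin/uname -a" "curl/7.30"
192.0.2.44 - - [25/Sep/2014:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def find_shellshock_attempts(log_text):
    """Return one record per request whose request line, Referer or User-Agent
    carries the Shellshock function-definition prefix."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash a monitoring job
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "field": field,
                    "value": m.group(field),
                })
    return hits


def attempts_per_source(hits):
    """Count flagged requests per source IP, mirroring a per-address tally."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_shellshock_attempts(SAMPLE_LOG)
    for h in found:
        print(h["time"], h["ip"], h["field"], repr(h["value"]))
    print(attempts_per_source(found))
```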

Patch Web Servers First

When it comes to mitigating Shellshock, organizations should focus on Web servers first, says the SANS Institute’s Ullrich. “The problem that a lot of companies have with this vulnerability is you have so many systems that are vulnerable – every Unix system you own is probably vulnerable in some way. But that doesn’t mean it’s exploitable.”

One good piece of Shellshock news, meanwhile, is that the flaws don’t appear to affect Windows users, despite a recent report from security researchers in Belgium suggesting that Windows is susceptible to a command-injection vulnerability that affects command-shell scripts. “We looked at this,” Ullrich says of the report, as well as the possibility that Shellshock-like flaws might be present in Windows. “I don’t see a realistic exploit vector for this flaw as of right now. Also, the use of shell scripts in Windows web apps is hardly ever seen.”


CREDIT:  bankinfosecurity

Romanian Hackers Used The Shellshock Bug To Hack Yahoo’s Servers

Security researcher Jonathan Hall says he has found evidence that Romanian hackers used the Shellshock bug to gain access to Yahoo servers, according to a post on his website Future South.

The Shellshock bug can be used by hackers to take control of servers through a vulnerability in the Bash shell used on Linux and Unix systems. The problem has existed for over 20 years, but it was only discovered in September. If a hacker gains access to a server using the Shellshock bug, they could see everything that is stored there.

Hall, a technology consultant and Unix expert, outlined in his post the process he used to track down the hacked Yahoo servers. Hall used a Google search to find servers that had been left vulnerable to Shellshock. He discovered that the WinZip.com domain was being used by hackers to track down other servers that could be vulnerable to the bug.

Hall went on to find that Romanian hackers had gained access to Yahoo’s servers, and were gradually exploring the network in search of the popular Yahoo! Games servers. Yahoo’s games are played by millions of people, making them a target for hackers looking to wreak havoc. Through his research, Hall discovered that two of Yahoo’s servers had been breached by hackers, and that more could have already been accessed.

In an email to Bloomberg Businessweek, Yahoo confirmed that three of its servers had been hacked using the Shellshock vulnerability. Company spokesperson Elisa Shyu said, “As soon as we became aware of the issue, we began patching our systems and have been closely monitoring our network, we isolated a handful of our impacted servers and at this time we have no evidence of a compromise to user data.”

Yahoo’s servers were vulnerable to attack because they were running an outdated version of Bash. Hall emailed and tweeted Marissa Mayer, as well as a member of Yahoo’s engineering team. Eventually he received a response from Yahoo that confirmed its servers had been breached and that it was working through its incident response process. Hall claims that Yahoo refused to pay him for the discovery because it considers it outside the scope of the company’s bug bounty program.

Yahoo has come under fire in the past for its response to security researchers who uncover bugs in its servers. In 2013 the CEO of a security firm was awarded a $25 voucher for Yahoo-branded items after he uncovered three bugs in Yahoo’s online services.

CREDIT:  businessinsider

WARNING: Yahoo Mail hacked – Change your account password

A really bad year for the world’s second-largest email service provider, Yahoo Mail! The company announced today, ‘we identified a coordinated effort to gain unauthorized access to Yahoo Mail accounts’: user names and passwords of its email customers have been stolen and are being used to access multiple accounts.

Yahoo did not say how many accounts have been affected, nor is it sure about the source of the leaked user credentials. They appear to have come from a compromised third-party database, not from an infiltration of Yahoo’s own servers.

“We have no evidence that they were obtained directly from Yahoo’s systems. Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts. The information sought in the attack seems to be names and email addresses from the affected accounts’ most recent sent emails.”

For now, Yahoo is taking proactive steps to protect the affected users: “We are resetting passwords on impacted accounts and we are using second sign-in verification to allow users to re-secure their accounts. Impacted users will be prompted (if not already) to change their password and may receive an email notification or an SMS text if they have added a mobile number to their account.”

People frequently reuse the same passwords on multiple accounts, so the hackers are possibly brute-forcing Yahoo accounts with credentials stolen from other data breaches.

Yahoo users can prevent account hijacks by using a strong and unique password. You can use ‘Random strong password generator’ feature of DuckDuckGo search engine to get a unique & strong password.

Users are also recommended to enable two-factor authentication, which requires a code texted to the legitimate user’s mobile phone whenever a login attempt is made from a new computer.
Yahoo! was hacked in July 2012, with attackers stealing 450,000 email addresses and passwords from the Yahoo! Contributors Network.

Well, Yahoo is now working with federal law enforcement as a part of its investigation.

Email hacking for hire going mainstream

By Dancho Danchev – blog.webroot.com

Just as we anticipated on two occasions in 2012, managed email hacking for hire services keep popping up at publicly accessible cybercrime-friendly communities, a trend that’s largely driven by the demand for such services from unethical competitors, “friends”, or current/ex-spouses.

Often pitched as “forgotten password recovery” services, they rely on social engineering, brute-forcing, and spear phishing campaigns, often leading to a successful compromise of a targeted account. Based on the number of positive vouches, the services continue receiving a steady stream of satisfied and verified customers.

In this post, I’ll profile one of the most recently advertised email hacking for hire services, specializing in hacking GMail and Yahoo! accounts, as well as email accounts using popular free Russian email service providers. How much does it cost to hack a Gmail or Yahoo! account? What about corporate email?

Let’s find out.

Sample screenshot of the email hacking for hire service:

The service also features a catchy video that pitches its core features to prospective buyers. What about the prices?

Sample pricing scheme of the email hacking for hire service, offering discounts if customers refer it to friends:

The prices are as follows:

  • Mail.ru, Bk.ru, Inbox.ru, List.ru – 3000 rubles ($100)
  • Yandex, Rambler – 4000 rubles ($150)
  • Gmail, Googlemail – 7000 rubles ($230)
  • Yahoo! Mail – 10,000 rubles ($350)

The main problem with these services is that they often produce the promised results thanks to the victim-tailored spear phishing attempt. In comparison, it would be cost-ineffective for them to outsource the CAPTCHA-solving process when brute-forcing popular passwords, a practice we believe is a thing of the past.

Today’s QA (Quality Assurance) minded cybercriminals tend to do their best to automatically and efficiently personalize their campaigns in an attempt to increase the probability of a successful malware infection/phishing lead. And while they sometimes manage to prepare a convincing email referencing you by username, perhaps even your full name — which they often obtain through harvesting for contacts on the PC of an infected friend of yours — this is where it all ends, at least for massive spamvertised campaigns.

This leads us to a situation where your “friends”, unethical competitors, or a suspicious/paranoid current/ex-spouse will supply the service with crucial details about your personality (from a social engineering perspective), details that increase the probability of a successful account compromise. The worst part is that data obtained from first-hand sources, such as people who know you, is indispensable compared to similar data that could be gathered by data mining social networks in an attempt to tailor a spear phishing campaign that exclusively targets you.

Email users are advised to be extra cautious when receiving emails that suspiciously “know too much” about them, especially emails sent from impersonated parties who might have an interest in compromising them, and to use two-factor authentication where applicable.