Print 60 comment(s) - last by BansheeX.. on Jun 7 at 8:01 PM

Another day, another SQL injection exploit

Just when Sony appeared to be getting back on the right track with the full restoration of its PlayStation Network, LulzSec struck again hitting Sony right between the eyes. The group once again used an SQL injection tactic to gain access to the Sony Pictures account database.

This time around, LulzSec manage to obtain:   

  • 1 million user accounts (including passwords, email and home addresses, and data of birth)
  • All admin account details and passwords
  • 75,000 music codes
  • 3.5 million music coupons

In addition, there was even opt-in data that was accessible, which gives even more information about Sony's customers and their preferences.

The part that amazes LulzSec (and us for that matter) is that fact that Sony stored all 1 million user passwords in simple plain text files -- no encryption whatsoever was used. "It's just a matter of taking it," stated LulzSec in a press release. "This is disgraceful and insecure: they were asking for it."

The group went on to express its disdain for Sony and its security practices (or lack thereof): 

Our goal here is not to come across as master hackers, hence what we're about to reveal: was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks? 

LulzSec has provided evidence of their latest "Sownage" on its site, which can be accessed here.

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

By phatboye on 6/2/2011 8:23:42 PM , Rating: 5
What I don't get is why don't they just take down everything with user info on it. Don't put it back up until there is a security review.

By geddarkstorm on 6/3/2011 5:13:20 PM , Rating: 3
Obviously their common sense was hacked and stolen a long time ago.

By wvh on 6/4/2011 1:15:04 PM , Rating: 2
I'm a sys/network admin and used to work as security consultant doing penetration testing. Checking shitloads of crappy code spread over many systems and services takes a long time. We shouldn't doubt the quality of the code that gets Sony hacked over and over again isn't exactly top-shelf. Wading through other people's code – produced by some out-sourcing, uncaring and unrelated company that was pressed for time and eager for the pay check – isn't easy. You need to analyse the architecture, the network, the setup of individual systems and their services and daemons, the code itself including the choice of libraries and frameworks, and all this in different languages on different operating systems written by different (in general mostly incompetent) people.

That's not mentioning it might be easier to get access by hacking the systems yourself than to find out who legitimately can give you access to which systems and networks. It wouldn't be the first time that all employees that worked on the systems have left, the out-sourcing company that built them doesn't exist anymore, and no manager remembers anything about any setup or passwords.

Unplugging and redoing everything isn't exactly a 5 minute job, so I guess Sony – being focussed on making profit – doesn't want to put down all of their services for an indefinite amount of time.

"Google fired a shot heard 'round the world, and now a second American company has answered the call to defend the rights of the Chinese people." -- Rep. Christopher H. Smith (R-N.J.)

Most Popular Articles5 Cases for iPhone 7 and 7 iPhone Plus
September 18, 2016, 10:08 AM
No More Turtlenecks - Try Snakables
September 19, 2016, 7:44 AM
ADHD Diagnosis and Treatment in Children: Problem or Paranoia?
September 19, 2016, 5:30 AM
Walmart may get "Robot Shopping Carts?"
September 17, 2016, 6:01 AM
Automaker Porsche may expand range of Panamera Coupe design.
September 18, 2016, 11:00 AM

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki