
Another day, another SQL injection exploit

Just when Sony appeared to be getting back on the right track with the full restoration of its PlayStation Network, LulzSec struck again hitting Sony right between the eyes. The group once again used an SQL injection tactic to gain access to the Sony Pictures account database.

This time around, LulzSec managed to obtain:

  • 1 million user accounts (including passwords, email and home addresses, and date of birth)
  • All admin account details and passwords
  • 75,000 music codes
  • 3.5 million music coupons

In addition, there was even opt-in data that was accessible, which gives even more information about Sony's customers and their preferences.

The part that amazes LulzSec (and us for that matter) is the fact that Sony stored all 1 million user passwords in simple plain text files -- no encryption whatsoever was used. "It's just a matter of taking it," stated LulzSec in a press release. "This is disgraceful and insecure: they were asking for it."

The group went on to express its disdain for Sony and its security practices (or lack thereof): 

Our goal here is not to come across as master hackers, hence what we're about to reveal: was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks? 

LulzSec has provided evidence of their latest "Sownage" on its site, which can be accessed here.


RE: Get off the internet!
By omnicronx on 6/3/2011 1:22:05 AM , Rating: 2
Sony can't fix all of their SQL injection vulnerabilities overnight, but given that they're the hackers' whipping boy they should take down all of the sites that have the vulnerability BEFORE they get hacked! But it'd cost them money so they'd rather leave our data at risk. And SQL injection attacks? Seriously? That's the FIRST thing you learn to protect against! And it's EASY!
You are making it out to be some generic vulnerability, but it only takes one line of poorly written SQL and most likely had nothing to do with the previous injection attacks.

I would be very interested in knowing where the actual attack occurred. If it was something as simple as a logon form, Sony should be ashamed, third party services or not.

RE: Get off the internet!
By BugblatterIII on 6/3/2011 4:04:03 AM , Rating: 2
I manage a team of 7 developers that have written a number of commercial websites. There's not a single line of code that selects directly from a table (or inserts, deletes, updates).

All data access is done through stored procedures, and it's the middle-tier that calls them, the websites call the middle-tier through a web service so the websites have NO direct database access. The middle-tier has NO table-level access; it's only able to call the specific stored procedures it needs. Don't give the middle-tier select permissions and the devs have no choice but to do it properly.

All stored procedures are called using parameterised queries through ADO.NET, which therefore protects us from SQL injection attacks.

None of this is at all difficult and prevents that one line of poorly-written SQL.

We don't even hold credit card details on our servers (and Sony didn't need to either), but we still take these basic steps to protect our data (oh, and we have firewalls!).

It's shameful that Sony doesn't do the same. My data was amongst that stolen.
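The layering the comment above describes (the application calls a stored procedure through ADO.NET with typed parameters, and the middle-tier database login holds EXECUTE on that procedure only, with no table-level permissions), as an added C# example that is not code from the article, from DailyTech or from the commenter; the connection string, table, procedure and login names are assumptions:

```csharp
// Added example. Assumes a SQL Server database reachable via connectionString,
// a table dbo.Users(UserId, Email, PasswordHash, PasswordSalt) and the
// procedure below; every name here is hypothetical.
//
// T-SQL run once by the DBA, never by the application:
//
//   CREATE PROCEDURE dbo.usp_GetUserCredential @Email NVARCHAR(256) AS
//   BEGIN
//       SET NOCOUNT ON;
//       SELECT UserId, PasswordHash, PasswordSalt
//       FROM dbo.Users WHERE Email = @Email;
//   END
//   GO
//   -- The middle-tier login may execute this procedure and nothing else:
//   -- no SELECT/INSERT/UPDATE/DELETE on any table, so even a coding
//   -- mistake in the tier cannot turn into "access EVERYTHING".
//   GRANT EXECUTE ON OBJECT::dbo.usp_GetUserCredential TO [MiddleTierLogin];
//
using System;
using System.Data;
using System.Data.SqlClient;

public static class CredentialRepository
{
    // Returns the stored hash and salt for an email, or null if unknown.
    // The caller verifies the password against the hash; the procedure
    // never sees or returns a plaintext password.
    public static (int UserId, byte[] Hash, byte[] Salt)? GetCredential(
        string connectionString, string email)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("dbo.usp_GetUserCredential", conn))
        {
            // CommandType.StoredProcedure makes ADO.NET issue an RPC call:
            // the email travels as a typed parameter value, never as SQL text,
            // so quotes or comment markers in the input cannot alter the query.
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@Email", SqlDbType.NVarChar, 256).Value = email;

            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (!reader.Read()) return null;   // no such account
                return (reader.GetInt32(0), (byte[])reader[1], (byte[])reader[2]);
            }
        }
    }
}
```

The same pattern applies to inserts and updates: the procedure owns the SQL, the application supplies only parameter values, and the database login cannot reach the tables by any other route.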

Copyright 2016 DailyTech LLC.