
Another day, another SQL injection exploit

Just when Sony appeared to be getting back on the right track with the full restoration of its PlayStation Network, LulzSec struck again, hitting Sony right between the eyes. The group once again used an SQL injection tactic to gain access to the Sony Pictures account database.

This time around, LulzSec managed to obtain:

  • 1 million user accounts (including passwords, email and home addresses, and date of birth)
  • All admin account details and passwords
  • 75,000 music codes
  • 3.5 million music coupons

In addition, there was even opt-in data that was accessible, which gives even more information about Sony's customers and their preferences.

The part that amazes LulzSec (and us, for that matter) is the fact that Sony stored all 1 million user passwords in simple plain text files -- no encryption whatsoever was used. "It's just a matter of taking it," stated LulzSec in a press release. "This is disgraceful and insecure: they were asking for it."

The group went on to express its disdain for Sony and its security practices (or lack thereof): 

Our goal here is not to come across as master hackers, hence what we're about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks? 

LulzSec has provided evidence of their latest "Sownage" on its site, which can be accessed here.
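The two failures described above, a query open to SQL injection and passwords kept in plain text, each have a standard countermeasure. The sketch below is an added example, not code from the article or from Sony: the schema, function names and sample account are hypothetical, and Python's sqlite3 and PBKDF2 stand in for whatever database and hashing scheme a real site would use.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (value assumed for this example)

def open_db():
    # In-memory database with a hypothetical schema: no plaintext password column.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db

def _derive(password, salt):
    # Slow, salted hash: a dumped table yields no reusable passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def register(db, email, password):
    salt = os.urandom(16)  # unique per account
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (email, salt, _derive(password, salt)))

def lookup_unsafe(db, email):
    # Weak pattern: input is spliced into the SQL text, so the database
    # parses whatever the user typed as part of the statement.
    sql = "SELECT salt, pw_hash FROM users WHERE email = '" + email + "'"
    return db.execute(sql).fetchone()

def lookup_safe(db, email):
    # Corrected pattern: the placeholder sends the input as data only.
    return db.execute("SELECT salt, pw_hash FROM users WHERE email = ?",
                      (email,)).fetchone()

def login(db, email, password):
    row = lookup_safe(db, email)
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the derived hash with the stored one.
    return hmac.compare_digest(stored, _derive(password, salt))

if __name__ == "__main__":
    db = open_db()
    # Constructed sample account; the apostrophe is legitimate in an address.
    register(db, "o'brien@example.com", "correct horse")
    print(login(db, "o'brien@example.com", "correct horse"))
    try:
        lookup_unsafe(db, "o'brien@example.com")
    except sqlite3.OperationalError as exc:
        print("unsafe query broke on ordinary input:", exc)
```

An ordinary apostrophe is enough to break the concatenated query, which shows that user input is being parsed as SQL; the parameterized lookup handles the same address without incident.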



Comments

Checks and Balances
By Autisticgramma on 6/3/2011 1:25:15 PM , Rating: 2
These are growing pains. $ony is in it for profit, and only profit. Security is secondary to profit.

The Law (as in what's illegal) is behind. This is why America needs a consumer protection agency. Then we could go to $ony and ask what their security practices are, and order them to shape up or find another market. Allowing yourself to be hacked this easily should be illegal. It's akin to me leaving a loaded gun next to a 7 year old's birthday cake, then complaining that not only do I have to clean the gun but all my ammo is gone. The other kids at the party are just an afterthought.

Locks only stop honest men - but that doesn't mean you don't have one on your front door. $ony's house obviously has no windows or doors - let alone locks. Even the police will tell you if your door is open there is no expectation of privacy.

If no one demonstrates this openly, would they have even known? Say $ony did figure it out, would $ony even have told us? Certainly not the third time.

















Copyright 2014 DailyTech LLC.