Sophisticated SQL injection technique used

Jan 25, 2010 15:51 GMT

The website of the Center for Aerosol Research at NASA's Goddard Space Flight Center has been taken offline after a grey hat hacker demoed an attack on its database. The SQL injection exploitation had to be performed manually and was unusually hard to pull off, according to the attacker.

"I want to say that it was very hard to make this injection… The webserver had good protection but wasn’t fully secured," TinKode, a Romanian self-confessed grey hat hacker, writes on his blog. "This kind only works manually, you can’t do it with apps," he stresses.

aerocenter.gsfc.nasa.gov is actually the third website associated with NASA's Goddard Space Flight Center (GSFC) that TinKode has hacked in recent months, suggesting a more serious Web development issue on this domain. At the beginning of December, we reported that websites belonging to GSFC's Instrument Systems and Technology Division, istd.gsfc.nasa.gov, as well as the Software Engineering Division, sed.gsfc.nasa.gov, were compromised in a similar fashion.

According to an official description available on the compromised website before it was taken down, the "AeroCenter is an interdisciplinary union of researchers at NASA Goddard and other organizations in the Washington DC metropolitan area (including NOAA, University of Maryland, and other institutions) who are interested in many facets of atmospheric aerosols." From the partially obfuscated screenshots published by the security enthusiast, it appears the database contains private information about site members, such as full name, e-mail, phone, affiliation or focus group.

TinKode has also revealed details about seven administrative accounts, including those of Lorraine A. Remer, the NASA official responsible for the AeroCenter program; Richard Kleidman, the curator; and Paul D. Przyborski, the Webmaster. As the grey hat hacker indicates, only password "hashes" are stored in the database, which is much better than storing them in plain text. Unfortunately, these hashes can be easily cracked, because they were generated with MD5, an insecure algorithm.
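
An added example, not taken from the article or the affected site: one way to retire unsalted MD5 password hashes like those described above, by checking a legacy record once at login and replacing it with a salted scrypt record. The record format, function names, cost parameters and sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters for this example; tune them for your hardware.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def legacy_md5(password: str) -> str:
    """Unsalted MD5 hex digest: fast to compute and identical for identical
    passwords, which is why a leaked table of these is easy to crack."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_scrypt(password: str) -> str:
    """Salted, memory-hard hash stored as 'scrypt$<salt hex>$<digest hex>'."""
    salt = os.urandom(16)  # fresh random salt per record
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify(password: str, stored: str):
    """Return (ok, replacement).

    replacement is a new scrypt record when a legacy MD5 record verified,
    so the caller can overwrite the weak hash; otherwise it is None.
    """
    if stored.startswith("scrypt$"):
        _, salt_hex, digest_hex = stored.split("$")
        candidate = hashlib.scrypt(
            password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex)), None
    # Anything else is treated as a legacy 32-character MD5 hex digest.
    ok = hmac.compare_digest(legacy_md5(password), stored.lower())
    return ok, (hash_scrypt(password) if ok else None)

if __name__ == "__main__":
    # Constructed sample record: MD5 of the sample password "password".
    record = "5f4dcc3b5aa765d61d8327deb882cf99"
    ok, upgraded = verify("password", record)
    if ok and upgraded:
        record = upgraded  # persist the stronger record in place of the MD5
    print(ok, record.split("$")[0], verify("password", record))
```

Accounts that never log in again keep their MD5 record under this scheme, so a cutoff date followed by a forced password reset is still needed to clear the remainder.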