The grey hat collective returns and the hackers are more determined than ever

Mar 14, 2012 09:09 GMT

TeamHav0k, the grey hat hacker collective that previously uncovered a lot of vulnerabilities in some high-profile sites, returns. They provided proof to show that ancestry.com, a site that allows users to trace their family roots, contains some dangerous security holes.

“We're back baby, and for our first hack back, we will be providing you with the DB of ‘Ancestry.com’ the site that allows you to trace your family roots. A site like this should be more protected considering the kind of information they have on people,” the hackers write.

“Just imagine if NATO, UN, FBI, CIA etc. officials use this site to look back in time to see who all is in their family tree... DoX made easier than [expletive]. This release is not meant to harm anyone, it's simply just to prove 'Security Is An Illusion'.”

TeamHav0k published a small proof of concept that shows the existence of the vulnerability, along with some database tables to demonstrate that the cross-site scripting (XSS) and the SQL Injection issues they uncovered can be exploited by hackers who don’t have the most honorable intentions.

“Although we are known for XSS's, we will exploit other vulnerabilities if we find them. People need to understand the seriousness of small little coding errors that lead to this sort of thing, they need to remember to PATCH THEIR SYSTEMS the second a new updated version comes out to protect their assets and clients,” they explain.

It’s uncertain at this time if Ancestry.com's webmasters have been directly notified by the group regarding these vulnerabilities. In any case, now that the PoC has been made public, hopefully the company will rush to patch up the flaws to ensure the safety of their customers.

Sources from within the group told us that they planned on continuing to reveal the existence of security holes in high-profile websites, just as they’ve done so far.

Updated. Ancestry.com representatives contacted us to clarify the incident.

They state that the vulnerability reported by TeamHav0k is on the company's corporate website, which is a separate website hosted by a third-party vendor and is not connected to any Ancestry.com customer financial or personal family tree information.