Through an SQL injection weakness

Sep 22, 2009 10:00 GMT  ·  By

A hacker has disclosed an SQL injection vulnerability in the website of the Internet Archive project, which exposed sensitive information about registered members. The leaked data included personal details such as e-mail addresses, names, home addresses, zip codes, cities and states.

The vulnerability was discovered and reported by a prominent Romanian hacker going by the online handle of Unu. A self-proclaimed grey hat hacker, Unu is in the habit of searching for and disclosing mainly SQL injection weaknesses in high-profile websites. Some of his recent reports involved websites belonging to the likes of Yahoo, the UK Parliament, ING Belgium, Dexia, HSBC France and WorldPay.

SQL injections are attacks that target a specific type of programming error in Web applications in order to execute SQL queries against a website's underlying database. These vulnerabilities result from a failure to sanitize parameters passed to a script and can be exploited by simply manipulating the URL.
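As an added illustration (not code from the original article or from the Internet Archive), the constructed script below shows a FAQ lookup that splices a URL parameter straight into its query beside a hardened version that validates the value and binds it as data; the table name, columns and FAQ rows are made up for the demonstration.

```python
import sqlite3

def make_db():
    # Constructed sample data: a tiny FAQ table standing in for a site's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE faq (id INTEGER, question TEXT, answer TEXT)")
    conn.executemany("INSERT INTO faq VALUES (?, ?, ?)", [
        (1, "What is the Wayback Machine?", "An archive of web pages."),
        (2, "How do I get a library card?", "Register an account."),
    ])
    return conn

def faq_vulnerable(conn, faq_id):
    # The raw URL parameter (e.g. ?id=1) is concatenated into the SQL text, so any
    # characters in it become part of the statement and can alter the WHERE clause.
    sql = "SELECT question FROM faq WHERE id = " + faq_id
    return [row[0] for row in conn.execute(sql)]

def faq_parameterized(conn, faq_id):
    # Hardened form: reject anything that is not a plain integer up front, then
    # bind the value through a placeholder so the driver treats it strictly as data.
    if not faq_id.isdigit():
        raise ValueError("faq id must be a positive integer")
    sql = "SELECT question FROM faq WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (int(faq_id),))]

if __name__ == "__main__":
    db = make_db()
    print(faq_vulnerable(db, "1"))           # one row, as intended
    print(faq_vulnerable(db, "1 OR 1=1"))    # the clause is rewritten: every row comes back
    print(faq_parameterized(db, "1"))        # one row
    try:
        faq_parameterized(db, "1 OR 1=1")    # rejected before it reaches the database
    except ValueError as exc:
        print("rejected:", exc)
```

The same tautology that turns the concatenated query into "return everything" is refused outright by the parameterized version, which is why logging rejected parameter values is also a cheap detection signal for probing.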

The Internet Archive is a project to build a digital library of digital content and of the World Wide Web. Its Web archive, called the Wayback Machine, stores periodic snapshots of web pages dating back to 1996, which can be browsed and viewed. Over 150 billion archived web pages are currently available through the Wayback Machine.

According to Unu's findings, the Internet Archive content is spread over 2,770 servers. The website allows users to register and obtain their own "virtual library cards." These accounts allow people to bookmark archives, write reviews, post in the forums, upload media, request researcher access and access other features.

At the time of writing, the website had 802,261 registered users, including yours truly, and all of their account data was accessible through the SQL injection vulnerability. The data includes the screen name, e-mail address, hashed password and registration date and, for some members, their full personal information as well.

Judging from the screenshots published by Unu, the flaw was located in the Frequently Asked Questions (FAQ) section of the Internet Archive website. However, the Romanian hacker points out that he reported it to the webmaster and that it has been fixed.