14 DAY TRIAL // The "Let's Hack Sony marathon" continues as hackers announced a new compromise of one of the company's websites and disclosed exploitable vulnerabilities affecting another.
Hacking outfit LulzSec, which recently targeted FOX and stole the personal details of 250,000 X Factor USA auditionees, hacked into the Sony Music Online's Japanese website and leaked the database structure.
"Hey guys, we took a cruise! Who wants to play spot the SonyMusic SQLi? #fun #fun #FUN," the group wrote on Twitter shortly before posting "LOL @Sony, nice Japanese website dumbasses: http://pastebin.com/NyEFLbyX"
The pastebin link does not lead to a full database dump, but to a listing of the tables and columns that can be found inside it.
Instead of extracting and publishing the data themselves, the hackers made public two SQL injection vulnerabilities that can be exploited by anyone with a little bit of knowledge.
The LulzSec members also mentioned that there are "two other databases hosted on this boxxy box" and encouraged people to go for them on their own.
SQL injection vulnerabilities occur when user input is not properly sanitized. They can be exploited by attackers to access the underlying database with the credentials of the vulnerable website.
In addition to the Sony Music Japan problems, a Romanian hacker known as d3v1l has disclosed two more vulnerabilities in Sony web properties.
One is also an SQL injection located in the Sony Pictures Italia website, while the other is a cross-site scripting (XSS) flaw on Sony.com.
What was once revenge for overzealous treatment of hackers by the company, has now been transformed into a game where finding Sony vulnerabilities is a challenge.
Unfortunately, users are caught up in the middle and it seems that personal details and other sensitive information is fair game in this effort to shame the electronics giant.