SQLi vulnerability gives attackers full access to the database

May 29, 2009 08:47 GMT

Romanian grey-hat hacker Unu has hit the Daily Telegraph website for a second time in under three months and says that the impact of the new vulnerability he found is much more serious than last time. According to the hacker, the weakness allows for the execution of an SQL injection attack and the extraction of the plain-text passwords, as well as personal information, of millions of subscribers.

Details of the breach have been published on the newly relaunched HackersBlog vulnerability-reporting website. Unu, a former HackersBlog member from the days when the outfit did more than just report such incidents, has made a habit of probing high-profile websites for this class of bug.

The Daily Telegraph has been the subject of his attention before: at the beginning of March we reported that a vulnerability in a section of the newspaper's website exposed over 700,000 e-mail addresses and account passwords. Paul Cheesbrough, chief information officer at Telegraph Media Group, noted at the time that the affected property was a partner site.

The new proof-of-concept attack described by Unu leverages an SQLi vulnerability in stats.telegraph.co.uk to plant a shell on the web server. Once that is achieved it is game over in terms of security, since the attacker has full access to all databases. To prove his point, the hacker has made several screenshots available.

Some of the information in the images, such as the poorly sanitized URL parameter and parts of the compromised account details, has been blurred to prevent malicious replication of the attack and to protect the privacy of The Telegraph's subscribers. The user data that can be extracted includes, but is not limited to, full name, e-mail address, full postal address, zip code, country and the password, in plain text.
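The pattern behind a bug of this kind, as an added example that is not The Telegraph's code or anything published by Unu: a hypothetical stats lookup that pastes a URL parameter straight into the SQL string, beside the same lookup with bound parameters. The schema, table names and rows are constructed for the example (SQLite in memory stands in for MySQL), and the UNION payload is the textbook way a single injectable parameter is turned into a read of an unrelated table, which is how plain-text credentials end up in screenshots.

```python
import sqlite3

# Constructed sample data, not the Telegraph's schema: a "stats" table looked up
# by a URL parameter, and a "subscribers" table that stores passwords in plain
# text, as the article describes.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE stats (id INTEGER PRIMARY KEY, page TEXT, hits INTEGER);
        CREATE TABLE subscribers (id INTEGER PRIMARY KEY, email TEXT, password TEXT);
        INSERT INTO stats VALUES (1, 'home', 120), (2, 'sport', 45);
        INSERT INTO subscribers VALUES
            (1, 'alice@example.com', 'hunter2'),
            (2, 'bob@example.com', 'letmein');
    """)
    return conn

def hits_vulnerable(conn, page):
    # Hypothetical vulnerable handler: the request parameter is concatenated
    # into the query text, so a quote in it ends the string literal and the
    # rest of the parameter is parsed as SQL.
    sql = "SELECT page, hits FROM stats WHERE page = '" + page + "'"
    return conn.execute(sql).fetchall()

def hits_safe(conn, page):
    # Hardened handler: the value is bound to a placeholder, so the driver
    # passes it to the engine as data and never re-parses it as SQL.
    return conn.execute(
        "SELECT page, hits FROM stats WHERE page = ?", (page,)
    ).fetchall()

# Classic UNION payload: closes the literal, appends a SELECT with the same
# column count against another table, and comments out the trailing quote.
PAYLOAD = "' UNION SELECT email, password FROM subscribers --"

if __name__ == "__main__":
    conn = build_db()
    print("legitimate:", hits_safe(conn, "home"))
    print("vulnerable + payload:", hits_vulnerable(conn, PAYLOAD))
    print("safe + payload:", hits_safe(conn, PAYLOAD))
```

The vulnerable handler returns the subscribers' e-mail addresses and passwords in place of page statistics; the parameterized one returns no rows because no page is literally named after the payload. Binding parameters is the fix; escaping or "sanitizing" the input is what the original site evidently attempted and got wrong.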

Leaving aside the fact that such personal information is worth a small fortune to identity thieves, the compromise of the passwords alone has far-reaching implications. Studies show that over 60% of users reuse their passwords across multiple accounts, and many use a single password for everything.

At the time of writing, the vulnerable page was offline; The Telegraph staff are presumably investigating the breach and taking the appropriate action. While they are at it, here is a piece of advice from us, HackersBlog and the vast majority of security professionals: please stop storing passwords in plain text. Store salted hashes instead.
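What "salted hashes" means in practice, as an added example (not code from The Telegraph, HackersBlog or this site): each password gets its own random salt, the salt and a deliberately slow PBKDF2-HMAC-SHA256 digest are stored together in one self-describing record, and verification recomputes the digest with the stored parameters and compares it in constant time. The record format, the iteration count and the function names are this example's own assumptions; a dedicated scheme such as bcrypt, scrypt or Argon2 serves the same purpose.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for this example; raise it as hardware gets faster.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record of the form algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt is drawn per password, so two users with the same
    password produce different records and a leaked table cannot be attacked
    with one precomputed table.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return "{}${}${}${}".format(ALGORITHM, ITERATIONS, salt.hex(), digest.hex())

def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and iteration count.

    The comparison uses hmac.compare_digest so that timing does not reveal
    how many leading bytes matched. Malformed records verify as False.
    """
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        stored = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, rounds
    )
    return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    # Constructed sample: two subscribers who happen to share a password.
    alice = hash_password("hunter2")
    bob = hash_password("hunter2")
    print("same password, different records:", alice != bob)
    print("alice logs in:", verify_password("hunter2", alice))
    print("wrong password:", verify_password("letmein", alice))
```

Only the record is written to the database. Someone who dumps the table, as happened here, gets salts and digests that must be brute-forced one password at a time at the configured cost, instead of a column of credentials ready to be tried against the subscribers' other accounts.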

Note: We have contacted The Telegraph on this incident and we will return with more information as/if it becomes available.

Photo Gallery (6 images)

The Daily Telegraph website hacked twice in three months
Telegraph.co.uk MySQL database users
Telegraph.co.uk web server database information