The Web Hacking Incidents Database. Last update: 17 February 2008
Full List of Incidents
245 incidents listed
Reported: 17 February 2008; Occurred: 09 March 2005
Classifications:
- Attack Method: Insufficient Anti-automation
- Country: USA
- Outcome: Leakage of Information
- Vertical: Information Services
The LexisNexis data breach is not new, but we have recently decided to start tracking abuse of insufficient anti-automation measures and are adding historical incidents.
In this incident a group of people opened accounts at data broker LexisNexis and used automated tools to extract a large amount of personal information provided by the service.
As usual in such cases there is a question of whether the attack was a criminal activity, a violation of the license agreement of the information provider, or plainly legal. In this regard it is interesting to note that the group arrested in the incident was also responsible for the hacking of Paris Hilton's Vodafone account, which was clearly an unlawful act.
Back in 2005 this data breach was one of the first such incidents; it generated a lot of media interest and led to more regulation regarding information aggregators. Interestingly, the excuse given by the company was that there was no security failure in the web site, but that its procedures were lacking. We accepted this story at the time, but today we believe that such automation and scraping attacks are among the most dangerous attacks.
References:
Reported: 17 February 2008; Occurred: 09 November 2007
Classifications:
- Attack Method: Unknown
- Country: India
- Outcome: Planting of Malware
- Vertical: Media
The web site of a leading Indian newspaper is swamped with malware. A recent survey by WebSense, cited by The Register, found that of the sites hosting malware, 51% were legitimate sites that had been broken into. This is a major shift in the threat landscape, since keeping to web sites that you know is no longer a good protection strategy. Anecdotally, this undermines WebSense's own web site classification technology as a security solution.
References:
Reported: 17 February 2008; Occurred: 31 January 2008
Classifications:
- Attack Method: Unknown
- Country: Greece
- Outcome: Defacement
- Vertical: Government
This is yet another case of defacement of a governmental web site. It is amazing to note that it is nearly never the large commercial and financial web sites that are defaced. It is either small mom and dad shops or government and political web sites. Don't you get the feeling that government IT is run like a mom and dad shop? Do you wonder if it is only the IT part that is run that way?
References:
Reported: 17 February 2008; Occurred: 23 November 2007
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Country: Global
- Outcome: Defacement
- Vertical: Technology
The standard disclaimer that we do not cover each and every defacement is relevant to this entry as well. So why do we include the defacement incident this time? First and foremost, it is known to be an XSS attack abusing a WordPress zero day bug. Secondly, it is a targeted attack aiming to deface only Mac related web sites. Usually targeted defacement attacks are carried out against political targets. Did attacking Apple become a political issue? Was Apple transformed into a nation overnight? Well, certainly into a cult.
References:
Reported: 12 February 2008; Occurred: 11 February 2008
Classifications:
- Attack Method: Unknown
- Country: Ecuador
- Outcome: Defacement
- Vertical: Government
Was it defaced or not? In this extraordinary incident, a hacker broke into the web site of the Ecuadorian president and said nice things about him. So nice, in fact, that the presidential office had to apologize in front of the opposition leader. Was it a hack or an over-enthusiastic marketing person?
References:
Reported: 12 February 2008; Occurred: 10 February 2008
Classifications:
- Attack Method: Cross Site Request Forgery (CSRF)
- Country: Korea
- Origin: China
- Outcome: Downtime
- Outcome: Leakage of Information
- Vertical: Retail
A Korean e-commerce site was hacked and a staggering number of records, 18 million, were stolen. In the US this would be front page news. We don't know if it was front page news in Korea, but it did not get to the international media.
The attack description is vague but can be best described as session hijacking.
This incident is a great example of the lack of sufficient international coverage at WHID. Help us by sending us non-English incidents! After all, it is not only English speakers who get hacked; it is rather us, the WHID maintainers, who speak only this language.
References:
Reported: 10 February 2008; Occurred: 09 February 2008
Classifications:
- Attack Method: Unknown
- Country: USA
- Outcome: Leakage of Information
- Vertical: Entertainment
Sensitive information about people who created an account on the site leaked and was published through IRC.
References:
Reported: 10 February 2008; Occurred: 01 August 2007
Classifications:
- Attack Method: SQL Injection
- Country: USA
- Outcome: Leakage of Information
- Vertical: Sports
It is already February, and we still add 2007 incidents. If you wonder why, it is because organizations such as MLS only now find out that they were hacked last year! Sometime between January and August of 2007, names, addresses, credit and debit card data, and passwords of an unknown number of people, including 169 New Hampshire residents, were stolen from the site.
Why New Hampshire? Because the company has to report the incident to the authorities there, but only has to specify the number of individuals from this state who were affected. Why only New Hampshire? Since regulations and bills requiring disclosure exist in many states, one would expect that the company would have to provide such a testimonial in many states. This incident is another good example of the size of the hidden part of the iceberg.
References:
Reported: 04 February 2008; Occurred: 04 February 2008
Classifications:
- Attack Method: Unknown
- Country: USA
- Outcome: Leakage of Information
- Vertical: Finance
A computer hacker broke into the database of D.A. Davidson, a local Montana financial services firm, and stole its entire customer database: 226,000 records including names and social security numbers. The attack method is not known, but it seems very much like a web hack.
References:
Reported: 28 January 2008; Occurred: 14 January 2008
Classifications:
- Attack Method: Brute Force
- Country: USA
- Outcome: Monetary Loss
- Vertical: Technology
Kurt already got his free MacWorld pass last year (WHID 2007-14), but it seems that nothing changes year after year and he was able to pull a similar trick this year. As the codes that allow customers to get the passes were hashed but stored in the client browser, Kurt was able to crack them.
References:
Reported: 28 January 2008; Occurred: 06 January 2008
Classifications:
- Attack Method: SQL Injection
- Country: USA
- Outcome: Planting of Malware
- Outcome: Defacement
- Vertical: Government
You dfon
References:
Reported: 28 January 2008; Occurred: 21 January 2008
Classifications:
- Attack Method: Known Vulnerability
- Attack Method: Drive by Pharming
- Attack Method: Cross Site Request Forgery (CSRF)
- Country: Mexico
- Location: Client
- Outcome: Leakage of Information
- Outcome: Monetary Loss
- Software: DSL Router
- Vertical: Finance
Symantec reported an active exploit of CSRF against residential ADSL routers in Mexico (WHID 2008-05). An e-mail with a malicious IMG tag was sent to victims. By accessing the image in the mail, the user initiated a router command to change the DNS entry of a leading Mexican bank, making any subsequent access by a user to the bank go through the attacker's server.
References:
Reported: 28 January 2008; Occurred: 07 November 2007
Classifications:
- Attack Method: Administration Error
- Country: USA
- Outcome: Leakage of Information
- Vertical: Education
Once again, a Microsoft Excel file was left on a university's web site for anyone to view.
References:
Reported: 22 January 2008; Occurred: 20 January 2008
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Attack Method: SQL Injection
- Attack Method: Denial of Service
- Country: Global
- Country: USA
- Outcome: Defacement
- Outcome: Downtime
- Vertical: Entertainment
The web site of the RIAA, the Recording Industry Association of America, was attacked twice using SQL injection over the weekend. First, a query that takes a particularly long time to execute was posted on a social network web site, causing a distributed denial of service attack against the site. Later on, hackers found and abused additional SQL injection and XSS vulnerabilities, resulting in major defacement of the site.
References:
Reported: 19 January 2008; Occurred: 19 January 2008
Classifications:
- Attack Method: SQL Injection
- Country: USA
- Outcome: Disclosure Only
- Vertical: Retail
An SQL injection vulnerability that could result in a hacker being able to access credit card numbers, expiration dates, and security codes of thousands of consumers was discovered in the web site of retailer "life is good". The US Federal Trade Commission charged "life is good" with lack of reasonable and appropriate security for the sensitive consumer information stored on its servers. The company's settlement with the FTC requires it to adopt a very comprehensive and costly security program going forward.
References:
- Online Retailer Settles Charges That It Left Consumer Data Open To Hackers
News Story, Information Week, 18 January 2008
- FTC Wags Finger At Site For Weak Consumer Data Security
News Story, Storefront Backtalk, 18 January 2008
- In the Matter of Life is good, Inc., a corporation, and Life is good Retail, Inc., a corporation. FTC Matter No. 072-3046
Case File, Federal Trade Commission, 17 January 2008
Reported: 09 January 2008; Occurred: 08 January 2008
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Country: Italy
- Outcome: Phishing
- Vertical: Finance
It has been a while since a phishing scam using an XSS vulnerability found its way into the Web Hacking Incidents Database (SunTrust, WHID 2004-11). The current incident is a good example of what does and does not get into our database: XSS vulnerabilities in public web sites are discovered daily and reported on sites such as XSSed; however, most of these vulnerabilities are not included in WHID for lack of public interest. The current incident is different since the vulnerability is known to be exploited by attackers, moving it from the realm of technical interest to the realm of a real problem.
References:
Reported: 08 January 2008; Occurred: 28 December 2007
Classifications:
- Attack Method: SQL Injection
- Origin: China
- Outcome: Planting of Malware
An SQL injection robot is running wild and has already hacked hundreds of thousands of web sites. Since the robot plants malicious code in infected sites, its traces can be found by Googling for the name of the Chinese sites referred to in the malicious code.
As a security practitioner I often see SQL injection bots, many times right when I install ModSecurity, an open source web application firewall, but this bot is unique in the way it exploits web sites. It is easier to perform a wide scale attack by exploiting the least common denominator, which in the hacking world is the operating system. As a result, most SQL bots tend to use SQL injection vectors that enable issuing OS commands. A good example is a Cacti vulnerability: since it allows an OS command to be issued, I often see bots looking for it in the wild. This attack is the first I have seen in which the actual attack vector is SQL based. The bot modifies every record it has access to into malicious code, in the hope that it will be fetched and displayed by the application to its users.
A byproduct of this vector is that the results are catastrophic for the site owners. While in the case of a common defacement attack restoring (or recreating) the homepage is all that is required to get back to business, in this case the whole database is ruined. Considering the scope of the attack, and that restoring the database, if it was ever backed up, requires much more expertise, the overall damage of this attack is very high.
References:
- 70,000 Web Pages Hacked By Database Attack
News Story, Information Week, 08 January 2008
- Realplayer Vulnerability
Alert, SANS Internet Storm Center, 04 January 2008
- Massive embedded exploit web site attack underway
Alert, Heise, 08 January 2008
- SQL Injection Attack Infects Thousands of Websites
Technical Analysis, Ryan Barnett, 08 January 2008
- Mass exploits with SQL Injection
Technical Analysis, SANS, 09 January 2008
Reported: 08 January 2008; Occurred: 05 January 2008
Classifications:
- Attack Method: Unknown
- Country: USA
- Outcome: Leakage of Information
- Vertical: Retail
Very detailed records of geeks.com customers were stolen from the site. The records included name, address, telephone number, e-mail address, credit card number, expiration date and, most notoriously, card verification number (CVV). The interesting part is that the site had a Hacker Safe seal. The seal was revoked twice last year due to vulnerabilities, but restored after they were patched. It seems that this time the hack preceded the scan or the scan missed the vulnerability. So much for application scanning and vulnerability assessment... And don't take it lightly as just a geeks' site: Geeks.com is a $150M/year business.
References:
Reported: 01 January 2008; Occurred: 04 May 2007
Classifications:
- Attack Method: Misconfiguration
- Country: UK
- Outcome: Planting of Malware
- Outcome: Leakage of Information
- Vertical: Service Providers
Misconfiguration of a webmail system at a British hosting provider led to leakage of the entire user database, including all e-mails. The e-mail addresses were actively used for sending spam. Additionally, the exploit was used to plant malware on some of the customers' web sites. This incident is unique since PlusNet has published a very interesting and revealing report about the incident that sheds a lot of light on the real-world state of application security. A must read.
References:
Reported: 01 January 2008; Occurred: 06 November 2007
Classifications:
- Attack Method: SQL Injection
- Country: Turkey
- Outcome: Planting of Malware
- Vertical: Media
Another malware defacement, but this time at a very prominent web site: the MSNBC Turkish edition. There are indications that this is an application layer attack.
References:
Reported: 01 January 2008; Occurred: 17 September 2007
Classifications:
- Attack Method: Known Vulnerability
- Country: USA
- Outcome: Leakage of Information
- Software: Cerberus Helpdesk
- Vertical: Service Providers
A known vulnerability in the helpdesk software used by hosting provider Layered Technologies resulted in leakage of information, including names, addresses, phone numbers and email addresses of up to 6,000 of the company's clients.
References:
Reported: 01 January 2008; Occurred: 23 May 2007
Classifications:
- Attack Method: Known Vulnerability
- Country: USA
- Outcome: Planting of Malware
- Software: cPanel
- Vertical: Service Providers
The Washington Post ran a story about a large scale infiltration of IPower, a major hosting provider. According to the story and the comments that followed, it seems that the problem has been plaguing IPower for a long time without being resolved. Compare this with the PlusNet incident, which was serious but swiftly handled and publicly acknowledged by the company.
Actually, the problem is so prevalent that a recent StopBadware report lists IPower as by far the most malware-infected hosting company. Reports mention that the problem started as early as mid 2006.
The root cause of the breach here is mentioned as being a vulnerability in either Apache, PHP or cPanel. I have selected the third as the more probable until further evidence materializes.
References:
Reported: 01 January 2008; Occurred: 23 September 2007
Classifications:
- Attack Method: Known Vulnerability
- Country: USA
- Outcome: Planting of Malware
- Software: cPanel
- Vertical: Service Providers
Hackers exploited an unknown cPanel vulnerability to break into HostGator servers and plant malware on hosted sites.
References:
Reported: 01 January 2008; Occurred: 29 January 2007
Classifications:
- Attack Method: Credential/Session Prediction
- Country: Brazil
- Outcome: Disclosure Only
- Vertical: Finance
IDG now reports a bug in the internet banking application of Unibanco, a Brazilian bank. The vulnerability allowed logged-in users to view transaction receipts of other, unrelated users by changing the "receipt ID" in the form or URL.
Reported by Alexandre Sieira
References:
Reported: 01 January 2008; Occurred: 09 November 2007
Classifications:
- Attack Method: SQL Injection
- Country: Brazil
- Country: USA
- Origin: Russia
- Outcome: Planting of Malware
- Vertical: Government
RBN was a big story. It was a hacker group that could work relatively freely in Russia due to rumored connections in high places. This way it could offer safe hosting for malware. To get people to the malware they penetrated web sites around the world, and the referenced article mentions SQL injection as the method by which they infiltrated the more high profile sites, such as US government sites.
References:
Reported: 01 January 2008; Occurred: 07 November 2007
Classifications:
- Attack Method: Unknown
- Country: India
- Outcome: Defacement
- Vertical: Service Providers
Yet another defacement, but this time at a very major telecommunications provider in India. These are the guys in charge of our network, after all!
References:
Reported: 30 December 2007; Occurred: 15 December 2007
Classifications:
- Attack Method: Cross Site Request Forgery (CSRF)
- Country: UK
- Origin: Iran
- Outcome: Defacement
- Outcome: Blackmail
Many times we dismiss seemingly minor vulnerabilities in major web sites. Most notably, "yet another" XSS or CSRF vulnerability in a well known service is not considered news anymore. However, the following story proves that, no matter what, such vulnerabilities cannot be ignored. The attack is simple, the result pretty frightening. An attacker, presumably Iranian, stole the domain name of David Airey, a graphic artist and a known blogger. The attack was very well timed with David's leaving for a long vacation. The goal was to extort money in return for the domain. In David's case there is a happy ending, as the attention he got helped him get his blog back, with some loss of traffic, search engine ranking and time. But other victims of the attacker, who steals domains for a living, may not be as fortunate.
References:
Reported: 22 December 2007; Occurred: 22 December 2007
Classifications:
- Attack Method: Credential/Session Prediction
- Country: USA
- Outcome: Monetary Loss
- Outcome: Leakage of Information
- Outcome: Identity Theft
- Vertical: Security & Law Enforcement
The Secret Service has arrested at least 6 people in an investigation that involves information theft at an Ohio court web site, which was actively used for identity theft. At least one known identity theft case resulted in a $40,000 loss to the victim.
The sensitive information was stolen by manipulating predictable identifier parameters. The stolen information belongs to at least 270 people and includes the name, address, age and other information that could be used to obtain credit cards and open bank accounts.
References:
Reported: 20 December 2007; Occurred: 20 December 2007
Classifications:
- Attack Method: SQL Injection
- Country: USA
- Origin: Indonesia
- Outcome: Defacement
- Vertical: Security & Law Enforcement
Just like WHID 2007-60, this hack is probably representative of many other incidents. The Indonesian hacker Hmei7 has left the message "Hmei7 has touched your soul" on the web site of the police department in Tucson, Arizona. Only, unlike a regular defacement, this time it is not the front page but rather the news section that was modified.
As many of you know, the news section is one of the few database driven parts in many mostly static sites, as it allows the site owner to add news without requiring a web designer. Therefore it came as no surprise that the attack was identified by a public source as an SQL injection attack.
References:
Reported: 19 December 2007; Occurred: 30 September 2007
Classifications:
- Attack Method: Unknown
- Country: Germany
- Outcome: Leakage of Information
- Vertical: Retail
An unidentified group stole credit card numbers and billing addresses from the Hamburg, Germany ticket sales office Kartenhaus, a subsidiary of Ticketmaster. Some 66,000 customers who purchased tickets with a credit card from the Kartenhaus.de web site between October 24, 2006 and September 30, 2007 were affected.
References:
Reported: 19 December 2007; Occurred: 27 October 2007
Classifications:
- Attack Method: Known Vulnerability
- Attack Method: Insufficient Authentication
- Attack Method: SQL Injection
- Country: UK
- Outcome: Downtime
- Software: WordPress
- Vertical: Education
This story probably represents hundreds of similar stories. Many of us have come to rely on open source software, which is useful, feature rich and free. It gives us access to tools that were available to only a few a couple of years ago. The downside is that this easy availability means that many use the tools without having the time, resources and expertise to protect them. Systems such as phpBB and WordPress are good examples of very popular open source systems that require constant attention in order to remain secure.
I am sure that the guys at Light Blue Touchpaper have the expertise to protect their WordPress installation, but they don't have the time. They made the compromise between ease of management of their web site and its security. Actually, my personal blog might be just as vulnerable, since as I write this I am very much not paying attention to its security.
Apart from, or actually because of, the fact that the victims are security experts, this story is noteworthy due to two additional twists in the plot:
- Zero day exploit in the wild: the attacker penetrated twice, once using a known SQL injection vulnerability, but the second time using a yet unknown vulnerability in WordPress, which was reverse engineered and published for the first time by the people at Light Blue Touchpaper.
- The researchers found that they could use Google to retrieve the hashed password of the hacker. Google has become so big that it actually allows efficient lookup of hashed passwords.
References:
Reported: 19 December 2007; Occurred: 26 November 2007
Classifications:
- Attack Method: Known Vulnerability
- Country: USA
- Outcome: Link Spam
- Software: WordPress
- Vertical: Politics
Whether comment spam by itself is an application failure or a necessary evil for sites allowing rich comments is an open question. However, it is reported that in this case a vulnerability in WordPress allowed the spammers to actually penetrate the site and modify pages, and not just abuse comments.
References:
Reported: 19 December 2007; Occurred: 19 December 2007
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Country: USA
- Outcome: Worm
- Vertical: Internet
A vulnerability in the social networking site Orkut that allowed users to inject HTML and JavaScript into their profiles set the stage for a persistent XSS worm that appears to have affected more than 650,000 Orkut users.
References:
Reported: 19 December 2007; Occurred: 01 December 2007
Classifications:
- Attack Method: Credential/Session Prediction
- Country: Canada
- Outcome: Disclosure Only
- Vertical: Government
The web site of the Canadian passport authority enabled users to access others' records by modifying the value of a parameter in the URI.
References:
Reported: 19 December 2007; Occurred: 28 June 2007
Classifications:
- Attack Method: Insufficient Anti-automation
- Country: USA
- Country: Canada
- Vertical: Internet
Use of robots and automated software against a web site, as long as it is not done in order to break into the site, falls into a grey area. While hard to classify as an unlawful act, it is usually harmful to the site owner and possibly to the site users. Apart from consuming valuable resources, such automated access may breach the site's usage license for public information and might also indicate unlawful activity such as using a botnet. Many times it is hard to know if such a blast of requests is a denial of service attack, brute force password cracking or just a search engine crawler. Going forward we are going to add such incidents to WHID if there is reason to believe that they are not friendly, even if the actual goal of the attack cannot be easily classified. The Facebook case at hand is a perfect example: while the details are not clear, the fact that Facebook filed a lawsuit implies that there is fire behind the smoke.
References:
Reported: 19 December 2007; Occurred: 17 December 2007
Classifications:
- Attack Method: Known Vulnerability
- Country: UK
- Outcome: Link Spam
- Software: WordPress
- Vertical: Media
In an incident very similar to the Al Gore Hack, the personal blog of IT journalist Tim Anderson was also hacked. Unlike Mr. Gore, Tim discusses the breach and its origins.
References:
Reported: 19 December 2007; Occurred: 14 December 2007
Classifications:
- Attack Method: Unknown
- Country: France
- Country: Libya
- Outcome: Planting of Malware
- Vertical: Government
To iframe or not to iframe, that is the question. As malware becomes more popular, the number of incidents, mostly insignificant, in which malware was planted on a hacked site is rising, and WHID is not the right place to list all of them. We currently report such incidents if the hacked site is of interest or if the attack method is known.
References:
Reported: 19 December 2007; Occurred: 01 December 2007
Classifications:
- Attack Method: Unknown
- Country: USA
- Outcome: Leakage of Information
- Vertical: Education
The personal data of nearly 1,400 prospective Duke Law School students may have been stolen by a hacker from two separate databases, one including the prospective students' data and another filled with requests for information about the school.
References:
Reported: 21 November 2007; Occurred: 20 November 2007
Classifications:
- Attack Method: Unknown
- Country: USA
- Outcome: Planting of Malware
- Vertical: Internet
A crimeware iframe tag on a site is not news anymore. On Monster.com it is.
References:
Reported: 20 November 2007; Occurred: 01 March 2005
Classifications:
- Attack Method: Abuse of Functionality
- Country: USA
- Outcome: Monetary Loss
A woman exploited a bug in the QVC shopping network web site to get, without paying, more than 1800 items worth $412,000 from March to November 2005. The glitch enabled her to cancel orders she placed at a specific time and still get the product.
References:
Reported: 07 November 2007; Occurred: 18 September 2007
Classifications:
- Attack Method: Unknown
- Country: USA
- Outcome: Leakage of Information
- Vertical: Media
Vertical Web Media, publisher of Internet Retailer magazine, suffered a security breach in which credit card information of readers was stolen. The irony is that Internet Retailer magazine covers the risks of e-commerce. While the actual technique used is not known, the signs are that it was a web hack, as it was carried out by a distributed network of bots all over the world and since the information stolen belonged to customers who paid online. The information stolen includes names, addresses, e-mail addresses, phone numbers, credit card account numbers and card expiration dates. The number of records stolen is unknown.
References:
Reported: 07 November 2007; Occurred: 11 September 2007
Classifications:
- Attack Method: Unknown
- Country: New Zealand
- Outcome: Information Warfare
- Outcome: Leakage of Information
- Vertical: Government
An attack on New Zealand government web sites required New Zealand Prime Minister Helen Clark to comment and assure the public that no confidential information was stolen. However, official sources in New Zealand confirm that attacks were carried out by unnamed, but known, foreign governments on New Zealand government web sites and that they resulted in the theft of information.
References:
Reported: 07 November 2007; Occurred: 23 September 2007
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Country: USA
- Outcome: Disclosure Only
- Vertical: Retail
A small XSS vulnerability caught RSnake's eye. What makes it different, after all, when xssed.com lists thousands and thousands of those? What caught RSnake's eye was the vulnerable site. TJMaxx earned the reputation as the company that suffered the biggest security breach ever. You would expect them to be more careful.
References:
Reported: 07 November 2007; Occurred: 03 October 2007
Classifications:
- Attack Method: Unknown
- Country: China
- Outcome: Planting of Malware
- Vertical: Media
Defacements are a dime a dozen these days, and are not normally reported by WHID. Even invisible defacements, in which sites are changed in order to infect their clients with malicious code, are becoming too common. But this time it is the site of a security organization, and not just any one, but China's internet security organization. So in light of the hot debate about China as the source of all hacking, we think that this story has value.
References:
Reported: 07 November 2007; Occurred: 17 September 2007
Classifications:
- Attack Method: Unintentional Information Disclosure
- Country: UK
- Outcome: Leakage of Information
- Vertical: Security & Law Enforcement
An Excel spreadsheet was published on the web containing sensitive information regarding police officers in York, England. The information included Social Security numbers of 46 officers and the home addresses of 74 officers. As a result, the identities of 3 officers were stolen.
While the information was pulled offline after a short period of time, it remained in the cache of several major search engines.
References:
Reported: 07 November 2007; Occurred: 02 November 2007
Classifications:
- Attack Method: Redirection
- Country: Global
- Outcome: Phishing
- Vertical: Internet
While most WHID entries are about web site breaches, sometimes a vulnerability in a web application is used indirectly. Redirection functions in web applications are commonly used by spammers and phishers. They allow them to include an honest looking URL in their e-mail, this way bypassing spam filters and observant users.
Symantec's response team found an actively used alternative on the best known page on the internet: Google's primary search page. By using Google's famous "I'm Feeling Lucky" feature, the spammer can automatically lead the victim to the first result of a search. All the spammer is left with is finding a query for which his site would pop up first on Google.
This method has another advantage over a redirection page: as the final target is specified by a search string and not by a URL, it bypasses smarter filters that know, or learn, that a URL as a parameter of a URL is most probably a redirection.
References:
Reported: 05 November 2007; Occurred: 05 November 2007
Classifications:
- Attack Method: Denial of Service
- Country: Australia
- Outcome: Loss of Sales
- Vertical: Retail
It seems that there is a new trend of disrupting online bidding using denial of service attacks. In this case, an auction for 37 very expensive watches was halted 20 minutes before the end as the site crashed, in what official sources describe as a hacker attack that did not result in a site compromise.
References:
Reported: 04 November 2007; Occurred: 30 September 2007
Classifications:
- Attack Method: SQL Injection
- Country: USA
- Outcome: Leakage of Information
- Vertical: Retail
The web servers of Scarborough & Tweed, a company that sells corporate gifts online, were compromised, and information about 570 customers may have been accessed using an SQL injection attack. The information includes customers' names, addresses, telephone numbers, account numbers, and credit card numbers.
References:
Reported: 29 October 2007 | Occurred: 28 October 2007
Classifications:
- Attack Method: Unknown
- Country: Global
- Outcome: Leakage of Information
- Vertical: Retail
A hacker gained access to the names and encrypted credit card numbers of Arts.com customers. While the attack method is not known, since the information belonged to online shoppers who made transactions from July to September, we assume it was a web site breach.
References:
Reported: 25 October 2007 | Occurred: 01 November 2004
Classifications:
- Attack Method: Insufficient Authentication
- Attack Method: Predictable Resource Location
- Outcome: Disclosure Only
Following a software upgrade, Cahoot, a UK-based Internet-only bank, allowed access to user accounts by guessing their user names. At least one page allowed access to an account by specifying only the user name in the URL. The bug was open for 12 days before being discovered.
The site was taken offline for 10 hours to fix the issue. It is a significant incident, as it is one of those rare occasions where a vulnerability was serious enough to force the organization to take the site offline until it was fixed.
We somehow missed this story, so it finds its way into WHID only now, in late 2007.
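The failure pattern in this entry, as an added example that is not Cahoot's code and not part of the original entry: a page handler that takes the user name from the URL and returns that account, beside a fixed handler that takes the identity only from an authenticated server-side session and never consults the URL parameter. The account records, password hashes and session store are constructed for the example.

```python
"""Account page keyed on a URL parameter versus on the server-side session.

Added example, not Cahoot's code: the vulnerable handler returns whatever
account the ?user= parameter names; the fixed one maps the session cookie
to an authenticated user and ignores the URL entirely.
Account data, passwords and the session store are constructed.
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlparse


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password: str, balance: float) -> dict:
    salt = os.urandom(16)  # per-user salt
    return {"salt": salt, "hash": _hash_pw(password, salt), "account": {"balance": balance}}


# Constructed users; passwords are only here so the example can log in.
USERS = {
    "alice": _make_user("correct horse", 1200.50),
    "bob": _make_user("battery staple", 80.00),
}
SESSIONS: dict = {}  # session id -> authenticated user name


def login(user: str, password: str) -> Optional[str]:
    """Return a fresh random session id on success, None otherwise."""
    u = USERS.get(user)
    if u is None or not hmac.compare_digest(u["hash"], _hash_pw(password, u["salt"])):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return sid


def vulnerable_account_page(url: str) -> Optional[dict]:
    """Trusts ?user= in the URL: anyone who guesses a user name sees the account."""
    user = parse_qs(urlparse(url).query).get("user", [None])[0]
    u = USERS.get(user)
    return u["account"] if u else None


def fixed_account_page(url: str, session_cookie: Optional[str]) -> Optional[dict]:
    """Identity comes only from the session cookie; the URL is not consulted."""
    user = SESSIONS.get(session_cookie) if session_cookie else None
    if user is None:
        return None  # unauthenticated request: no account data at all
    return USERS[user]["account"]
```

The fixed handler still accepts a `user` parameter in the URL, which is harmless precisely because nothing reads it; a request carrying bob's cookie and `?user=alice` gets bob's account.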
References:
Reported: 25 October 2007 | Occurred: 23 October 2007
Classifications:
- Attack Method: Denial of Service
- Country: USA
- Outcome: Loss of Sales
- Vertical: Sports
The web site of the Rockies was taken down by a denial of service attack, preventing fans from buying tickets for the World Series games.
As with any DDoS attack, it is very hard to know whether it was an application layer or a network layer attack, but since it had a very significant financial impact by crippling a web site, we think it deserves a place in WHID.
References:
Reported: 17 October 2007 | Occurred: 09 October 2007
Classifications:
- Attack Method: Unknown
- Country: USA
- Outcome: Leakage of Information
- Vertical: Education
Information including the birth dates and social security numbers of 1400 students who enrolled online at Montana State University has been stolen by hackers. While no technical explanation is provided, the fact that only students who enrolled online were affected points to a web site breach.
References:
Reported: 12 October 2007 | Occurred: 10 October 2007
Classifications:
- Attack Method: SQL Injection
- Country: USA
- Outcome: Leakage of Information
- Vertical: Finance
3,000 records were exposed and 20 actually stolen at Commerce Bank, a small bank in the central USA. While the vulnerability exploited is not clear, SQL injection was mentioned. The record is therefore uncertain and, based on further information, it might be withdrawn.
References:
Reported: 11 October 2007 | Occurred: 02 October 2007
Classifications:
- Attack Method: Unintentional Information Disclosure
- Country: USA
- Outcome: Leakage of Information
- Vertical: Education
Personal information on anyone who worked or volunteered for the Pembroke schools in the last four years was accessible via the Internet because of a weakness in the district's computer system. The information, including names, birth dates and Social Security numbers, was available from May until October 2, when school officials learned of the problem.
References:
Reported: 10 October 2007 | Occurred: 09 October 2007
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Country: Australia
- Outcome: Defacement
- Vertical: Politics
Using XSS on the sites of both major Australian political parties, a security researcher nicknamed Bsoric caused the Liberal Party's web site to read "John Howard says: I want to suck your blood", while another script caused a window to pop up on the Labor Party's web site urging viewers to "Vote Liberal!"
References:
Reported: 10 October 2007 | Occurred: 06 October 2007
Classifications:
- Attack Method: Insufficient Authentication
- Country: USA
- Outcome: Loss of Sales
- Vertical: Retail
A hacker exploited a leftover admin function on eBay to block users and close sales.
References:
Reported: 03 September 2007 | Occurred: 29 August 2007
Classifications:
- Attack Method: Unknown
- Country: Spain
- Outcome: Defacement
- Vertical: Government
Yet another defacement, and as usual in the political arena. However, this one is worth a note because the attack is very targeted, while such political defacements are usually carried out quite randomly against sites loosely related to the opponent and have little to do with the actual message the attackers want to convey. In this case the defacement seems to be a direct response to the hot debate about housing prices in Spain.
References:
Reported: 03 September 2007 | Occurred: 02 September 2007
Classifications:
- Attack Method: Unknown
- Country: India
- Outcome: Planting of Malware
- Vertical: Finance
This very serious hacking incident provides insight into many of the failures of information security in general and web application security in particular, beyond the simple fact that the web site of the largest state-owned bank in India was invisibly defaced with Trojan-planting code.
Firstly, the entire discussion in the references is about the Trojan payload, with no word about the vulnerability that led to the defacement. In fact, a reviewer on the SiteAdvisor report gives the web site a green mark after the Trojan is removed, without requiring any information about the actual problem.
Secondly, most trust systems, including SiteAdvisor, completely fail to detect the breach. This makes me think about those trust models: they check that the site has not been breached, while they should check that the site is not vulnerable. I guess the reason is that their primary goal is to detect intentionally malicious sites rather than breaches of legitimate sites, but others use them to assess the security level of the latter.
References:
Reported: 02 September 2007 | Occurred: 29 August 2007
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Country: New Zealand
- Outcome: Defacement
- Vertical: Media
Still a defacement, but this time with a twist: it was a genuine XSS page-rewriting attack, carried out by well-known people as a stunt. No information is provided on how the XSS vector found its way to the victims' computers.
References:
Reported: 02 September 2007 | Occurred: 20 August 2007
Classifications:
- Attack Method: Known Vulnerability
- Country: USA
- Outcome: Defacement
- Vertical: Government
Defacements seem to dominate the list recently, probably because they are visible to everyone. Two important conclusions from this particular one are that patch management is a key problem, and that it is a problem mainly at government sites across the world.
References:
Reported: 30 August 2007 | Occurred: 24 July 2007
Classifications:
- Attack Method: Unknown
- Country: Peru
- Outcome: Defacement
- Vertical: Politics
Defacements seem to be starting to dominate this list. Alas, they are the most obvious web site hacks out there. While not every defacement is reported in the Web Hacking Incidents Database, key ones are. I included this one since the attacked web site is significant, and since it emphasizes what is becoming a major motive for attacks: politics and international affairs.
As a side note, this incident is also interesting because the attack was repeated after being discovered and presumably fixed, which goes a long way to show how much effort protecting a web site takes and how difficult it can be.
References:
Reported: 30 August 2007 | Occurred: 07 August 2007
Classifications:
- Attack Method: SQL Injection
- Attack Method: OS Commanding
- Vertical: Technology
This gem is very interesting since it happened on Gentoo servers. It therefore combines the transparency into the incident that only an open source project can offer with the importance and resources of a large one. As a result we have a detailed report about the vulnerability, the exploit attempts and even people shouting at each other during the patching process.
What can we learn from this? That no server is secure, and that patching is hard.
References:
Reported: 14 August 2007 | Occurred: 31 December 2005
Classifications:
While lacking in technical details, this story is certainly juicy. It demonstrates well the business use of web site hacking. The downside is that the hacker got only a minimal punishment, which, unless the incident itself is overrated in the media, is a very bad sign of how courts view computer crime.
References:
Reported: 13 August 2007 | Occurred: 12 August 2007
Classifications:
- Attack Method: SQL Injection
- Country: United Nations
- Outcome: Defacement
- Vertical: Government
Defacements are usually beyond the scope of the Web Hacking Incidents Database. We only publish those that stand out, and this one certainly does.
The site of the United Nations was broken into and defaced using a pretty basic SQL injection technique; the referenced article has all the details.
References:
Reported: 12 August 2007 | Occurred: 01 August 2007
Classifications:
- Attack Method: Known Vulnerability
- Attack Method: OS Commanding
- Country: Germany
- Outcome: Downtime
- Software: Confixx
- Vertical: Service Providers
A command injection vulnerability at 1&1, a large German hosting provider, led to denial of service and possible home page modification on 30 servers and up to 1700 web sites.
References:
Reported: 30 July 2007 | Occurred: 25 July 2007
Classifications:
- Attack Method: Insufficient Authentication
- Country: USA
- Outcome: Leakage of Information
- Vertical: Health
In a classic case of lack of proper separation between production and development sites, an application still under development, lacking proper authentication and authorization, was installed on a hospital's public web site, enabling anyone to query a database of 51,000 names, addresses and social security numbers.
References:
Reported: 25 July 2007 | Occurred: 23 July 2007
Classifications:
- Attack Method: Unintentional Information Disclosure
- Country: USA
- Outcome: Leakage of Information
- Vertical: Media
Fox News left non-public files in a directory accessible to everyone on their web server.
References:
Reported: 22 July 2007 | Occurred: 20 July 2007
Classifications:
- Attack Method: Unknown
- Country: Thailand
- Outcome: Defacement
- Vertical: Government
While defacements are usually not the bread and butter of this database, when one hits an important government site, especially that of a ministry in charge of information technology, it is worth mentioning.
References:
Reported: 01 July 2007 | Occurred: 17 May 2007
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Country: Germany
- Outcome: Disclosure Only
- Vertical: Finance
I seldom add disclosures to WHID anymore, even less XSS disclosures, but since this time they were discovered in banking sites, I thought it was worth it. After all, too often people think that application vulnerabilities are found only at less "serious" or less "important" web sites where no real damage can occur.
References:
Reported: 01 July 2007 | Occurred: 15 June 2007
Classifications:
- Attack Method: Unknown
- Outcome: Leakage of Information
Somebody snatched the names, social security numbers and birth dates of approximately 1500 students at the UC Davis vet school. The indication is that the web application used by the students was at fault. The school's web site described the incident as the result of "the computer attacker being able to manipulate a university computing application to accept unauthorized commands". A disgruntled cow?
References:
Reported: 01 July 2007 | Occurred: 27 June 2007
Classifications:
- Attack Method: SQL Injection
- Country: UK
- Outcome: Defacement
- Vertical: Technology
Yet another defacement, but with a very high-profile target and a detailed description of the attack, which took advantage of an SQL injection vulnerability. The report even includes a video recording of the attack.
References:
Reported: 26 June 2007 | Occurred: 22 June 2007
Classifications:
- Attack Method: Unknown
- Country: Belgium
- Outcome: Defacement
- Vertical: Security & Law Enforcement
As you may know, defacements usually do not find their way into WHID, especially if the method used is not known. However, since in this case the victim was the Belgian police, I thought it was worth including.
References:
Reported: 17 June 2007 | Occurred: 13 June 2007
Classifications:
- Attack Method: Insufficient Authentication
- Country: Jamaica
- Country: USA
- Outcome: Deceit
- Vertical: Government
If you live in a country from which you need a visa to get to the States, you knew this would happen. The US online visa appointment system is very open. Indeed, too open. Someone in Jamaica took advantage of this to pre-allocate appointments.
While this might be classified as a business process design flaw, isn't security also about this?
References:
Reported: 12 June 2007 | Occurred: 19 April 2007
Classifications:
- Attack Method: Unknown
- Country: USA
- Outcome: Leakage of Information
- Vertical: Education
An undisclosed vulnerability in a web application at the University of Virginia allowed hackers to access the names, social security numbers and birth dates of faculty members from May 2005 until April 2007. Approximately 5700 records were stolen in 54 distinct break-ins.
References:
Reported: 12 June 2007 | Occurred: 03 June 2007
Classifications:
- Attack Method: Unintentional Information Disclosure
- Country: USA
- Outcome: Leakage of Information
- Vertical: Security & Law Enforcement
A spreadsheet left on the web site of the US office of national intelligence includes secret information on the total budget of US intelligence. Interestingly, not all the required information appears in the document, but combined with other pieces of information made available earlier, the total can be calculated.
This is a very interesting example of the sensitivity of partial data or small pieces of information, not just the big secrets.
References:
Reported: 12 June 2007 | Occurred: 10 June 2007
Classifications:
- Attack Method: Unknown
- Country: India
- Outcome: Defacement
- Vertical: Government
The web site of the chief minister of Kerala (an Indian state) was hacked and defaced. The local police have contacted Interpol for help in finding who is behind the attack.
References:
Reported: 12 June 2007 | Occurred: 11 June 2007
Classifications:
- Attack Method: Insufficient Anti-automation
- Attack Method: Insufficient Session Expiration
- Country: USA
- Outcome: Deceit
- Vertical: Media
The CNBC stock trading reality TV show was even more real than the contenders thought it would be. It seems that players learned to cheat the game by opening the browser form to buy a stock before the market closed and submitting the transaction, at the price set in the form, only after the close, when more information was already available.
The interesting anecdote is that the person who discovered the issue had used a different, but also questionable, technique: maintaining a very large number of portfolios managed by automated programs, exploiting the fact that the game allowed a user to have any number of portfolios but counted only the best one. Kosher, but stinks.
This story reminds me of an older story about a predictable delay in a poker game that enabled gamblers to beat the house.
References:
Reported: 12 June 2007 | Occurred: 30 May 2007
Classifications:
- Attack Method: Unintentional Information Disclosure
- Country: USA
- Outcome: Leakage of Information
- Vertical: Internet
Google left some files in the wrong place at the wrong time. These files included, surprisingly, database connection strings, complete with a user name and a password. Hardly news, but this time it is Google.
References:
Reported: 12 June 2007 | Occurred: 19 May 2007
Classifications:
- Attack Method: Unknown
- Country: USA
- Outcome: Leakage of Information
- Vertical: Education
Approximately 1100 personal information records of students and faculty members, including social security numbers, were exposed by a vulnerable web application at the Molecular and Cellular Biology program of the University of Iowa. The report suggests that the application was actually compromised.
References:
Reported: 17 May 2007 | Occurred: 15 January 2007
Classifications:
- Attack Method: SQL Injection
- Country: Belgium
- Origin: Turkey
- Outcome: Defacement
- Vertical: Security & Law Enforcement
The site of the Belgian Defense Ministry was defaced by Turks protesting pro-Kurdish remarks by the Belgian government.
References:
Reported: 14 May 2007 | Occurred: 10 May 2007
Classifications:
- Attack Method: SQL Injection
- Country: Sweden
- Outcome: Leakage of Information
- Vertical: Internet
The Pirate Bay is a BitTorrent information exchange and blog site. Hackers used an SQL injection vulnerability in the web site to steal the user names and passwords of 1.6 million users. At least the passwords were hashed, which means the hacker needs password cracking software and only the weak passwords will be recovered.
This incident highlights the web authentication problem: just think how many of those users use the same user name and password on many other sites.
References:
Reported: 09 May 2007 | Occurred: 08 May 2007
Classifications:
- Attack Method: Unintentional Information Disclosure
- Country: USA
- Outcome: Leakage of Information
- Vertical: Education
A report within the help desk system used to track the status of open service calls created a file that was accessible to everyone. A hacker abused the problem to get information about 22,000 current and former students.
References:
Reported: 06 May 2007 | Occurred: 03 May 2005
Classifications:
- Attack Method: SQL Injection
- Country: USA
- Origin: Saudi Arabia
- Outcome: Defacement
- Vertical: Technology
This incredible story from our friends at Zone-H sheds light on one of those defacement attacks which usually go unexplained. This time an infamous Saudi Arabian hacker abused an SQL injection vulnerability in the Internet Explorer Administration Kit web site. And guess what type of SQL injection: a login form SQL injection!
References:
Reported: 26 April 2007 | Occurred: 23 April 2007
Classifications:
- Attack Method: Credential/Session Prediction
- Country: Australia
- Outcome: Leakage of Information
- Vertical: Media
The site of "Big Brother", a reality show in Australia, issued duplicate session IDs to different users after the session ID pool was exhausted. Naturally, the second person to get a given session ID got to see all the details of the first!
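The failure in this entry, as an added example that is not the site's own code: a session issuer that hands out identifiers from a fixed pool and wraps around once the pool is used up, so a later visitor receives an id that an earlier visitor still holds, beside an issuer that draws 128 bits from the operating system's CSPRNG and checks for reuse. Pool size and visitor counts are constructed.

```python
"""Session identifiers from a small fixed pool versus from a CSPRNG.

Added example, not code from the Big Brother site: the pooled issuer
re-issues a live id once it wraps, which is exactly the bug the entry
describes; the random issuer makes reuse practically impossible and
still verifies it. Pool size and user counts are constructed.
"""
import secrets


class PooledSessionIds:
    """Issues ids 0..pool_size-1 in order and wraps when the pool is exhausted."""

    def __init__(self, pool_size: int):
        self.pool_size = pool_size
        self.next_id = 0
        self.holders: dict = {}  # session id -> user currently holding it

    def issue(self, user: str) -> str:
        sid = f"{self.next_id:08d}"
        self.next_id = (self.next_id + 1) % self.pool_size
        self.holders[sid] = user  # silently takes over a session that is still live
        return sid


class RandomSessionIds:
    """128-bit ids from os.urandom via the secrets module, checked against live ids."""

    def __init__(self):
        self.holders: dict = {}

    def issue(self, user: str) -> str:
        while True:
            sid = secrets.token_hex(16)  # 32 hex chars = 128 bits of entropy
            if sid not in self.holders:  # the loop body effectively never repeats
                self.holders[sid] = user
                return sid


def first_collision(issuer, n_users: int):
    """Log in n_users in turn; return (earlier_user, later_user, sid) for the
    first id handed to two different users, or None if every id was unique."""
    seen: dict = {}
    for i in range(n_users):
        user = f"user{i}"
        sid = issuer.issue(user)
        if sid in seen:
            return (seen[sid], user, sid)
        seen[sid] = user
    return None


if __name__ == "__main__":
    print("pool of 100, 150 logins:", first_collision(PooledSessionIds(100), 150))
    print("random ids, 10000 logins:", first_collision(RandomSessionIds(), 10000))
```

With a pool of 100 the 101st login is handed the first user's id; with random 128-bit ids no collision appears in ten thousand logins, and a second sign-in would have to be the one that survives a birthday-bound collision that does not happen in practice.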
References:
Reported: 23 April 2007 | Occurred: 23 April 2007
Classifications:
- Attack Method: Unintentional Information Disclosure
- Country: USA
- Outcome: Leakage of Information
- Vertical: Government
Details about 63,000 loans granted to farmers by the USDA (the US Department of Agriculture) were posted online by mistake.
References:
Reported: 18 April 2007 | Occurred: 01 November 2005
Classifications:
- Attack Method: SQL Injection
3,800 customer credit card numbers were stolen in an attack on the Guidance Software web site. This incident is made more severe by the fact that Guidance Software is a provider of software for investigating security breaches, and many of its clients are security and law enforcement agencies, some of them known to be affected.
As usual in such cases, the actual way in which the information was stolen was not disclosed. A Federal Trade Commission report on the incident, published only in 2007, revealed that the incident was the result of an SQL injection attack on Guidance's servers. In a settlement with the FTC, Guidance agreed to implement a comprehensive information security program, including independent third-party audits every other year for the next ten years.
References:
Reported: 05 April 2007 | Occurred: 09 February 2007
Classifications:
- Attack Method: Insufficient Authentication
- Country: USA
- Outcome: Defacement
- Vertical: Education
Two girls modified a school's home page by adding a note that the school was closed due to a snow storm. The attack was probably carried out using a rogue admin account.
References:
Reported: 02 April 2007 | Occurred: 11 January 2007
Classifications:
- Attack Method: Credential/Session Prediction
- Country: USA
- Outcome: Loss of Sales
- Vertical: Technology
A priority code, used to get a free platinum pass to Macworld Expo, was validated on the client side and enabled anyone to get the pass for free. While "grutz" informed the organizers about it, when they went over their log files they found that others had abused the vulnerability without telling anyone.
References:
Reported: 02 April 2007 | Occurred: 22 December 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
Zone-H is one of the best (well, the best, not just one of them) web sites to follow if you are interested in what the bad guys do. Their account of how their own web site was defaced is a classic. And no, it was not their fault. The incident shows how a seemingly minor vulnerability in a major web site (a Hotmail XSS bug) can be used to deface another, unrelated site in a very elaborate and targeted attack.
References:
Reported: 02 April 2007 | Occurred: 21 February 2007
Classifications:
- Attack Method: Unknown
- Country: USA
- Outcome: Leakage of Information
- Vertical: Education
The personal information of about 3,000 current and former Georgia Tech employees may have been compromised. The information included names, addresses, Social Security numbers and other sensitive data, including about 400 state purchasing card numbers.
References:
Reported: 02 April 2007 | Occurred: 02 March 2007
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Attack Method: SQL Injection
- Country: Germany
- Outcome: Disclosure Only
- Vertical: Retail
While vulnerabilities in public web sites are a dime a dozen these days and rarely included in WHID, a classic SQL injection in the login form on the home page of the web site of a very big company is worth an entry. In my presentations I usually claim that such vulnerabilities disappeared years ago and then go on to show advanced SQL injection techniques. It seems that they still exist.
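The login form SQL injection this entry (and the IEAK entry above) refers to, as an added example that is not code from either site: a login check that builds its query by string concatenation, beside the same check with a parameterized query, run against a constructed in-memory SQLite table. Passwords are kept in clear text purely so the injected predicate is easy to read; a real system compares password hashes.

```python
"""Login form SQL injection: concatenated query versus bound parameters.

Added example, not code from any site in the WHID entries. The users
table and credentials are constructed; the plain-text password column
exists only to keep the injection visible (store hashes in real code).
"""
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse')")  # constructed
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """User input is pasted into the SQL text, so quotes and comments
    from the form become part of the query."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Same check with placeholders: the input is only ever data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # "admin' --" closes the string and comments out the password check.
    print("vulnerable, comment payload:", vulnerable_login(db, "admin' --", "anything"))
    # "' OR '1'='1" in the password makes the WHERE clause always true.
    print("vulnerable, tautology payload:", vulnerable_login(db, "nobody", "' OR '1'='1"))
    print("safe, comment payload:", safe_login(db, "admin' --", "anything"))
    print("safe, real credentials:", safe_login(db, "admin", "correct horse"))
```

The two payloads show the two classic shapes: the comment payload needs only a known user name, the tautology payload needs none at all and returns the first row in the table, which is usually the administrator.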
References:
Reported: 30 March 2007 | Occurred: 27 November 2006
Classifications:
A small credit union web site was hacked and its traffic redirected to a pharming site. About 180 users were redirected, of whom 12 were tricked into providing their personal information to the attackers. $500 is known to have been stolen from one of the victims.
References:
Reported: 30 March 2007 | Occurred: 02 February 2007
Classifications:
- Attack Method: Unknown
- Country: USA
- Outcome: Planting of Malware
- Vertical: Sports
Hackers penetrated the Dolphin Stadium web site just days before the Super Bowl was held there and modified the home page to include a Trojan-planting script.
References:
Reported: 30 March 2007 | Occurred: 29 January 2007
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Country: Canada
- Outcome: Defacement
- Vertical: Technology
Nokia's Canadian Web Site was defaced using an XSS attack.
References:
Reported: 30 March 2007 | Occurred: 17 December 2006
Classifications:
- Attack Method: Content Spoofing
A Korean shopping system was vulnerable to hidden field manipulation, and a determined hacker purchased $6000 worth of merchandise at 45 stores for much less.
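The shared lesson of this entry and of the CNBC trading game entry above, as an added example that is not code from either site: a checkout that takes the price carried in the submitted form (a hidden field, or a form rendered before the market closed) at face value, beside one that ignores every client-supplied amount, prices the order from the server's own catalogue at the moment it is accepted, and refuses orders that arrive outside the trading window. The catalogue, the clock and the submitted forms are constructed.

```python
"""Server-side repricing of a submitted order.

Added example covering the hidden-field entry and the CNBC entry; not
code from either site. The vulnerable checkout charges whatever the form
says; the safe one never reads the form's price, looks the item up at
acceptance time, and rejects late submissions. All data is constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

CATALOGUE = {"SKU-1": 120.00, "SKU-2": 45.00}  # constructed current prices
OPEN, CLOSE = 9 * 3600, 16 * 3600  # trading window, seconds since midnight


@dataclass
class Order:
    sku: str
    qty: int
    charged: float


def vulnerable_checkout(form: dict) -> Order:
    """Trusts the hidden 'price' field the client posted back."""
    qty = int(form["qty"])
    return Order(form["sku"], qty, qty * float(form["price"]))


def safe_checkout(form: dict, now: int, catalogue: dict = CATALOGUE) -> Tuple[Optional[Order], str]:
    """Returns (order, "") or (None, reason). The form's price is never read;
    the authoritative price is whatever the catalogue says when the order
    is accepted, and acceptance only happens inside the trading window."""
    if not (OPEN <= now < CLOSE):
        return None, "orders are accepted only while trading is open"
    sku = form.get("sku")
    try:
        qty = int(form.get("qty", "0"))
    except ValueError:
        return None, "bad quantity"
    if sku not in catalogue or qty <= 0:
        return None, "unknown item or bad quantity"
    return Order(sku, qty, qty * catalogue[sku]), ""


if __name__ == "__main__":
    # Constructed form: the client changed the hidden price from 120.00 to 1.00.
    tampered = {"sku": "SKU-1", "qty": "3", "price": "1.00"}
    print("vulnerable:", vulnerable_checkout(tampered))
    print("safe, during trading:", safe_checkout(tampered, now=10 * 3600))
    print("safe, after close:", safe_checkout(tampered, now=17 * 3600))
    # The form was rendered earlier; the price moved before submission.
    print("safe, repriced:", safe_checkout(tampered, now=10 * 3600, catalogue={"SKU-1": 130.00}))
```

The repriced call is the CNBC case: what the form showed when it was opened is irrelevant, the order is filled at the price in force when the server accepts it, and not at all once the window is shut.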
References:
Reported: 29 March 2007 | Occurred: 23 February 2007
Classifications:
- Attack Method: Unknown
- Country: USA
- Outcome: Leakage of Information
- Vertical: Retail
Names and social security numbers of former employees of Fruit of the Loom were available for download from the company's web site.
References:
Reported: 29 March 2007 | Occurred: 02 March 2007
Classifications:
- Attack Method: Other
- Outcome: Planting of Malware
- Software: WordPress
A backdoor was planted in a new official release of WordPress, the most popular blogging software in the world. It was available for download for a few days before the backdoor was found.
References:
Reported: 29 March 2007 | Occurred: 02 March 2007
Classifications:
- Attack Method: Unintentional Information Disclosure
- Country: USA
- Outcome: Leakage of Information
- Vertical: Health
Personal information about 2,000 patients was mistakenly published on a hospital's web site. The leak was discovered only when a patient found her information while "Googling" herself.
The information included personal data such as social security numbers, birth dates, addresses, phone numbers, insurance numbers and, in some cases, the reason for the visit.
References:
Reported: 29 March 2007 | Occurred: 18 February 2007
Classifications:
- Attack Method: Unknown
- Country: USA
- Outcome: Identity Theft
- Outcome: Monetary Loss
- Outcome: Leakage of Information
- Vertical: Retail
11,500 credit card numbers were stolen from the web site of Johnny's Selected Seeds, a small ($13M in annual revenue) online vendor of seeds in Maine. 20 of these are known to have been abused. As usual, the hack was discovered because of fraudulent use of the stolen credit cards rather than by the security measures protecting the web site.
The direct cost of the breach, including informing customers, investigating the incident and upgrading the protection of the web site, came to tens of thousands of dollars.
References:
Reported: 29 March 2007 | Occurred: 27 March 2007
Classifications:
- Attack Method: Misconfiguration
- Country: USA
- Outcome: Defacement
- Vertical: Politics
An open source developer virtually defaced John McCain's MySpace page. He did not have to commit any crime, because the page hotlinked an image directly from the developer's own site, which he was free to replace.
References:
Reported: 27 March 2007 | Occurred: 10 March 2007
Classifications:
- Attack Method: Unintentional Information Disclosure
- Country: USA
- Outcome: Leakage of Information
- Vertical: Education
A student at a community college in Sacramento who was "Googling" himself last month found his name, among 2000 others, in a file accidentally left online by school staff and picked up by the Google crawler.
References:
Reported: 26 March 2007 | Occurred: 10 March 2007
Classifications:
- Attack Method: Unintentional Information Disclosure
- Country: USA
- Outcome: Leakage of Information
- Vertical: Education
Personal information for about 2,700 University of Idaho employees was inadvertently posted at the school's Web site for 19 days in February, though officials say it was not easy to access and there's no reason yet to believe it was misused.
References:
Reported: 26 March 2007 | Occurred: 03 January 2007
Classifications:
- Attack Method: Unknown
- Country: USA
- Outcome: Leakage of Information
- Vertical: Government
On January 3, a hacker broke into Indiana's government web site and made off with personal information for 71,000 health care aides who obtained certifications from the state, as well as 5,600 credit card numbers from people who had paid the state through the IN.gov web site. While officials in Indiana tried to write it off as a harmless prank played by a teenager, the U.S. Department of Justice has also been investigating the case, and they believe the same hacker is responsible for attempts on other state government web sites.
References:
Reported: 27 July 2006 | Occurred: 26 July 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
Most XSS vulnerabilities are benign in practice, and in many cases hardly exploitable. In this case Netscape's new Digg-like social news site was hacked using a persistent XSS attack, so every viewer of the site was attacked, luckily only to be shown funny dialog boxes.
References:
- Netscape.com hacked
Blog Entry, F-Secure, 26 July 2006
- Netscape.com hit with cross-site scripting attack
News Story, Search Security, 26 July 2006
- AOL Fixes Netscape.com XSS Hack
News Story, Beta News, 26 July 2006
- Netscape Hacked, Professor Denies Sexiness Claims
News Story, SecurityPro News, 26 July 2006
- NetScape.com - JavaScript Exploit Embaressment
Blog Entry, Threadwatch.org, 26 July 2006
Reported: 24 July 2006 | Occurred: 12 July 2006
Classifications:
- Attack Method: Insufficient Authorization
- Outcome: Disclosure Only
Altiris seems to have designed their servers so that it is easy both to access their customers' uploads and to find out their e-mail addresses.
References:
Reported: 24 July 2006 | Occurred: 16 June 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
While XSS vulnerabilities in public web sites are found daily, this one is of special interest. It was found in one of the sites most targeted by phishers, it was exploitable for phishing, and it was exploited. On top of that, it seems to have been discovered and reported to PayPal two years earlier but ignored due to a communication failure.
References:
Reported: 24 July 2006 | Occurred: 16 July 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Worm
MySpace seems to be a haven for XSS worms. This one is even more interesting as it uses JavaScript embedded in a Flash file. It also combines the popular political defacement trend with a high-level application layer exploit.
References:
Reported: 24 July 2006 | Occurred: 30 June 2006
Classifications:
- Attack Method: Insufficient Authorization
- Attack Method: Predictable Resource Location
- Outcome: Disclosure Only
MySpace bulletins, presumably accessible only to the social network of the originator, could be accessed by anyone by iterating through a message ID query parameter.
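The enumeration this entry describes, as an added example that is not MySpace code: bulletins stored under sequential ids, a fetch that returns whichever id is requested, and a fixed fetch that returns a bulletin only when the requester is its author or in the author's network. Both return nothing for forbidden and for nonexistent ids alike, so the id walk does not even reveal which ids exist. Users, friendships and bulletins are constructed.

```python
"""Bulletin lookup by sequential id, with and without an audience check.

Added example, not MySpace code: the vulnerable fetch ignores who is
asking; the fixed one checks the requester's relation to the author and
answers identically for 'forbidden' and 'no such bulletin'.
Users, friendships and bulletins are constructed.
"""
from typing import Callable, Optional, Tuple

Bulletin = Tuple[str, str]  # (author, text)

FRIENDS = {  # constructed, symmetric network
    "alice": {"bob"},
    "bob": {"alice"},
    "mallory": set(),
}
BULLETINS = {  # constructed; ids are small and sequential, as in the entry
    1: ("alice", "party on saturday"),
    2: ("bob", "lost my keys"),
    3: ("alice", "new phone number"),
}


def vulnerable_fetch(bid: int, requester: str) -> Optional[Bulletin]:
    """Returns the bulletin for any id; the requester is never looked at."""
    return BULLETINS.get(bid)


def fixed_fetch(bid: int, requester: str) -> Optional[Bulletin]:
    """Returns the bulletin only to its author or the author's network."""
    bulletin = BULLETINS.get(bid)
    if bulletin is None:
        return None
    author, _ = bulletin
    if requester == author or requester in FRIENDS.get(author, set()):
        return bulletin
    return None  # same answer as for a missing id: no existence oracle


def walk_ids(fetch: Callable[[int, str], Optional[Bulletin]], requester: str, max_id: int = 10) -> dict:
    """What an attacker iterating the id parameter gets to see."""
    found = {}
    for bid in range(1, max_id + 1):
        bulletin = fetch(bid, requester)
        if bulletin is not None:
            found[bid] = bulletin
    return found


if __name__ == "__main__":
    print("mallory, vulnerable:", walk_ids(vulnerable_fetch, "mallory"))
    print("mallory, fixed:", walk_ids(fixed_fetch, "mallory"))
    print("bob, fixed:", walk_ids(fixed_fetch, "bob"))
```

Unguessable ids would slow the walk but are not the fix; the check on the requester's relation to the object is, and it belongs in the fetch itself rather than in whichever page normally links to it.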
References:
Reported: 24 July 2006 | Occurred: 16 June 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Attack Method: Abuse of Functionality
A bug in MySpace allowed a single click on an incoming bulletin to forward it to all of the recipient's contacts, making spreading a worm (or any content, for that matter) far too easy.
References:
Reported: 24 July 2006 | Occurred: 04 July 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
An XSS vulnerability in the feature that allows adding an arbitrary RSS feed to personalized home pages. Since the page resides on the main www.google.com host, the executed JavaScript can access any Google resource served from that same origin.
References:
Reported: 09 May 2006 | Occurred: 05 May 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
A researcher found that script can be injected into the login error page of this site.
References:
Reported: 09 May 2006 | Occurred: 21 April 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Yahoo Mail does not properly filter the CSS "expression" keyword when it contains an encoded comment.
References:
Reported: 09 May 2006 | Occurred: 03 January 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
This community site allows including scripts in multiple locations, including one's personal profile, thus enabling XSS.
References:
Reported: 09 May 2006 | Occurred: 04 May 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Alexadex is an online investment game. There is an XSS vulnerability in its group-adding functionality.
References:
Reported: 09 May 2006 | Occurred: 28 April 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Libero.it is the web portal of a big Italian ISP offering dial-up, broadband and voice services. A script on its customer service pages that runs a connection speed test is vulnerable to XSS.
References:
Reported: 30 April 2006 | Occurred: 25 April 2006
Classifications:
- Attack Method: OS Commanding
A hacker successfully abused a vulnerability in Horde to penetrate a site owned by the National Security Agency of the Slovak Republic.
References:
Reported: 20 April 2006 | Occurred: 01 September 2004
Classifications:
- Attack Method: SQL Injection
This entry is a very important one. Most are already familiar with the infamous CardSystems incident, in which hackers stole 263,000 credit card numbers and exposed 40 million more, and several million dollars of fraudulent credit and debit card purchases were made with counterfeit cards. As a result of the breach CardSystems nearly went out of business and was eventually purchased by Pay By Touch. CardSystems is considered by many the most severe publicized information security breach ever, and it caused the company's shareholders, financial institutions and card holders damage in the millions of dollars.
But since the publication of the incident a year ago, the way in which the breach occurred remained a mystery.
Recently new articles about the case (listed below) revealed that SQL injection was used by the attackers to install a malicious script on the CardSystems web application database, scheduled to run every four days, extract records, zip them and export them to an FTP site.
This is one of the most stunning examples of a web application security hole being used to launch a targeted attack in order to steal money.
References:
- Cleaning up after a hack job: CardSystems' Christensen
News Story, Information Security (mirror), 14 April 2006
- FTC complaint In the Matter of CardSystems Solutions
Legal Document, FTC,
- Midrange CardSystems Wiki
Wiki, Midrange,
- CardSystems was a Web Application Hack
Mailing List Post, Cesar Cerrudo, Argeniss, 18 April 2006
- CardSystems Exposes 40 Million Identities
Blog Entry, Bruce Schneier, 23 June 2005
Reported: 20 April 2006; Occurred: 29 March 2006
Classifications:
- Attack Method: SQL Injection
- Outcome: Disclosure Only
www.incredibleindia.org is the official Indian government tourism website.
The researcher found that the parameter PageID in the page ms_Page.asp is vulnerable to SQL injection. He further verified that SQL error messages are returned, so the standard probing methods for finding out the number of columns and their types work.
References:
Reported: 20 April 2006; Occurred: 16 April 2006
Classifications:
Tlen.PL is a popular Polish IM system provided by o2.pl, which includes e-mail accounts. The e-mail client is web based, with a browser embedded in the communicator software. Certain webmail servers do not validate the e-mail subject for HTML tags, allowing an attacker to inject script code.
References:
Reported: 18 April 2006; Occurred: 17 April 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Phishing
An XSS vulnerability in Yahoo Mail is actively exploited for targeted phishing.
References:
Reported: 12 April 2006; Occurred: 01 January 2006
Classifications:
- Attack Method: SQL Injection
- Outcome: Disclosure Only
A CIO of a bank in Singapore reports that many application layer vulnerabilities, including SQL injection, were discovered in a banking application they purchased, before it was put into production.
References:
Reported: 12 April 2006; Occurred: 24 February 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Sourceforge download pages are vulnerable to XSS.
References:
Reported: 12 April 2006; Occurred: 12 February 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Everyone.net's login script (loginuser.pl) is prone to a cross-site scripting attack through the variable loginName.
References:
Reported: 12 April 2006; Occurred: 20 February 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
The $a variable in Hotmail's inbox is vulnerable to cross-site scripting. Exploitation requires the victim to open the e-mail message.
References:
Reported: 12 April 2006; Occurred: 18 October 2005
Classifications:
- Attack Method: Credential/Session Prediction
- Outcome: Disclosure Only
A bug in Gmail's authentication and session management allows direct login to anybody's account without requiring any involvement of the victim.
References:
Reported: 12 April 2006; Occurred: 10 January 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
ICQ.com's search script (search_result.php) is vulnerable to cross-site scripting attacks. The problem is due to a failure of the application to properly sanitize user input; the input can be passed to the vulnerable script in two variables (gender and home_country_code).
References:
Reported: 10 April 2006; Occurred: 09 April 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Sourceforge forums search is vulnerable to XSS.
References:
Reported: 10 April 2006; Occurred: 04 April 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Yet another Google XSS. This time it seems to hit the Arabic variant of the main search site. It seems that the language selector parameter itself enables the attack.
References:
Reported: 10 April 2006; Occurred: 05 April 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Forget putting <script> tags in an input field. This high-tech vulnerability exploits the code handling online/offline flags by inserting a malicious online/offline flag. Awesome.
References:
Reported: 10 April 2006; Occurred: 05 April 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
Israblog is a large Israeli blogging site. A hacker used XSS to hijack bloggers' sessions and deface their blogs. The defacement was used to inform the world that Israblog's lead developer is a bad programmer.
References:
Reported: 10 April 2006; Occurred: 31 March 2006
Classifications:
- Attack Method: Insufficient Authentication
A security hole in Sydney internet provider Astratel's LiveBilling online account management system has seriously compromised its customers' privacy. The service redirected users to a different server and propagated the user information in a hidden field without re-authenticating.
References:
Reported: 04 April 2006; Occurred: 19 April 1999
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Country: USA
- Outcome: Disclosure Only
A very early XSS issue at eBay. Interesting historically as it seems that at the time the term XSS was not yet in use.
References:
Reported: 04 April 2006; Occurred: 20 March 2006
Classifications:
- Attack Method: Weak Password Recovery Validation
- Outcome: Disclosure Only
A UK Security Consulting firm reports that 54 UK sites that it has surveyed have flaws in the "forgotten password" feature.
References:
Reported: 04 April 2006; Occurred: 06 March 2003
Classifications:
- Attack Method: Brute Force
While an old incident, further research into it suggests that it was a web hack. While the initial reports talk about a database break-in, a report in the Register identifies the database as txClass, which is a web-based system.
55,200 social security numbers were stolen, though the hacker claimed that he did not perform the act for profit. He was caught and sentenced to 5 years probation.
References:
Reported: 04 April 2006; Occurred: 04 April 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
eBay contains a cross-site scripting vulnerability. When an eBay user posts an auction, eBay allows SCRIPT tags to be included in the auction description, which creates a cross-site scripting vulnerability in the eBay website.
References:
Reported: 04 April 2006; Occurred: 17 March 2006
Classifications:
In this very interesting attack a hacker broke into the informational web sites of several smaller banks in Florida. He then changed the link on the informational pages that points to the outsourced transactional web site so that it pointed to his own phishing site.
While the vulnerability that enabled the hacker to penetrate the informational sites is not known, this is a very interesting example of a targeted web attack. It highlights the importance of protecting every web site and not just the core business logic.
References:
Reported: 29 March 2006; Occurred: 28 January 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Hotmail's filtering engine insufficiently filters JavaScript. It is possible to write JavaScript in the BGCOLOR attribute of the BODY tag, using CSS, which leads to execution when the e-mail is viewed. The JavaScript must be Unicode encoded in order to fool the filter; this encoding is recognized by IE >= 6.
References:
Reported: 22 March 2006; Occurred: 16 March 2006
Classifications:
A musical instrument and sound gear Web site that advertises its relationship with artists such as Dave Matthews, Carlos Santana and Mary J. Blige was breached and notified some customers that their credit card information may have been stolen.
References:
Reported: 22 March 2006; Occurred: 13 February 2006
Classifications:
The site of a minor league baseball team was hacked and personal details of fans were stolen.
References:
Reported: 05 March 2006; Occurred: 02 March 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
A 14-year-old claims to have discovered an XSS flaw in Google's Gmail. Comments have been mixed, and Google did not comment, so either the flaw was fixed pretty fast, or it did not exist.
References:
Reported: 05 March 2006; Occurred: 25 February 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Links sent to a user as part of the mail content are not properly sanitized, so a user receiving such mail and activating a link would be affected.
References:
Reported: 05 March 2006; Occurred: 22 February 2006
Classifications:
- Attack Method: Redirection
- Outcome: Disclosure Only
Google Reader allows redirection, so sites can fool users into subscribing to malicious content.
References:
Reported: 05 March 2006; Occurred: 02 March 2006
Classifications:
- Attack Method: SQL Injection
A mass defacement of a Philippine hosting service was carried out using SQL injection. It accidentally also defaced the site of the National Union of Journalists of the Philippines, which led some to believe that it was a targeted political attack.
References:
Reported: 03 March 2006; Occurred: 28 February 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
Unlike other XSS cases, this one was discovered due to actual abuse on a specific auction at eBay.
References:
- Ebay XSS
Mailing List Post, Full Disclosure, 28 February 2006
Reported: 28 February 2006; Occurred: 21 November 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
XSS in the Google Base search function.
References:
Reported: 28 February 2006; Occurred: 23 November 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Inserting code in an HTML attachment enables changing the user interface of Yahoo Mail, which may enable fraud.
References:
Reported: 28 February 2006; Occurred: 24 December 2005
Classifications:
- Attack Method: Credential/Session Prediction
- Attack Method: Insufficient Authentication
- Outcome: Disclosure Only
Janus mutual fund uses a predictable identifier to authenticate its shareholders, enabling them to vote on behalf of others.
References:
Reported: 28 February 2006; Occurred: 18 December 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
A malicious site can offer users a malformed RSS XML file to be included in Yahoo's RSS aggregation, which would enable stealing Yahoo cookies.
References:
Reported: 28 February 2006; Occurred: 05 December 2005
Classifications:
- Attack Method: Abuse of Functionality
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
An XSS occurs when receiving notification of an incoming IM message. Additionally, it is possible to send an IM message to somebody who has blocked such messages by pretending to be answering a message from him.
References:
Reported: 28 February 2006; Occurred: 21 December 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
A redirection to an error page on Google.com includes values sent by the user. This vulnerability allows phishers to send an e-mail with links to Google that will include their attack page.
References:
- XSS vulnerabilities in Google.com
Advisory, Watchfire, 21 December 2005
- Google Cross-Site Scripting Flaw Fixed
News Story, Beta News, 21 December 2005
- Google plugs 'obscure' phishing holes
News Story, CNet, 21 December 2005
- Google XSS Example
Blog Entry, Chris Shiflett, 21 December 2005
- Google's XSS Vulnerability
Blog Entry, Chris Shiflett, 21 December 2005
Reported: 28 February 2006; Occurred: 22 December 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
An attacker can send an e-mail with a malicious script to a victim, which performs its actions immediately when the e-mail is read.
References:
Reported: 26 February 2006; Occurred: 09 December 2005
Classifications:
A UK church charity web site was hacked and at least 3000 credit card numbers were stolen. The credit card information is known to have been used by the hackers. While no specific details are given, the article indicates the way the site was hacked.
References:
Reported: 26 February 2006; Occurred: 01 November 2005
Classifications:
- Attack Method: SQL Injection
A high school student used SQL injection to break into the site of a Taiwanese information security magazine from the TechTarget group and steal customers' information.
References:
Reported: 26 February 2006; Occurred: 17 January 2006
Classifications:
- Attack Method: Insufficient Anti-automation
A hoster was broken into by brute-forcing passwords in a management interface. The sites of many clients, including three municipalities, were defaced.
References:
Reported: 26 February 2006; Occurred: 13 January 2006
Classifications:
- Attack Method: SQL Injection
Russian hackers broke into a Rhode Island government Web site and allegedly stole credit card data from individuals who have done business online with state agencies. The hackers claimed to have stolen 53,000 credit card numbers, while the hosting service provider claims the number was just 4113.
The technical reference site is in Russian; you can use Applied Language Solutions for an online translation.
References:
Reported: 26 February 2006; Occurred: 02 January 2006
Classifications:
- Attack Method: HTTP Response Splitting
- Outcome: Disclosure Only
References:
Reported: 26 February 2006; Occurred: 21 December 2005
Classifications:
User data was stolen from an online game web site. The hacker tried to extort RPG by threatening to publish the users' data. The news item states that the hack was the result of a flaw in custom web site software.
References:
Reported: 26 February 2006; Occurred: 27 December 2005
Classifications:
- Attack Method: Unknown
- Outcome: Disclosure Only
A web site used to file online for housing at KU was shut down for lack of proper security measures to prevent visitors from viewing personal information about others.
References:
Reported: 26 February 2006; Occurred: 01 October 2003
Classifications:
A person was convicted of blackmailing Best Buy. He threatened to expose a breach in the company's web site if not paid $2.5 million.
References:
Reported: 26 February 2006; Occurred: 01 July 2005
Classifications:
- Attack Method: Known Vulnerability
- Outcome: Disclosure Only
An audit of a major Environmental Protection Agency contract management system uncovered significant security lapses that, if exploited by hackers, could have serious consequences for the agency's operations, assets and personnel. The audit focused on lack of monitoring for known vulnerabilities on these systems.
References:
Reported: 26 February 2006; Occurred: 13 January 2006
Classifications:
- Attack Method: Insufficient Authorization
- Attack Method: Predictable Resource Location
- Outcome: Disclosure Only
Documents uploaded to a GSA site were accessed using a predictable sequential identifier, without requiring special permissions. The documents were available both for viewing and modifying. The site was in service for more than 18 months before the vulnerability was discovered.
References:
Reported: 26 February 2006; Occurred: 14 December 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Netcraft discovered an XSS vulnerability in the NIST web site, which ironically hosts the U.S. National Vulnerability Database.
References:
Reported: 10 November 2005; Occurred: 21 October 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
XSS in Yahoo Mail that allows phishing.
References:
Reported: 10 November 2005; Occurred: 21 October 2005
Classifications:
- Attack Method: Insufficient Authentication
- Outcome: Disclosure Only
The software has a default password for teachers, enabling anyone to access the system with teacher privileges.
References:
Reported: 10 November 2005; Occurred: 10 October 2005
Classifications:
- Attack Method: Other
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
References:
Reported: 10 November 2005; Occurred: 07 November 2005
Classifications:
- Attack Method: Insufficient Authorization
- Outcome: Disclosure Only
References:
Reported: 08 November 2005; Occurred: 25 May 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
References:
Reported: 08 November 2005; Occurred: 06 December 2004
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Attack Method: Content Spoofing
Phishing based on XSS (the same vulnerability, but a different attack than the similar September 2004 attack).
References:
Reported: 08 November 2005; Occurred: 04 October 2005
Classifications:
- Attack Method: OS Commanding
An unpatched TWiki installation was exploited.
References:
Reported: 08 November 2005; Occurred: 10 March 2005
Classifications:
- Attack Method: Insufficient Authorization
References:
Reported: 08 November 2005; Occurred: 04 October 2005
Classifications:
Script upload due to a known vulnerability in Scoop.
References:
Reported: 08 November 2005; Occurred: 10 April 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Worm
The Samy worm at MySpace is now a classic: both a sophisticated attack and a well-documented one, it became a case study in the web application security field. Recently Robert Hansen (RSnake) wrote a very interesting blog entry about Samy and what has happened to him since.
References:
- My Lunch With Samy
Blog Entry, ha.ckers, 10 March 2007
- MySpace XSS worm writer notes
Hacker Notes, bindshell, 10 April 2005
- MySpace XSS worm source
Technical Description, bindshell, 10 April 2005
- MySpace XSS virus development
Technical Description, bindshell, 10 April 2005
- Cross-Site Scripting Worm Hits MySpace
News Story, Beta News, 10 April 2005
Reported: 08 November 2005; Occurred: 02 November 2005
Classifications:
- Attack Method: Insufficient Authorization
Business Wire allowed access to unpublished press releases.
References:
Reported: 08 November 2005; Occurred: 28 October 2005
Classifications:
- Attack Method: Other
- Attack Method: Insufficient Authorization
A configuration mistake left an unused virtual host unprotected. No details on the configuration problem are given.
References:
Reported: 12 September 2005; Occurred: 08 September 2005
Classifications:
- Attack Method: Unknown
- Attack Method: Denial of Service
A teen was convicted of threatening an ISP with a DoS attack, among other computer hacking activities.
References:
Reported: 12 September 2005; Occurred: 07 September 2005
Classifications:
A 12-year-old guessed a woman's login information and abused her account, stealing game items from her.
References:
Reported: 04 September 2005; Occurred: 29 August 2005
Classifications:
- Attack Method: Abuse of Functionality
A player of an online game discovered that a considerable delay hinted at the cards the dealer holds.
References:
Reported: 23 August 2005; Occurred: 21 August 2005
Classifications:
- Attack Method: OS Commanding
Sites were defaced by exploiting an issue in an XML-RPC library used by PHP.
References:
Reported: 22 August 2005; Occurred: 18 August 2005
Classifications:
- Attack Method: Insufficient Authentication
References:
Reported: 22 August 2005; Occurred: 12 August 2005
Classifications:
- Attack Method: Insufficient Authentication
- Attack Method: Credential/Session Prediction
- Outcome: Disclosure Only
A web site flaw could have allowed a user to view another subscriber's balance of remaining airtime minutes and the number of minutes that customer had used in the current billing cycle.
References:
Reported: 08 August 2005; Occurred: 03 August 2005
Classifications:
- Attack Method: Weak Password Recovery Validation
- Outcome: Disclosure Only
Weak password recovery procedure at Citrix.
References:
Reported: 08 August 2005; Occurred: 29 July 2005
Classifications:
A bug in an eBay site allowed phishers to redirect users to their own servers after the users had filled in their details at the genuine eBay site.
References:
Reported: 04 August 2005; Occurred: 01 August 2005
Classifications:
References:
Reported: 04 August 2005; Occurred: 31 July 2005
Classifications:
Official answer from Blogger: "This was not the result of a hack attempt but of a subtle bug that occurred because our Developer's Network blog is a special case [it's got two names, 'code.blogger.com' and 'code.blogspot.com']."
References:
Reported: 04 August 2005; Occurred: 02 February 2004
Classifications:
- Attack Method: Credential/Session Prediction
- Outcome: Disclosure Only
References:
Reported: 04 August 2005; Occurred: 26 January 2004
Classifications:
- Attack Method: Insufficient Authorization
- Outcome: Disclosure Only
References:
Reported: 04 August 2005; Occurred: 26 January 2004
Classifications:
- Attack Method: Credential/Session Prediction
- Outcome: Disclosure Only
References:
Reported: 04 August 2005; Occurred: 02 February 2004
Classifications:
- Attack Method: Insufficient Authorization
- Outcome: Disclosure Only
References:
Reported: 04 August 2005; Occurred: 02 February 2004
Classifications:
- Attack Method: Insufficient Authorization
- Outcome: Disclosure Only
References:
Reported: 04 August 2005; Occurred: 02 February 2004
Classifications:
- Attack Method: SQL Injection
- Outcome: Disclosure Only
References:
Reported: 04 August 2005; Occurred: 06 September 2001
Classifications:
- Attack Method: Credential/Session Prediction
- Outcome: Disclosure Only
References:
Reported: 04 August 2005; Occurred: 02 February 2004
Classifications:
- Attack Method: Insufficient Authorization
- Outcome: Disclosure Only
References:
Reported: 31 July 2005; Occurred: 26 July 2005
Classifications:
A man hacked into a competing web site.
References:
Reported: 31 July 2005; Occurred: 30 July 2005
Classifications:
- Attack Method: Insufficient Authentication
- Attack Method: Credential/Session Prediction
- Outcome: Disclosure Only
While not strictly web security, this discussion of hotel room TV application security is a very good example of the dangers of our networked society.
References:
Reported: 31 July 2005; Occurred: 28 July 2005
Classifications:
- Attack Method: Path Traversal
- Outcome: Disclosure Only
References:
Reported: 15 July 2005; Occurred: 15 July 2005
Classifications:
References:
- Firefox marketing site hacked
News Story, Zdnet, 15 July 2005
- Firefox marketing site hacked
News Story, C-Net, 15 July 2005
- Promotional firefox community site hacked
News Story, ars technica, 15 July 2005
- SpreadFirefox Site Hacked, Data Leaked
News Story, eWeek, 15 July 2005
- Spread Firefox Downtime
Official Response, Spread Firefox, 15 July 2005
- Mozilla marketing site hacked
News Story, Network World, 15 July 2005
Reported: 11 July 2005; Occurred: 14 January 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
An XSS was found in Froogle.
References:
Reported: 11 July 2005; Occurred: 12 January 2005
Classifications:
- Attack Method: Unknown
- Outcome: Disclosure Only
Parameter tampering enabled exposing sensitive information in Gmail.
References:
Reported: 11 July 2005; Occurred: 27 October 2004
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
An XSS was found in Gmail.
References:
Reported: 11 July 2005; Occurred: 27 December 2004
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
An XSS was found in Lycos Web Mail.
References:
Reported: 11 July 2005; Occurred: 22 February 2005
Classifications:
- Attack Method: OS Commanding
- Attack Method: Weak Password Recovery Validation
- Attack Method: Insufficient Authentication
Details remain sketchy, but news reports mention social engineering, a guessable secret question for password recovery, and a known vulnerability in BEA WebLogic.
References:
Reported: 11 July 2005; Occurred: 06 July 2005
Classifications:
Microsoft UK site defaced due to server misconfiguration.
References:
Reported: 11 July 2005; Occurred: 21 September 2002
Classifications:
- Attack Method: Insufficient Authorization
- Attack Method: Predictable Resource Location
References:
Reported: 11 July 2005; Occurred: 07 July 2005
Classifications:
- Attack Method: SQL Injection
The hacker who penetrated Kakaku.com was arrested after breaking into Club Tourism International Inc. The hacking was done in order to earn money to pay for tuition.
References:
Reported: 08 April 2005; Occurred: 08 March 2005
Classifications:
- Attack Method: Unknown
- Outcome: Disclosure Only
An undisclosed application security issue on Cisco web site required resetting passwords for all registered users.
References:
- Cisco.com passwords reset after Web site exposure
News Story, Computer World, 08 March 2005
- Cisco Web Site Breached by Hackers
News Story, Beta News, 08 March 2005
- Cisco warns customers of site breach
News Story, Cnet, 08 March 2005
- Cisco Connection Online Compromised?
Mirror of Victim's Response, TaoSecurity Blog, 08 March 2005
- Cisco Web Portal Password Security Compromised
News Story, eWeek, 08 March 2005
Reported: Occurred: 27 June 2005
Classifications:
- Attack Method: Credential/Session Prediction
- Outcome: Disclosure Only
References:
Reported: Occurred: 05 December 2003
Classifications:
- Attack Method: SQL Injection
- Outcome: Disclosure Only
References:
Reported: Occurred: 28 September 2004
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Country: USA
- Outcome: Phishing
- Vertical: Finance
Phishing based on XSS.
References:
Reported: Occurred: 01 February 2005
Classifications:
- Attack Method: Directory Indexing
- Attack Method: Insufficient Authentication
- Outcome: Leakage of Information
Multiple misconfiguration problems, such as browsable directories, physical path disclosure, and default or weak passwords.
References:
Reported: Occurred: 04 March 2004
Classifications:
- Attack Method: Insufficient Authorization
Previously moderated weather announcements could be changed by the user.
References:
Reported: Occurred: 31 December 2003
Classifications:
- Attack Method: SQL Injection
- Attack Method: Cross Site Scripting (XSS)
References:
Reported: Occurred: 23 February 2005
Classifications:
- Attack Method: Credential/Session Prediction
- Outcome: Disclosure Only
Parameter tampering enabled jumping into someone else's account data on the PayMaxx Inc. site.
References:
Reported: Occurred: 05 May 2005
Classifications:
- Attack Method: Insufficient Authentication
- Outcome: Disclosure Only
Extranet system accessible to the public.
References:
Reported: Occurred: 05 December 2002
Classifications:
- Attack Method: Credential/Session Prediction
View other customers' orders by changing a guessable number within a URL parameter.
References:
Reported: Occurred: 04 June 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
References:
- Microsoft fixes Hotmail hack
News Story, VUnet, 09 June 2005
- Hotmail users exposed to cookie snaffling exploit
News Story, The Register, 08 June 2005
- MSN Site Flaw Exposes Hotmail Accounts to Prying Eyes
News Story, PC Magazine, 07 June 2005
- MSN flaw put Hotmail accounts at risk
News Story, CNet, 06 June 2005
- Hacking hotmail, by Alex de Vries
Technical Information, Personal Web Page, 04 June 2005
Reported: Occurred: 14 June 2004
Classifications:
- Attack Method: Insufficient Authentication
- Attack Method: Insufficient Authorization
- Outcome: Disclosure Only
A billing information system required only a phone number and zip code to pull up account details.
References:
Reported: Occurred: 05 July 2005
Classifications:
- Attack Method: SQL Injection
- Attack Method: OS Commanding
- Attack Method: Insufficient Authorization
- Outcome: Disclosure Only
A person who discovered an SQL injection vulnerability in a USC system and informed SecurityFocus about the flaw was criminally charged with breaking into the system.
References:
Reported: Occurred: 21 August 2001
Classifications:
- Attack Method: Cross Site Scripting (XSS)
Users who visited the Price Lotto site using Microsoft's Internet Explorer (IE) 4.x and 5.x automatically downloaded malicious JavaScript that was programmed to alter the software configuration of their PCs.
References:
Reported: Occurred: 15 December 2000
Classifications:
- Attack Method: OS Commanding
Executing local commands using URL parameters.
References:
Reported: Occurred: 10 September 2000
Classifications:
- Attack Method: Misconfiguration
- Attack Method: Failure to Restrict URL Access
- Country: USA
Sensitive files were left in a publicly accessible directory during a maintenance window.
References:
Reported: Occurred: 29 July 2005
Classifications:
References:
Reported: Occurred: 29 November 2002
Classifications:
A company put its earnings report on its site before the official release, but did not link to it. Reuters found the document and published it.
References:
Reported: Occurred: 16 February 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
An Israeli public debates site called Hyde Park has an XSS vulnerability that exposes session cookies.
References:
Reported: Occurred: 27 May 2005
Classifications:
- Attack Method: Insufficient Authorization
- Outcome: Disclosure Only
Files containing sensitive information were left unprotected on the web server.
References:
Reported: Occurred: 25 September 2003
Classifications:
- Attack Method: Predictable Resource Location
- Outcome: Leakage of Information
User-submitted information was being stored in a publicly available location. The URL was found in the source code of a publicly available web page.
References:
Reported: Occurred: 06 September 2000
Classifications:
- Attack Method: Abuse of Functionality
- Country: USA
- Outcome: Leakage of Information
E-mail addresses of other customers were displayed by mistake; no hacking was required.
References:
Reported: Occurred: 13 September 2000
Classifications:
- Attack Method: Credential/Session Prediction
- Outcome: Leakage of Information
View other customers' orders by changing a sequential number within a URL parameter.
References:
Reported: Occurred: 22 January 2001
Classifications:
- Attack Method: Predictable Resource Location
- Outcome: Disclosure Only
Sensitive files were left in a publicly accessible directory of a new web server install.
References:
Reported: Occurred: 18 June 2001
Classifications:
- Attack Method: Credential/Session Prediction
- Outcome: Disclosure Only
View other orders by changing a sequential parameter number. Security was provided only by client-side JavaScript.
References:
Reported: Occurred: 03 August 2001
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Persistent XSS via HTML injection inside an HTML e-mail message sent to Hotmail.
References:
Reported: Occurred: 05 November 2001
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
References:
Reported: Occurred: 09 July 2002
Classifications:
- Attack Method: Credential/Session Prediction
- Outcome: Disclosure Only
Opening an account with a discontinued e-mail address exposes all the information of the discontinued account.
References:
Reported: Occurred: 13 February 2003
Classifications:
- Attack Method: Credential/Session Prediction
- Outcome: Disclosure Only
View other customers' information by modifying a cookie.
References:
Reported: Occurred: 21 December 2004
Classifications:
- Attack Method: OS Commanding
A worm used Google to locate sites vulnerable to OS commanding.
References:
Reported: Occurred: 18 June 2003
Classifications:
- Attack Method: SQL Injection
- Outcome: Disclosure Only
References:
Reported: Occurred: 30 June 2004
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Attack Method: SQL Injection
- Outcome: Disclosure Only
References:
Reported: Occurred: 24 October 2003
Classifications:
- Attack Method: Insufficient Authorization
- Outcome: Disclosure Only
View other customers' orders by changing a sequential number within a URL parameter.
References:
Reported: Occurred: 05 June 2005
Classifications:
References:
Reported: Occurred: 03 June 2005
Classifications:
The web site was modified to include password-stealing code.
References:
Reported: Occurred: 18 May 2005
Classifications:
- Attack Method: SQL Injection
References:
Reported: Occurred: 02 March 2005
Classifications:
- Attack Method: Credential/Session Prediction
Parameter tampering to jump into someone else's account data.
References: