Hackers use blind SQL injection attack to crack Oracle-Sun, MySQL.com

News

Hackers use blind SQL injection attack to crack Oracle-Sun, MySQL.com

Ryan Cloutier, Contributor

Two hackers going by the names TinKode and Ne0h managed to gain access to sensitive information on MySQL.com, the website for the popular open source database.

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

Auditing your websites for SQL injection is an essential practice, as well as using secure passwords.

Chester Wisniewski,
senior security advisor, Sophos blog, Naked Security

The hackers used a blind SQL injection attack to hack into the website and disclosed details of the breach on The Full Disclosure Mailing List. The two hackers said they breached various databases discovering the password hashes for various usernames associated with the website.

Oracle Corp., which acquired Sun Microsystems in 2009 and included the newly acquired MySQL database division, has not acknowledged the breach. Website vulnerabilities that can be used in a SQL injection attack are common on websites. The vulnerabilities enable attackers to perform a database query to request some action to be performed on a database. If the database returns an error, savvy hackers can use the information to gain wider access to the server containing the underlying website data.

In the data shared by the hackers, some of the password hashes were cracked to reveal complete login details for accounts associated with mySQL.com, including the WordPress account login details for Robin Schumacher, the former director of product management, and Kaj Arnö, former vice president of community relations.

Some of the passwords revealed simple phrases. Schumacher set his password as a simple 4-digit number—with three repeating digits. The hackers also posted several other database tables without the password hashes.

Information relating to Sun.com was also posted. The data consists of a series of columns, tables and databases derived from an SQL injection into Sun's websites. This dump is seemingly devoid of passwords, but it does reveal several company email addresses.

While embarrassing, the flaw is not in the MySQL database management system software, but rather is a website coding vulnerability, said Chester Wisniewski, a senior security advisor, writing in the Sophos blog, Naked Security. Wisniewski said the MySQL website is also subject to ancross-site scripting (XSS) vulnerability that was announced in January 2011 and has yet to be remedied. "Auditing your websites for SQL injection is an essential practice, as well as using secure passwords," Wisniewski wrote. "Either can lead you down a road that ends in tears."