Current Event: Telegraph website hacked

By vkirst at 2:20 pm on March 13, 2009 | 1 Comment

The Telegraph, a well-known UK daily newspaper, was hacked by a Romanian hacking group last week. The group found a weakness in the way the website queried its database for property searches and, via a SQL injection attack, was able to obtain around 700,000 subscriber email addresses and passwords, which were stored in plaintext. The Telegraph took the site down, is rewriting the code to fix the problem, and is telling subscribers to change their passwords both on that site and on any other site where they used the same one.

It is not known exactly which SQL injection string was used to reach the table of user emails and passwords, but SQL injection is not a difficult attack to defend against. Given that the email addresses and passwords were stored in plaintext, and given the well-known methods for protecting code from SQL injection, it is likely this attack was only possible because the site's developers did not think much about security risks when designing the website.

There are several obvious things the programmers could have done to protect themselves from this attack. For one, it is clear that they did not handle user input safely. It is not clear exactly how vulnerable the search was, whether the input was spliced into the query completely raw or whether a filter simply failed to catch every dangerous character, but either way the correct fix is not a better blacklist: it is to keep the query text fixed and pass user-supplied values as bound parameters (prepared statements), so the database never interprets the search term as SQL. They could also have run the search with a database account holding the least privileges possible. A user searching a database of properties has no need for access to the table of passwords and email addresses, and an account granted SELECT only on the property tables cannot be used to read them even through an injection. Finally, they should not have stored credentials in plaintext: passwords should be stored as a salted, slow hash (not reversibly encrypted, since a server that can decrypt them can be made to do so for the attacker), and the email addresses could be encrypted at rest. Hashing and encryption do not solve every problem, but they are good practice anyway and are part of the system's defense in depth: an attacker who does get past the first two layers walks away with far less.
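The three mitigations above, as an added example rather than code from the original post or from The Telegraph's site. It uses an in-memory SQLite database with constructed sample tables (the `properties` and `subscribers` tables, their rows and the `UNION` payload are all assumptions, not anything recovered from the real attack): a string-built search that leaks the subscriber table, the same search with a bound parameter, a stand-in for a least-privilege database account (SQLite has no user accounts, so an authorizer callback plays that role), and salted PBKDF2 password storage.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data (assumption, not the Telegraph's schema): the table
# the public search is meant to query, and the table it must never reach.
SAMPLE_PROPERTIES = [
    ("Flat in Bristol", "Bristol", 250000),
    ("House in Leeds", "Leeds", 320000),
]
SAMPLE_SUBSCRIBERS = [
    ("alice@example.com", "letmein"),
    ("bob@example.com", "hunter2"),
]

# Hypothetical attacker input: closes the string literal, UNIONs in two
# columns from the subscriber table, and comments out the trailing quote.
UNION_PAYLOAD = "' UNION SELECT email, password FROM subscribers --"


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE properties (title TEXT, town TEXT, price INTEGER)")
    conn.execute("CREATE TABLE subscribers (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO properties VALUES (?, ?, ?)", SAMPLE_PROPERTIES)
    conn.executemany("INSERT INTO subscribers VALUES (?, ?)", SAMPLE_SUBSCRIBERS)
    return conn


def search_vulnerable(conn, town):
    # The bug: user input is spliced straight into the SQL text, so a quote
    # in the input ends the literal and the rest is parsed as SQL.
    sql = f"SELECT title, town FROM properties WHERE town = '{town}'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, town):
    # The fix: the query text is constant; the value is bound separately and
    # is only ever compared against the column, never parsed.
    sql = "SELECT title, town FROM properties WHERE town = ?"
    return conn.execute(sql, (town,)).fetchall()


def restrict_search_connection(conn):
    # Least-privilege stand-in: on a real server the search code would use an
    # account GRANTed SELECT only on properties. SQLite has no accounts, so an
    # authorizer denies any read of the subscribers table on this connection.
    def authorizer(action, table, column, db_name, trigger):
        if action == sqlite3.SQLITE_READ and table == "subscribers":
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)
    return conn


def hash_password(password, salt=None, iterations=310_000):
    # Store a salted, deliberately slow hash instead of the password itself;
    # a leaked table then costs the attacker a guessing campaign per entry.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo():
    # Runs the payload through each variant and reports what each one yields.
    leaked = search_vulnerable(build_db(), UNION_PAYLOAD)
    safe = search_parameterized(build_db(), UNION_PAYLOAD)
    try:
        search_vulnerable(restrict_search_connection(build_db()), UNION_PAYLOAD)
        blocked = False
    except sqlite3.DatabaseError:  # "not authorized": the injection still
        blocked = True             # runs, but cannot read the other table
    return {"leaked": leaked, "safe": safe, "blocked_by_privilege": blocked}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the vulnerable search returning the subscriber rows for the injected town, the parameterized search returning nothing for the same input, and the restricted connection refusing the injected query outright. Note that the parameterized version also handles a legitimate apostrophe in a town name correctly, which a character blacklist cannot do without rejecting real searches.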

This event brings to light several interesting issues. For one, the group who found the bug is a “self-confessed ethical hacker group” called Hackersblog. When they found the bug, they reported it on their blog instead of disclosing it privately to The Telegraph, because they believe that everyone (clients included) has the right to know about security vulnerabilities. This raises ethical questions, however: no piece of code is perfect, so it is highly likely that any site has security holes somewhere. Does Hackersblog have the right to reveal this information to the public? And is it even a good idea to have a group of “ethical” hackers? (About the group and statement on philosophy)

It is also important to realize how dangerous a leak like this is. Even though getting access to the emails and passwords for newspaper subscriptions does not seem like a very important issue, one must keep in mind that most users have the same password for everything. The article cites that 61% of people use the same password for a variety of websites, so a password leak anywhere can lead to disastrous problems.

Obviously The Telegraph should fix these bugs, but it should also think about how to incorporate more secure practices into all parts of their system. Had they been designing their system with a security mindset all along, it is unlikely such an attack would be possible.

Filed under: Current Events, Ethics, Privacy

1 Comment


    Comment by Claudel

    March 13, 2009 @ 3:36 pm

    Dude, don’t even start talking about “wow, someone hacked into that”, when *.washington.edu from 2003-2007 had almost 70% of their computers compromised, and you know what? I alone have sent more than 200 reports to its staff, from webmaster/sysadmin to any IT person I found on that website, and guess what? All I got was an automated response with a ticket, and that’s about it.
