Imperva has now analyzed the hack in its latest Hacker Intelligence Initiative report, Lessons Learned From the Yahoo! Hack, published today, and demonstrates how easy SQL injection attacks can be. It even points to Havij, the free Iranian automated SQL injection tool that supports such attacks, and explains how ViruS_HimA's SQL injection attack was probably carried out. The value of the report, however, is not in explaining the mechanics of SQL injection, which is already well known to be one of the most commonly exploited attack methods, but in analyzing this particular hack with a view to preventing similar attacks in future.
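The report's point that SQL injection is easy is worth seeing in code. The example below is added here and is not code from the Imperva report, from Yahoo! or from the attacked application; it builds a constructed in-memory SQLite user table and shows a string-concatenated login query of the kind found in countless third-party web applications beside its parameterized counterpart. The table, the user names and the two payloads are all assumptions for illustration. The UNION payload is the type of data extraction that Havij automates.

```python
import sqlite3

# Constructed sample data; nothing here comes from the actual breach.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def build_db():
    """Create an in-memory SQLite database with a toy users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login check built by string concatenation: user input becomes SQL syntax."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same check with bound parameters: input is data, never SQL syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def lookup_vulnerable(conn, username):
    """Profile lookup by concatenation; vulnerable to UNION-based extraction."""
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return [r[0] for r in conn.execute(sql).fetchall()]


def lookup_parameterized(conn, username):
    """Profile lookup with a bound parameter; the payload matches no row."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchall()
    return [r[0] for r in rows]


# Assumed attacker inputs. The first turns the WHERE clause into a tautology and
# comments out the password check; the second appends a UNION that returns every
# username and password in the table through the profile lookup.
BYPASS_PAYLOAD = "' OR '1'='1' --"
DUMP_PAYLOAD = "x' UNION SELECT username || ':' || password FROM users --"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable login with bypass payload:",
          login_vulnerable(db, BYPASS_PAYLOAD, "wrong-password"))
    print("parameterized login with bypass payload:",
          login_parameterized(db, BYPASS_PAYLOAD, "wrong-password"))
    print("vulnerable lookup with UNION payload:",
          lookup_vulnerable(db, DUMP_PAYLOAD))
    print("parameterized lookup with UNION payload:",
          lookup_parameterized(db, DUMP_PAYLOAD))
```

The parameterized functions accept exactly the same legitimate inputs as the vulnerable ones, which is why binding parameters rather than filtering characters is the fix to ask a supplier for; a WAF signature for `' OR '1'='1` would catch the first payload but not the many encodings and variants a tool like Havij tries automatically.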
The problem in this instance was not, in fact, Yahoo's own code; it lay in third-party software provided to and used by Yahoo. “The vulnerable application,” explains Imperva, “was probably not coded by the Yahoo! team, and not even hosted on Yahoo!’s server farm. This left Yahoo! with full responsibility for securing the application on one hand, and a very limited capability to actually control the code, on the other hand.” It is a growing problem. According to PricewaterhouseCoopers’ 2012 Global State of Information Security Survey, 23.6% of respondents said that cloud computing has increased vulnerabilities, and the largest perceived risk is the uncertain ability to enforce provider security policies.
Since the buyer has no direct control over the code but is liable for the effect of any failures, Imperva suggests that business “executives should always assume third-party code – coming from partners, vendors, mergers and acquisitions – contains serious vulnerabilities,” and act accordingly. Largely, this means more rigorous contractual terms with the supplier on what is and is not acceptable. The buyer should also conduct penetration tests and vulnerability assessments against the application. Even here, Imperva’s Tal Be'ery warned Infosecurity that such tests are only a snapshot in time: they reveal what was discoverable when they were run, not vulnerabilities that are introduced or discovered afterwards, so the application must also be deployed behind a web application firewall.
“The weak link in the Yahoo! attack was not programmed by Yahoo! developers, nor was it even hosted on the Yahoo! servers, and yet the company found itself breached as a result of third-party code,” said Amichai Shulman, CTO at Imperva. “The challenge presented by the Yahoo! breach is that Web-facing businesses should take responsibility to secure third-party code and cloud-based applications.”
But there is another lesson that could be taken from the incident. A month before the Yahoo incident, ViruS_HimA had also hacked and forced the temporary closure of Adobe’s ConnectUsers.com. He claimed to have found many vulnerabilities in many different websites, and to have always told the companies concerned. “Google was great in fast reply and patch release,” he said. “Same goes with some others. But for Adobe and Yahoo, they were so slow in reply and fix. You know what? Yahoo never replied to my message!”
Tal Be'ery suggested that ViruS_HimA’s primary motivation for the hacks might be recognition rather than financial gain. It is noticeable, however, that of the three named companies, only Google has an active bug bounty program. “There is little doubt,” Be'ery told Infosecurity, “that any company with a bug bounty program is likely to be more secure.”