Imperva reports major social networking hub site compromised

According to Amichai Shulman, Imperva's CTO, Rockyou.com is not just any software site. Since its creation in 2006, it's become the hub for many social networking sites such as Bebo, Facebook and Myspace, to mention but a few.

"The bad news is that the SQL injection flaw could have allowed hackers to access the 32 million entries of user names plus passwords in the Rockyou.com database - and since the user names and passwords are by default the same as the users webmail account - such as Hotmail, Yahoo or Gmail - this is a major lapse in security", he said.

"The vast majority of subscribers to Rockyou.com are using the same credentials on the site as their regular Web email service", he added.

"The users are young and security is not top of mind, but nonetheless companies need to keep them protected and ensure their details are safe. With the popularity of web 2.0 tools, companies may focus more on becoming successful quickly at the expense of security."

Imperva claimed that an attacker can use the social networking credentials obtained through the SQL injection flaw to perform any of the following actions:

  • Extract private information from the inbox: credit card numbers, confidential business information, passwords to another application such as a bank application, embarrassing pictures, etc.
  • Identity theft - the attacker can send mail to the victim's entire contact list on behalf of the victim.
  • Harvest the contacts info for spam - if each account has 10 unique contacts then the spammer will have 300 million addresses to spam.
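As an added illustration (not code from Imperva or Rockyou.com; the table, user names and passwords below are constructed), here is the pattern that underlies a SQL injection flaw of the kind described above, shown beside its parameterized fix, with passwords stored as salted PBKDF2 hashes so that a dump of the table does not hand over credentials that can be reused against the users' webmail accounts:

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for the demo; not real data.
SAMPLE_USERS = [("alice", "correct horse"), ("o'brien", "hunter2")]
SALT_LEN = 16
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256 digest. A leaked column of these
    values is not a reusable credential, unlike a plaintext password."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def build_db() -> sqlite3.Connection:
    """In-memory user table populated with hashed passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw BLOB)")
    for name, pw in SAMPLE_USERS:
        conn.execute("INSERT INTO users VALUES (?, ?)", (name, hash_password(pw)))
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str):
    # The defect behind an injection flaw: untrusted input is pasted into the
    # SQL text, so the input can change the statement rather than just a value.
    sql = "SELECT pw FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchone()


def lookup_safe(conn: sqlite3.Connection, name: str):
    # Parameterized query: the value travels separately from the SQL text and
    # can never be interpreted as part of the statement.
    return conn.execute("SELECT pw FROM users WHERE name = ?", (name,)).fetchone()


def login(conn: sqlite3.Connection, name: str, password: str) -> bool:
    row = lookup_safe(conn, name)
    return row is not None and verify_password(password, row[0])


def vulnerable_query_breaks(conn: sqlite3.Connection, name: str) -> bool:
    """True when the concatenated query fails to parse for this input: a
    quote in ordinary data already alters the SQL, which is the tell-tale
    sign a code review or a test suite should catch."""
    try:
        lookup_vulnerable(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = build_db()
    print("alice login:", login(db, "alice", "correct horse"))
    print("o'brien via safe lookup:", lookup_safe(db, "o'brien") is not None)
    print("o'brien breaks vulnerable query:", vulnerable_query_breaks(db, "o'brien"))
```

The name `o'brien` is ordinary data, yet it already breaks the concatenated query while the parameterized one handles it; that difference, not any particular payload, is what a review should look for. The hashing half addresses the second point in the article: if the stored values are salted hashes rather than plaintext, a dumped table cannot be replayed directly against Hotmail, Yahoo or Gmail, even when users have reused the same password.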

"While individual users are urged to show prudence when surfing the web and especially providing account credentials to applications, it is the responsibility of application owners to protect the information trusted to them by users", said Shulman.

"Web development in general can be rushed in order to get a service to market quicker. However, by rushing the time to deploy, companies may tend to overlook security", he added.

Shulman went on to say that Imperva has notified the social networking site operators of the security problem, who reacted quickly and fixed the issue over the weekend.

Unfortunately, he said, some social networking accounts had already been compromised before the SQL injection vulnerability was fixed.

"All users need to be cautious and ensure they change their email passwords as their credentials may have been put at risk", he added.
