RIAA website hacked

Date January 20, 2008

riaa When you are as disliked as the RIAA (or MPAA for that matter) by the tech community, you had better make sure your site is bulletproof as it’s going to have a huge target painted on it.  So, to hear that the RIAA website was hacked this weekend isn’t really a surprise (the image shows a previous time they were subtly defaced, and one that I’ve used a few times in presentations I’ve done).  What is a surprise however is that it’s a very simple SQL injection.

http://riaa.com/news_room.php?resultpage=9&news_year_filter=2007%20UNION%20ALL%20SELECT%20BENCHMARK(100000000,MD5(’asdf’)),NULL,NULL,NULL,NULL%20–

What this query does (the malicious data I’ve colored in red) is to force the back-end database server to perform a MD5 hash of “asdf” 100 million times.  This is obviously a very slow operation, and holds up the database from performing other operations, unless of course it times out depending on it’s settings.

Some commenters are claiming that the site was wiped, by modifying the malicious data to perform a DELETE or DROP operation on the database.  Although this is possible, I’m not 100% convinced - the original “hack” could very well have the same observable effects (no content on the site) because the connection times out and the front-end code just doesn’t have anything to display.

I’m always looking out for things to learn in these cases, and unfortunately it’s nothing that people in the webappsec world don’t already know.  Firstly, validation, validation, validation!  The news_year_filter parameter should only have been expecting a number (and one within a “reasonable” range), so if that was done correctly, it would have shut this attack vector.  Several other people have used the vector to show other vulnerabilities like XSS, so clearly there’s some sloppy programming going on there.  Second, is that any long-running operation on the server is an opening for attack.  In this case the operation that took the time wasn’t native and was injected into a query.  However, that needn’t necessarily be so, so identify operations, queries, pages, that take significant time and gage the security risk (e.g. do you have to be authenticated to get to them, GET vs POST, user interaction required, potential for “scripting”) and mitigation’s (e.g. is there a “time-out”, are results cached and reused).  Finally, it is doubly important that the privileges on the database are restricted - if, as best practices dictate, the RIAA website connection to the database was restricted to read-only, at least all their data would be preserved.

Perhaps the blame can’t be entirely put on the RIAA, as there’s some suggestions and good evidence that the vulnerability might have been part of the content management system they are using.  Although there’s nothing wrong with PHP/MySql - there are lots of sites (and projects) out there using these technologies and are secure - it seems a bit strange that such an organization would put so much faith in this “free” software (the CMS included, if indeed the observation is correct) when they are such a target.  It’s just too easy to shoot yourself in the foot.

I guess the first commenter on reddit said it best - “guess that’s the kind of thing you get when you hire more lawyers than programmers”. :D

Category Posted in Security

4 Responses to “RIAA website hacked”

  1. January 20th, 2008 at 11:46 pm

    RIAA website hacked | MySQL Security said:

    [...] more from the original source: RIAA website hacked exploit securityexploit securityRelated Posts Sql server hosting - Build Virtual Appliances: SQL [...]

  2. January 21st, 2008 at 3:46 pm

    RIAA website hacked said:

    [...] RIAA website hacked …have the same observable effects (no content on … an organization would put so much faith in this … such a target.  It’s just too easy [...]

  3. January 21st, 2008 at 7:12 pm

    worldplugin said:

    I feel most heavily web engaged business should be thanking their stars that no has really unloaded a truly destructive payload on them. I find so many unbelievable vulnerabilities from just a browser perspective it continues to astonish me. Until the SDL matures to include security at its core, this will continue to be a game of risk assessment where if the cost to make reparations from vulnerability exploitations is less than the cost to fix the core errors, they will never be fixed. Do you really think that $40 million made a dent in TJX? Not likely… Then I look at financial institution’s, you know the ones with assets in the trillions of dollars, what could you imagine their projected “shrink” would be? $1 billion… more? Someone is really going to have to hammer them in a big way to make the point clear. But hey… what do I know…..

  4. January 22nd, 2008 at 5:42 pm

    Ronald van den Heetkamp said:

    benchmarking only stalls the persons browser, since it’s run in the SQL runtime layer. It’s up to Apache to determine the (multiple) connection(s) in memory, usually this won’t affect the the process tree in MySQL, and certainly it won’t lead to a denial of service.


Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>