Hackers use blind SQL injection attack to crack Oracle-Sun, MySQL.com

The hackers used a blind SQL injection attack to break into the website and disclosed details of the breach on the Full Disclosure mailing list. The two hackers said they breached various databases, discovering the password hashes for various usernames associated with the website.
Oracle Corp., which acquired Sun Microsystems in 2009 in a deal that included the newly acquired MySQL database division, has not acknowledged the breach. Vulnerabilities that can be used in a SQL injection attack are common on websites. They let attackers submit a database query that requests some action to be performed on the database. If the database returns an error, savvy hackers can use the information to gain wider access to the server containing the underlying website data.
In the data shared by the hackers, some of the password hashes were cracked to reveal complete login details for accounts associated with MySQL.com, including the WordPress account login details for Robin Schumacher, the former director of product management, and Kaj Arnö, former vice president of community relations.
Some of the passwords revealed simple phrases. Schumacher set his password as a simple 4-digit number—with three repeating digits. The hackers also posted several other database tables without the password hashes.
Information relating to Sun.com was also posted. The data consists of a series of columns, tables and databases derived from an SQL injection into Sun's websites. This dump is seemingly devoid of passwords, but it does reveal several company email addresses.
While embarrassing, the flaw is not in the MySQL database management system software, but rather is a website coding vulnerability, said Chester Wisniewski, a senior security advisor, writing in the Sophos blog, Naked Security. Wisniewski said the MySQL website is also subject to a cross-site scripting (XSS) vulnerability that was announced in January 2011 and has yet to be remedied. "Auditing your websites for SQL injection is an essential practice, as well as using secure passwords," Wisniewski wrote. "Either can lead you down a road that ends in tears."
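Added example, not taken from the article, the affected sites or Sophos: a blind SQL injection needs no error message, so hiding database errors does not close the hole. The Python code below uses a constructed in-memory SQLite table and hypothetical handler names to show the boolean-difference check an audit can run, next to the parameterized fix.

```python
import sqlite3

def make_db():
    """Constructed sample data: one table standing in for a site database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO articles VALUES (1, 'Release notes')")
    return db

def show_article_concat(db, article_id):
    """Flawed handler (hypothetical): concatenates input into SQL, hides errors."""
    try:
        row = db.execute(
            "SELECT title FROM articles WHERE id = " + article_id
        ).fetchone()
    except sqlite3.Error:
        return "Not found"  # error details never reach the client
    return row[0] if row else "Not found"

def show_article_param(db, article_id):
    """Corrected handler (hypothetical): validates the type, binds the value."""
    if not (article_id.isascii() and article_id.isdigit()):
        return "Not found"
    row = db.execute(
        "SELECT title FROM articles WHERE id = ?", (int(article_id),)
    ).fetchone()
    return row[0] if row else "Not found"

def audit_boolean_probe(handler, db, good_id="1"):
    """Audit check: flag a handler when appending an always-true and an
    always-false condition to a valid id changes the page it returns."""
    true_page = handler(db, good_id + " AND 1=1")
    false_page = handler(db, good_id + " AND 1=2")
    return true_page != false_page

if __name__ == "__main__":
    db = make_db()
    print("concatenated query flagged:", audit_boolean_probe(show_article_concat, db))
    print("parameterized query flagged:", audit_boolean_probe(show_article_param, db))
```

The concatenated handler is flagged even though it never shows a database error, because the page content alone reveals whether the appended condition was true.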

