New Web Hacking Incidents at WHID
Gearing towards WHID 2007 annual report, 2007 I came across many new
interesting web hacking incidents that I missed this year and added them to
the database (more details at WHID site at
http://www.webappsec.org/projects/whid):
So what's new at WHID this week?
+ A lot of problems for web hosting companies: In one of them a subsidiary
of British Telecom suffered a major intrusion where someone stole all its
clients e-mails, used it for spam and planted malware on their sites. All
due to a programming mistake of one their programmers: WHID 2007-75:
PlusNet blames itself for webmail spamfest
(http://www.webappsec.org/projects/whid/byid_id_2007-75.shtml). Other
hosting incidents: WHID 2007-74: Web host breach may have exposed passwords
for 6,000 clients, WHID 2007-77: HostGator: cPanel Security Hole Exploited
in Mass Hack, WHID 2007-76: A large web hosting firm inflicted by mass
malware installation.
+ The first CSRF entry in WHID, and a really bad one: CSRF in g-mail cost
someone his very successful domain, stolen by a blackmailer (WHID 2007-72:
Gmail CSRF exploited to hijack a domain
(http://www.webappsec.org/projects/whid/byid_id_2007-72.shtml)
+ Our first story from Brazil. It is not new, but the exposure to the
project led someone from Brazil to send it to me. It shows how many stories
we do not discover due to language barrier: WHID 2007-78: A Brazilian
banking site allows users to views receipts intended for others
(http://www.webappsec.org/projects/whid/byid_id_2007-78.shtml)
+ Among the newly defaced: MSNBC in Turkey (WHID 2007-81) & Vodafone in
India (WHID 2007-80).
If you have more stories - e-mail me!
~ Ofer
Ofer Shezaf
Work: ofers@xxxxxxxxxx, +972-9-9560036 #212
Personal: ofer@xxxxxxxxxx, +972-54-4431119
VP Security Research, Breach Security
Chair, OWASP Israel
Leader, ModSecurity Core Rule Set Project
Leader, WASC Web Hacking Incidents Database Project