ConnectU Hack Reveals “Most Basic Security Flaws Possible”

Last week Facebook got hacked, and nerds everywhere luxuriated in the "elegance" of the reigning king of college networking's code.  This week ConnectU got hacked.  And elegant it wasn't.  Reluctant hacker Brendan O'Connor (full disclosure: he is Guest Editor Maureen's brother, and a Stanford grad, which is so gauche, but bear with us) stumbled into "one of the most basic security flaws possible in a website," enabling him to browse ConnectU's databases -- including passwords and "private" material.

Having just read IvyGate's Facebook v. ConnectU coverage, Brendan decided to take a spin on the latter website by typing his last name -- O'Connor -- into ConnectU's search engine.  Since the apostrophe is a string delimiter in the SQL language, the unexpected keystroke let O'Connor break out of the last_name field and "inject arbitrary commands" straight into ConnectU's inner machinery.  This is the hack known as SQL injection.  He explains:
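The apostrophe failure described above, as an added example that is not ConnectU's code (theirs was PHP; this uses Python's sqlite3 against a constructed users table): the concatenated query beside the parameterised fix, plus the kind of password-reuse audit the post goes on to mention.

```python
import sqlite3

# Constructed sample rows standing in for a ConnectU-style users table.
SAMPLE_USERS = [
    ("Brendan", "O'Connor", "hunter2"),
    ("Alice", "Smith", "password"),
    ("Bob", "Jones", "password"),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (first_name TEXT, last_name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def search_vulnerable(conn, last_name):
    # The flaw in the post: user input is spliced into the SQL text, so an
    # apostrophe closes the string literal early and the rest of the input
    # is parsed as SQL.
    sql = "SELECT first_name, last_name FROM users WHERE last_name = '" + last_name + "'"
    return conn.execute(sql).fetchall()


def search_fixed(conn, last_name):
    # Parameterised query: the value travels separately from the statement,
    # so an apostrophe is just data and O'Connor is found normally.
    sql = "SELECT first_name, last_name FROM users WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()


def probe(conn, last_name):
    """Run the vulnerable search and report ('ok', rows) or ('error', msg).
    A syntax error on an ordinary surname with an apostrophe is the tell
    O'Connor hit: the input changed the shape of the statement."""
    try:
        return ("ok", search_vulnerable(conn, last_name))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def shared_password_counts(conn):
    # Audit for the reuse the post reports (192 users on "password").
    # That the column is plaintext at all is a second flaw.
    return conn.execute(
        "SELECT password, COUNT(*) AS n FROM users "
        "GROUP BY password HAVING n > 1 ORDER BY n DESC"
    ).fetchall()
```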

While Facebook recently had a minor security-related glitch, ConnectU's flaw is far more serious. A malicious attacker could use this to easily break into user accounts, damage or delete internal databases, or probably much worse. ... This bug is one of the most elementary security bugs that can exist in a PHP website. It's a clear sign of a shoddy, amateurish effort; my coworker Dave Fayram, a web engineering expert, describes it as "shameful."

And what did our malicious attacker do with his injection?  Discovered that 192 people use the password "password," and then alerted ConnectU to the breach so they'd have time to fix it before he posted it on his blog.  Blame it on Stanford's IHUM requirement; the guy has an annoyingly strong sense of morality. --MAUREEN O'CONNOR

3 Responses to “ConnectU Hack Reveals “Most Basic Security Flaws Possible””

  1. MITbitch Says:

    password=password, lol Harvard

  2. Dart Says:

    “…an annoyingly strong sense morality.” um…”of”? Nice sleuthing!!

  3. derekandchrissy Says:

    Derek: Frankly, I just like that you used the word ‘gauche’
    Chrissy: Frankly, I just like Brendan O’Connor
