posted by martyb on Sunday June 21 2020, @02:40AM
from the with-"Friends"-like-these... dept.

Arthur T Knackerbracket has found the following story:

We’re fans of haveibeenpwned.com around here, but a weird story came across my proverbial desk this week — [Troy Hunt] wrote a malicious SQL injection into one of their emails! That attack string was a simple ';--

Wait, doesn’t that look familiar? You remember the header on the haveibeenpwned web page? Yeah, it’s ';--have i been pwned?. It’s a clever in-joke about SQL injection that’s part of the company’s brand. An automated announcement was sent out to a company that happened to use the GLPI[*] service desk software. That company, which shall not be named for reasons that are about to become obvious, was running a slightly out-of-date install of GLPI. That email generated an automated support ticket, which started out with the magic collection of symbols. When a tech self-assigned the ticket, the SQL injection bug was triggered, and their entire ticket database was wiped out. The story ends happily, thanks to a good backup, and the company learned a valuable lesson.

[...] Modern security and privacy tools like Tor and the Tails distribution are amazing and potentially extremely useful. Journalists, protesters, and even whistleblowers find legitimate use for the tool set. However, every once in a while a story forces us to look straight into the ugly face of the dark side of the net. In this case, it’s a predator that used Tor to stalk and harass teenage girls on Facebook, and extort compromising photographs out of them.

The reason we’re talking about this case is that Facebook went to the extreme of hiring a security firm to develop an exploit specifically for their anonymous stalker. They found a zero-day in the Tails video player, and developed a full de-anonymizing attack. Facebook then handed the attack over to the FBI, who used it to finally catch Buster Hernandez.

It’s still unknown what the zero-day exploit was precisely, as disclosure never happened. Apparently the flaw was eventually removed from Tails through the process of normal updates, and never publicly identified as a vulnerability. It’s not entirely clear how long the FBI was in possession of the tool before the flaw was patched. It’s reasonable to suspect that it was used in other cases, though it’s not likely we’ll find out any time soon.

Was Facebook right to go to such extreme lengths to help capture a criminal who was abusing their platform?

[*] GLPI:

GLPI (acronym: French: Gestionnaire Libre de Parc Informatique, or "Open Source IT Equipment Manager" in English) is an open source IT Asset Management, issue tracking system and service desk system. This software is written in PHP and distributed under the GNU General Public License.

  • (Score: 2) by stormreaver (5101) on Sunday June 21 2020, @03:23PM (#1010667) (3 children)

    It still shocks me that, to this day, some people submit ess queue ell to the database inline rather than through prepared statements. I can understand how people who submit SEQUEL to an ess queue ell database probably lock the brain capacity to tell the difference, but they should have been fired long ago.

  • (Score: 2) by stormreaver (5101) on Sunday June 21 2020, @04:16PM (#1010688)

    Dammit! A perfectly good ribbing ruined by a typo!

  • (Score: 0) by Anonymous Coward on Sunday June 21 2020, @07:23PM (#1010747)

    That's what a good 90 % of the tutorials that come up in a web search have people do, and that's the code that ends up copy/pasted into production.

  • (Score: 0) by Anonymous Coward on Thursday June 25 2020, @12:48AM (#1012226)

    The actual benefit comes from parameterized queries, not from the prepared statements (and no, they are not identical but often used together). Even if your language, binding, or database doesn't support or expose prepared statements, they should support parameterized queries. As you said, string interpolation as an alternative is just wrong.
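As an added illustration of the point this thread is making (not code from the story, from GLPI, or from any commenter): a ticket subject that begins with the same ';-- marker the story describes is stored intact when it is passed as a bound parameter, while splicing it into the SQL text turns it into part of the query and the statement breaks. Python's sqlite3 module with a constructed in-memory table; the table and function names are assumptions, not GLPI's.

```python
import sqlite3

# Constructed sample input: a subject line opening with the ';-- marker from the story.
PWNED_SUBJECT = "';--have i been pwned?"


def new_ticket_db():
    """Constructed stand-in for a service-desk ticket table (not GLPI's schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, subject TEXT NOT NULL)")
    return con


def insert_interpolated(con, subject):
    """The anti-pattern the comments describe: the subject is pasted into the SQL
    text, so any quote or comment marker it contains is parsed as SQL, not data."""
    sql = "INSERT INTO tickets (subject) VALUES ('%s')" % subject
    con.execute(sql)
    con.commit()


def insert_parameterized(con, subject):
    """The fix: the SQL text is constant and the subject travels as a bound value.
    The database never parses the subject, so ';-- is just four characters."""
    con.execute("INSERT INTO tickets (subject) VALUES (?)", (subject,))
    con.commit()


def store_subject(con, subject, safe=True):
    """Store one subject and report what actually happened.

    Returns ("ok", stored_text) when the row was written, or ("error", message)
    when the database rejected the statement.
    """
    try:
        (insert_parameterized if safe else insert_interpolated)(con, subject)
    except sqlite3.Error as exc:
        return ("error", str(exc))
    row = con.execute("SELECT subject FROM tickets ORDER BY id DESC LIMIT 1").fetchone()
    return ("ok", row[0])


if __name__ == "__main__":
    db = new_ticket_db()
    print("parameterized:", store_subject(db, PWNED_SUBJECT, safe=True))
    print("interpolated: ", store_subject(db, PWNED_SUBJECT, safe=False))
```

With interpolation the quote in the subject closes the SQL string early and the `;--` cuts the statement off, so the round trip returns an error instead of the row; the parameterized path returns the subject exactly as submitted.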