VyRT Hacking (Part I): How a website accidentally gives out your information

Recently, news came that the official community website of the band 30 Seconds to Mars was hacked and information was leaked. No public details are available yet, but I have a theory about how this hack worked, and about how you Echelons can minimize the damage.

This post is going to be a little heavy on the technical side, so proceed with care. If you run into an unfamiliar concept, Wikipedia will be your friend.

How Websites Work

This hack exploits the way all community websites, if not all websites, work.

All websites run on servers: powerful and reliable computers with a decent Internet connection, running specialized software that is designed to be operated by you from your browser. To put it simply, when you open a web page, a program starts on the server, generates the page you see, and sends it to you.

All programs are written by humans, and humans are never immune to mistakes. Sometimes a programmer overlooks a line of code, and a bug, or in a case like this a vulnerability, slips into it. This hack leveraged a common vulnerability in how parts of the specialized software talk to each other, specifically how the web scripts talk to the database management system. This kind of attack is called SQL injection.

SQL Injection

A website needs a more organized way to store its data than the way you store your files. It uses a database management system (DBMS) for this, and the most common type of DBMS uses SQL, or Structured Query Language, to talk with other software on the server.

In order to present exactly what you asked for, the website inserts your request into an SQL statement according to a template, and queries the DBMS with it. Usually this works fine, but things can go wrong if it is not done properly.

Let’s say you are searching for a video on a website. The template can be:

SELECT * FROM video WHERE name = "$query";

If you are looking for City of Angels, the website program asks the DBMS:

SELECT * FROM video WHERE name = "City of Angels";

And the DBMS dutifully searches its storage for a video named City of Angels. However, when a hacker tries his hand, he will search for this instead:

City of Angels"; SELECT * FROM users WHERE "haxx"="haxx

And if the website programmer was careless when doing his job, this is what gets sent to the DBMS:

SELECT * FROM video WHERE name = "City of Angels"; SELECT * FROM users WHERE "haxx"="haxx";

The DBMS, being a humble program, believes that it is indeed being asked both of these questions, and honestly returns not only the City of Angels video but also information about everyone who has an account on the site.
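Here is the careless template and its fix side by side, as an added example that is not from the original post, written with Python's built-in sqlite3 module and constructed sample tables. It reproduces the search string from the post to show what the pasted-together statement looks like, then runs the parameterized version, which treats the same string as a plain (and unmatched) video name rather than as SQL.

```python
import sqlite3

# Constructed sample data for this demo; none of it comes from the post.
VIDEOS = [("City of Angels",), ("Kings and Queens",)]
USERS = [("alice", "<password hash placeholder>"),
         ("bob", "<password hash placeholder>")]

# The exact search string from the post.
HOSTILE_QUERY = 'City of Angels"; SELECT * FROM users WHERE "haxx"="haxx'


def make_db():
    """Build a throwaway in-memory database with a video table and a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE video (name TEXT)")
    conn.execute("CREATE TABLE users (login TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO video VALUES (?)", VIDEOS)
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def build_query_unsafe(search):
    """The careless template: the search text is pasted straight into the SQL.

    With the hostile string this yields two statements, and the second one
    reads the users table. Returned as text here rather than executed.
    """
    return 'SELECT * FROM video WHERE name = "' + search + '";'


def search_safe(conn, search):
    """The fix: a parameterized query.

    The SQL text is fixed and the search string travels separately as a bound
    value, so the DBMS treats it as data and never as part of the statement.
    """
    rows = conn.execute("SELECT * FROM video WHERE name = ?", (search,))
    return rows.fetchall()


if __name__ == "__main__":
    db = make_db()
    print(build_query_unsafe(HOSTILE_QUERY))   # the stacked statement from the post
    print(search_safe(db, "City of Angels"))   # [('City of Angels',)]
    print(search_safe(db, HOSTILE_QUERY))      # [] - no video has that odd name
```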

The Hack

The hacker, by injecting SQL queries like this, can download (or even modify) data on the server at will. He will be able to get any information stored in the DBMS as is. If the information in question is stored in plain form, like video links, he can get it outright. If the data is encrypted, as I assume the passwords are, he will have a harder time figuring out what it is, but if he is determined and well-financed, or if he has a high-value target like credit card information, he surely can.

Just a side note: in Chinese, we call this “yanking the pants off a website”, because it exposes the site's raw data to the hackers.
