Sunday, September 17, 2006

Another week another few web app hacks

It's hard to tell if more hacks are occuring at the web application layer, if they are being reported more often, or organizations are simply required to disclose when they occur. Whatever the case happens to be, interest in web application security by both the good guys and the bad guys is at an all time high. I noticed a couple of recent headlines where the incident looked to me like it was due to insecure web applications.

Second Life, a 3-D virtual world entirely built and owned by its residents, had some data of its 650,000 user-base compromised.

"Detailed investigation over the last two days confirmed that some of the unencrypted customer information stored in the database was compromised, potentially including Second Life account names, real life names and contact information, along with encrypted account passwords and encrypted payment information. No unencrypted credit card information is stored on the database in question. Unencrypted credit card information has not been compromised."

More headlines:
Urgent Security Announcement
Metaverse breached: Second Life customer database hacked
Second Life suffers security breach

Controversial audio tapes by Arnold Schwarzenegger uncovered on public web server.

"The Democratic rival to California Gov. Arnold Schwarzenegger acknowledged Tuesday that his aides were responsible for obtaining a controversial audio file in a move that has led to allegations of Web site hacking."

More headlines:
Rival behind Schwarzenegger Web flap
Radio Station Disputes Gov.'s Claim Speech Website Was Hacked
Schwarzenegger Hacking Claims Crumbling Like A Bunch Of Girlie Men
In A Politically Sticky Situation? Blame A Hacker!

Nikon Magazine website compromised

“During a nine-hour period Tuesday, nine new Nikon World subscribers were able to view personal information of 3,235 individuals who had registered for the magazine, going back to Jan. 1. The information that was accessible included subscribers' addresses, contact details and credit card information.”

XSS strikes again, this time faking a new Google service

“Except the Gmail plus service is actually fake and been put together by a persitent code insertion flaw (Not just XSS but any content) that allows users to host a customised search service on the Google domain.”

More headlines:
Google plugs phishing hole
What's Wrong With Google?
Gmail Plus or Google Danger?
Exploiting Google for Phishing
Phising Exploit Discovered in ‘Google Public Search Service’

No comments: