RIAA Site Cracked By SQL Injection And XSS

Author
Aron Schatz
Posted
January 21, 2008
Views
1091
Tags News

Page All:

Page 1
Nice job RIAA. I guess you're busy with suing all your customers. Didn't you notice that hiring shoddy programmers lead to bad code?

Quote

It started out on the social news website Reddit, where a link to a really slow SQL query was posted. While the Reddit users were trying to kill the RIAA server, someone allegedly decided to up the ante and wipe the site's entire database. The comments on Reddit are only speculation so far. Based on the username, which was apparently "webReadOnly", it might not have been setup correctly, or someone could have found another way to delete the content form the site. Another possibility is that the website has some sort of database flood protection that disables new connections, or perhaps the RIAA themselves removed the content temporarily. The latter seems unlikely, as a better solution would be to take it entirely offline to fix the bigger problem. While they could fix a small vulnerability like this in a matter of seconds, the chances are it’s not an isolated problem. As pointed out by Haywire, playing around with the urls a bit can return some funny results. It is pretty easy to make the RIAA link to The Pirate Bay for example. For now it sure does look like all the content has been wiped from the RIAA homepage. Let’s hope they have backups, or not.

Title

Medium Image View Large