Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Bugtraq: Bugtraq

New Web Hacking Incidents at WHID

 

 

Bugtraq bugtraq RSS feed   Index | Next | Previous | View Threaded


ofers at Breach

Jan 7, 2008, 6:09 AM

Post #1 of 1 (603 views)
Permalink
New Web Hacking Incidents at WHID

Gearing towards WHID 2007 annual report, 2007 I came across many new
interesting web hacking incidents that I missed this year and added them to
the database (more details at WHID site at
http://www.webappsec.org/projects/whid):

So what's new at WHID this week?

+ A lot of problems for web hosting companies: In one of them a subsidiary
of British Telecom suffered a major intrusion where someone stole all its
clients e-mails, used it for spam and planted malware on their sites. All
due to a programming mistake of one their programmers: WHID 2007-75:
PlusNet blames itself for webmail spamfest
(http://www.webappsec.org/projects/whid/byid_id_2007-75.shtml). Other
hosting incidents: WHID 2007-74: Web host breach may have exposed passwords
for 6,000 clients, WHID 2007-77: HostGator: cPanel Security Hole Exploited
in Mass Hack, WHID 2007-76: A large web hosting firm inflicted by mass
malware installation.

+ The first CSRF entry in WHID, and a really bad one: CSRF in g-mail cost
someone his very successful domain, stolen by a blackmailer (WHID 2007-72:
Gmail CSRF exploited to hijack a domain
(http://www.webappsec.org/projects/whid/byid_id_2007-72.shtml)

+ Our first story from Brazil. It is not new, but the exposure to the
project led someone from Brazil to send it to me. It shows how many stories
we do not discover due to language barrier: WHID 2007-78: A Brazilian
banking site allows users to views receipts intended for others
(http://www.webappsec.org/projects/whid/byid_id_2007-78.shtml)

+ Among the newly defaced: MSNBC in Turkey (WHID 2007-81) & Vodafone in
India (WHID 2007-80).

If you have more stories - e-mail me!

~ Ofer


Ofer Shezaf
Work: ofers [at] breach, +972-9-9560036 #212
Personal: ofer [at] shezaf, +972-54-4431119

VP Security Research, Breach Security
Chair, OWASP Israel
Leader, ModSecurity Core Rule Set Project
Leader, WASC Web Hacking Incidents Database Project

Bugtraq bugtraq RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.