Categories: Hacking

Yahoo Contributors Network affected by Blind & Time Based SQL Injection flaws

Yahoo! Contributors Network was affected by a serious Time based Blind SQL Injection vulnerability which allows the theft of sensitive data.

The Yahoo! Contributors Network allows writers to submit articles, videos, it also allows contributors to receive assignments from Yahoo related various domains like Sports and Finance.

The security researcher Behrouz Sadeghipour reported to that The Yahoo! Contributors Network (contributor.yahoo.com) is vulnerable to a Time based Blind SQL Injection vulnerability, which could be exploited by attackers to steal users and contributors personal data.

According to the expert, he has reported the vulnerability flaw to Yahoo! Security team a few months ago and the company fixed the flaw. Months later Yahoo! announced its decision to shut down ‘Yahoo Contributors Network’ due to its decreasing popularity and removed all its contents online, except some of the “work for hire” content.

As explained by the researcher the vulnerability affect Yahoo! systems and attackers could exploit it to compromise the database by injecting its own SQL commands and to gain access to sensitive and personal information of contributors that are paid by the company. Two following URLs could be used to run the attack against the Yahoo serverr :

http://contributor.yahoo.com/forum/search/?

http://contributor.yahoo.com//library/payments/data-table/?

It’s not the first time that experts discovered a flaw in the Yahoo! Contributors Network, in July 2012 has been hacked by the group of hackers called D33DS Company that stolen and published 453,491 email addresses and passwords in a document named “Owned and Exposed”. The file containing the credentials was later disclosed via BitTorrent and various file lockers on the web. The D33Ds hackers claimed they released the information to show the security leak at Yahoo, and not to realize frauds or for other malicious purposes.

In September 2014, the Egyptian hacker Ebrahim Hegazy has discovered a similar vulnerability in the Yahoo service that allows a Remote Code Execution and privilege escalation.

SQL Injection is considered an effective attacks technique and security experts worldwide sustain that the number of SQL injection attacks continues to grow. According to new study titled “The SQL Injection Threat Study“ published in April 2014 by the The Ponemon Institutenearly 65% of organizations suffered successfully SQL injection attacks in the last twelve months, which were able to evade victims’ defenses.

Do not underestimate the SQL Injection attacks … they could seriously damage your business.

Pierluigi Paganini

(Security Affairs – Yahoo contributor network, SQL injection)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.