What the LinkedIn, Last Fm and eHarmony Hacks Tell Us.

If you have been following what’s happening on the internet recently, you might have seen that LinkedIn, Last Fm and the online dating website eHarmony were hacked and millions of passwords were posted online.

Last Fm Hack : nakedsecurity.sophos.com/2012/06/07/last-fm-password

LinkedIn Hack : nakedsecurity.sophos.com/2012/06/06/millions-of-linkedin-passwords-reportedly-leaked-take-action-now

eHarmony Hack : nakedsecurity.sophos.com/2012/06/07/eharmony-passwords-stolen

I’m not going to talk about the hacking incidents themselves; you can get all the information you need from the links above. I’m going to talk about what we should learn from them.

These events raise questions about the security of the websites to which people hand over their personal information, pictures and messages. People really need to think twice before giving all of their personal information to websites, posting their pictures online, and so on, because, as these incidents show, even the best websites are vulnerable and you can’t be 100% sure that your information will stay secure forever.

Some might argue that the cloud is more secure than keeping data on your own computer. However, if you keep your systems up to date and your data encrypted, I think your computer is safer than the cloud. Even two-factor authentication, the most secure method available, was bypassed because of a security flaw in Google: the attackers gained access to the emails of the CloudFlare CEO, and through them to CloudFlare user data, and changed the DNS information of 4Chan.

If you look at the LinkedIn passwords (I’m not sure about the Last Fm and eHarmony passwords), you can see how insecure even the biggest websites on the internet can be.

In LinkedIn’s case, the passwords they stored were not salted. Salting means adding a random string to the password before it is hashed, so that even the same password produces a different hash for each user, because each one gets its own random string. Because LinkedIn did not salt its passwords, 60% of the passwords released online were cracked within 24 hours.

So if you run a website that stores passwords, you must salt them before hashing and use a strong hashing method like SHA-1, because MD5 is now considered outdated.
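The two storage schemes described above, side by side, as an added example that is not the post’s own code: an unsalted single hash, and a per-user random salt stored beside the digest. The salted version uses PBKDF2-HMAC-SHA256 rather than a single SHA-1 pass, which is the editor’s substitution and not something the post prescribes; the user names, passwords and wordlist are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster

def unsalted_sha1(password: str) -> str:
    """LinkedIn-style storage: one SHA-1 pass over the password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted storage: a fresh random 16-byte salt per user, kept beside the
    digest. PBKDF2-HMAC-SHA256 replaces a single SHA-1 pass (editor's
    substitution) so that every guess also costs the attacker CPU time."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt; compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

def lookup_table_attack(stored_hashes: list, wordlist: list) -> int:
    """Count unsalted hashes recovered with one precomputed wordlist table.
    Against salted hashes the table must be rebuilt per salt, at ITERATIONS
    hash computations per guess, which is exactly why salting helps."""
    table = {unsalted_sha1(word): word for word in wordlist}
    return sum(1 for h in stored_hashes if h in table)

def demo() -> dict:
    # Constructed sample users; three of the four chose the same weak password.
    users = {"alice": "linkedin", "bob": "linkedin",
             "carol": "linkedin", "dave": "Tr0ub4dor&3"}
    wordlist = ["123456", "password", "linkedin", "qwerty"]  # constructed
    unsalted = [unsalted_sha1(p) for p in users.values()]
    salted = [hash_password(p) for p in users.values()]
    return {
        "unsalted_distinct": len(set(unsalted)),  # 2: same password, same hash
        "salted_distinct": len(set(salted)),      # 4: different salt per user
        "cracked_unsalted": lookup_table_attack(unsalted, wordlist),  # 3
        "verified": verify_password("linkedin", salted[0]),           # True
    }
```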

If you are a LinkedIn, Last Fm or eHarmony user:

  • Change your passwords now.
  • If you use the same password for other accounts, change those too.
  • Use two-factor authentication wherever it is available; Facebook, Google and others offer it.



MyDeal.lk Reflected Cross-Site Scripting Vulnerability.

MyDeal.LK, a popular Sri Lankan daily-deal website, has a reflected cross-site scripting vulnerability. Because of it, an attacker can craft a URL containing a malicious script that is executed in the browser of an unsuspecting victim who thinks they are visiting MyDeal.LK.

The vulnerability exists in the “deals.php?id=[id]” parameter, which is reflected into the page without encoding, so an attacker can inject a script like this:

http://www.mydeal.lk/deals.php?id=%5Bid%5D”><script>EVIL SCRIPT HERE</script>

The attacker can replace EVIL SCRIPT HERE with a script that probes the victim’s computer for an exploitable flaw, delivers a drive-by download, or steals information such as the session cookies of administrators, which could then be used to gain access to the website itself.

I’ve reported the vulnerability to MyDeal.LK. I hope they will fix it soon. The best way to keep yourself protected is not to click on links from suspicious sources.

GitHub Post Here