An SQL injection flaw has been detected on the Yahoo! website.
Detected as a Blind SQLi problem, Imperva said that the vulnerabiliy was on the Yahoo job section, and could result in the information of large numbers of people being compromised.
Amichai Shulman, CTO at Imperva, said: “Data like this can be extremely useful as far as identity thieves are concerned. This is exactly the sort of data that is traded on so-called carder forums.”
Imperva claimed that forums are causing a problem for law enforcement, because when one forum is closed down another opens, and they act as an auction/exchange for a person's data.
Shulman said that some hackers are selling the ‘fish' - the stolen data - while others provide the ‘fishing polls' – the exploits that can be used to extract the information.
“This is why it's important to warn about potential SQL injection-hacked problems like this. If the potential problem is allowed to continue for any length of time, then the risk of a hacker attack rises as a result,” said Shulman.
“SQL injection is a major thorn in the side for the website hosting community. It can be tackled with careful research and high levels of security. Unfortunately, some site operators overlook this simple fact at high risk.”
See original article on scmagazineuk.com
