Widget was hacked... Proof enclosed.

And for the record, the text following the donor's name was time=, which is part of the text file's layout.

The donation feed looks something like this:

count=166691&sum=15814216.0400&donors=Joe|Blow|City|State&time=1197869200

Maybe the donor had an & in their name which should have been encoded. I won't worry about it unless the campaign tells us to worry.
 
If they successfully hacked it, they would have made much more drastic changes to the amount displayed. IF they were trying to decrease it, they would have REALLY decreased it, and the same if they were trying to increase it.



Your logic is flawed. If someone wanted to do an attack like this, they would have to leave a lot of doubt, otherwise there would be no debate, we would know that an attack had occurred.

I think we have to find out if somebody saw the surge and pulled the plug, using the massive activity as a smokescreen. It seems odd the way donations froze and jumped around.
 
Generally speaking, RP has some of the best tech people around. There is no way in hell they'd leave a hole for a SQL injection attack. That's just amateur shit.

Don't worry, people: computers (and users) under stress can do weird things. I've seen it all before; they can usually be explained and they're usually harmless.

I agree about the stress issue, but mistakes do happen. Just like they forgot to set up reverse DNS for the IP sending out the confirmation email after you donate, which is why some people are not getting their confirmation emails after donating.
 
7 year computer programmer here. ANYWHERE where you submit data in an application has the potential for a SQL injection if you DON'T code against it. You as a Database Admin might also have some power over stopping this, but ultimately it is a proactive solution on either end. YOU may protect your databases from attack, but that does not equate to automatic protection.

That being said, from the snippet shown, I would imagine the scenario already mentioned, where the parse character was included in the State field on the submission form, was the actual cause.

4-year programmer and 10-year web/graphics designer here who agrees with you.
 
The db probably exports an XML file to the widget using some sort of web service. Guaranteed there is a layer between the db and the widget. The widget probably never even gets close to the db.

But could someone capture all the names?
 
7 year computer programmer here. ANYWHERE where you submit data in an application has the potential for a SQL injection if you DON'T code against it.

Thank you (13 year programmer myself). People here seem to think a lot of goofy things about how secure their data is because the "professionals" are on the job. The real professionals know that screw ups are very common, especially when under constant, absurd deadlines to get things done. I'm not saying that anything happened here, but you're being naive if you think there's nothing to worry about.
 
I find it highly UNLIKELY that the flash object is going to accept input characters and be tied to the actual donor database, where this would be a risk. If the programmer allowed that, they should be fired.

More likely: the character separator they use for the "latest donors" input string was screwed up, i.e. somebody submitted a name that had the same character as they use to separate the data.

SQL injection works when you allow user data to be submitted and executed in some way. The flash widget does not take data. It pushes out data.

If anything, it would have been a SQL injection attack via the submission form, not the widget.

Edit: Nothing to worry about here. This is 11 years of programming experience talking.

What does flash have to do with it? The characters were put into the database that way on the donor page. It was copied to the flash object after the fake hack donation was accepted. It's only incidental that it was copied to the front page, because whoever did it was a bit of an idiot and didn't mark the "don't show my name on front page" option. We only hope it didn't work.
 
The db probably exports an XML file to the widget using some sort of web service. Guaranteed there is a layer between the db and the widget. The widget probably never even gets close to the db.

But could someone capture all the names?

Yes, but instead of cleaning the data first and rejecting the name as being impossible, it obviously accepted the donor, so it went into the database too. The fact that it also got copied to the widget is incidental.
 
Thank you (13 year programmer myself). People here seem to think a lot of goofy things about how secure their data is because the "professionals" are on the job. The real professionals know that screw ups are very common, especially when under constant, absurd deadlines to get things done. I'm not saying that anything happened here, but you're being naive if you think there's nothing to worry about.

Agreed. I've seen some stuff happen because people just assumed that since it was a reliable application, there were no problems. Saw a case of SQL injection in a minor intranet product that allowed someone to log in as a superuser. Thank goodness it was behind the firewall and only available to company people. It was fixed rather quickly though once found.
 
I wonder what the gambling sites, who must hate things like this, are going to do. It seems pretty obvious we went well over 6 million, but I wonder if there will be a payout delay.
 
It's back up to 18 million.

Maybe we really did make it before 11:59 PM, and the servers just locked up?
 
You people are really making me feel great. :rolleyes: Thanks for making me worry about getting robbed now. :D

I don't know crap about this stuff, but if it showed up on the widget thing, I would think that if it was someone hacking something they must have done a sloppy job for it to show up where you could see it.....
 
Why would the app even allow any characters other than letters? I mean, some basic input verification code would take care of that.
 
The widget utilizes the following delimiters:

&^|

Maybe they don't strip all these as they should? None of these characters are evil; they are only potential problems because the programmers chose to use them as delimiters for the fund-raising widget, and even then it's only a cosmetic problem. Yes, it's possible something malicious happened, but it's also very possible it was a cosmetic quirk.
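The two technical points in this thread, the `count=...&sum=...&donors=First|Last|City|State&time=...` feed layout quoted near the top and the `&^|` delimiter list just above, both come down to the same bug class: user-supplied fields pasted unencoded into a format that uses those characters as structure. The following is an added illustration, not the campaign's or the widget's code. The field order is inferred from the single sample line in the thread; the real widget's encoding rules, the function names and the hostile record are assumptions. It shows a naive serializer that lets a name rewrite the layout, a hardened one that percent-encodes every user-supplied field (so no character needs to be banned, only encoded), and a strict parser on the widget side that refuses a malformed feed instead of displaying it.

```python
"""Added example, not the campaign's code: the feed layout below is inferred
from the one sample line quoted in the thread. Everything else is assumed."""
from decimal import Decimal, InvalidOperation
from urllib.parse import quote, unquote

DONOR_FIELDS = ("first", "last", "city", "state")
REQUIRED_KEYS = {"count", "sum", "donors", "time"}

# Sample feed line as quoted in the thread.
SAMPLE_FEED = "count=166691&sum=15814216.0400&donors=Joe|Blow|City|State&time=1197869200"


def build_feed_naive(count, total, donor, timestamp):
    """The failure mode the thread suspects: user-supplied fields are pasted
    straight into the feed, so a name containing '&' or '|' rewrites the layout."""
    return f"count={count}&sum={total}&donors={'|'.join(donor)}&time={timestamp}"


def build_feed_safe(count, total, donor, timestamp):
    """Hardened serializer: percent-encode every user-supplied field so the
    reserved characters (& | ^ =) can only ever appear encoded, and coerce the
    numeric fields so nothing but digits reaches the feed."""
    if len(donor) != len(DONOR_FIELDS):
        raise ValueError("donor record must have exactly four fields")
    encoded = [quote(field, safe="") for field in donor]  # safe="" encodes everything non-alphanumeric
    return (f"count={int(count)}&sum={Decimal(total):.4f}"
            f"&donors={'|'.join(encoded)}&time={int(timestamp)}")


def parse_feed(feed):
    """Strict parser for the widget side: refuses duplicate keys, missing keys,
    malformed pairs and donor records that do not split into exactly four
    fields, instead of rendering whatever arrived."""
    fields = {}
    for pair in feed.split("&"):
        key, sep, value = pair.partition("=")
        if not sep or key in fields:
            raise ValueError(f"malformed or duplicate pair: {pair!r}")
        fields[key] = value
    if set(fields) != REQUIRED_KEYS:
        raise ValueError(f"unexpected key set: {sorted(fields)}")
    parts = fields["donors"].split("|")
    if len(parts) != len(DONOR_FIELDS):
        raise ValueError(f"expected 4 donor fields, got {len(parts)}")
    try:
        count = int(fields["count"])
        total = Decimal(fields["sum"])
        timestamp = int(fields["time"])
    except (ValueError, InvalidOperation) as exc:
        raise ValueError(f"numeric field is not numeric: {exc}") from exc
    donor = dict(zip(DONOR_FIELDS, (unquote(p) for p in parts)))
    return {"count": count, "sum": total, "donor": donor, "time": timestamp}


def feed_is_valid(feed):
    """True if the strict parser accepts the feed, False if it rejects it."""
    try:
        parse_feed(feed)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed hostile record: the name fields carry the feed's own delimiters.
    hostile = ("Joe&count=1", "Blow|Extra", "City", "State")
    naive = build_feed_naive(166691, "15814216.0400", hostile, 1197869200)
    print("naive feed accepted by parser:", feed_is_valid(naive))
    safe = build_feed_safe(166691, "15814216.0400", hostile, 1197869200)
    print(safe)
    print(parse_feed(safe)["donor"])
```

With the constructed record the naive feed produces a duplicate `count=` pair and five donor fields, so the strict parser rejects it; the encoded feed carries `%26`, `%7C` and `%3D` in place of the delimiters and round-trips to the original name. Encoding on output and validating on input is what makes the delimiter choice harmless, which is the point made above about none of the characters being evil in themselves.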