Widget was hacked... Proof enclosed.

Generally speaking RP has some of the best Tech people around. There is no way in hell they'd leave a hole for a SQL injection attack. That's just amateur shit.

Don't worry people, computers (and users) under stress can do weird things. I've seen it all before, they can usually be explained and they're usually harmless.
 
I don't know one way or the other but I'm tempted to think it was just a technical error caused by the site getting slammed. RPforums got battered, RP2008 got battered, the widget got battered, etc. As long as there wasn't a security breach it doesn't matter anyway since the numbers will still come out correctly after it's totaled up.
 
holy shit!

There are hackers who don't support Ron Paul?!

Hopefully the ones supporting RP aren't hacking at all; it's the ones against him and freedom, they already got some of his top videos booted off YouTube.
 
Seems to me there were some folks who had a HUGE incentive for the counter not to reach 6 million on 12/16 Eastern time. There's a possible motive. This needs to be nailed if possible since big bucks are in play.
 
I saw the numbers go down by 40 or 50K twice. My mom had to try three times to contribute late in the evening. I suspect a lot of contributions were lost. The rate fell during the last hour when the server kept getting clogged or clobbered.
 
I seriously doubt a hacker could inject false code to cause the widget/server to crash. Considering the amount of money on hand and how important the website is to the campaign, considerable safeguards would have been taken to ensure a user could not inject code into the donation fields. Not to mention that preventing such attacks is relatively easy.

The site crashed because of over use not some hacker.
 
You can't inject a SQL "attack" from the donation page; completely false. More so, you couldn't inject a SQL "attack" via a Flash widget. I've worked as a database administrator 2 out of my short 21 years on this Earth :P

Less panic more celebration!!!

I know you can't SQL inject a flash app like that, but you could possibly inject a negative value into the database for the widget.

Think about it, doesn't the submission page use an AJAX method for transferring variables? I think you should be able to inject into that if you were extremely lucky/clever.
 
Yeah, I had just donated again, and when I came back to the home page the total had changed from 17980000 to 17920000. Then I waited for my name to be displayed on the home screen, and noticed that after a few refreshes of the total the widget stayed at 17,920,000. I thought to myself, "Why aren't people donating?" Has time run out already? Then I looked at my clock and it was about 11:53pm.

Something did happen, just not sure what.

I suspect that the gambling websites or one of the people that placed a bet against us reaching $6million was/is trying to mess with the final total.
 
I find it highly UNLIKELY that the flash object is going to accept input characters and be tied to the actual donor database, where this would be a risk. If the programmer allowed that, they should be fired.

More likely: the character separator they use for the "latest donors" input string was screwed up, i.e. somebody submitted a name that had the same character as they use to separate the data.

SQL injection works when you allow user data to be submitted and executed in some way. The flash widget does not take data. It pushes out data.

If anything, it would have been a SQL injection attack via the submission form, not the widget.

The flash widget is the endpoint. The actual injection would be on the SSL server end, the donation page and the language used to parse it. The widget would just catch the remnants of the statements, as it is simply sent a character string to parse to add to the "recent donors".
 
The flash widget parses a read only text feed on a campaign server. It was likely a parsing error on the widget. Could also be feed acting quirky under load.
 
Relax folks, it looks like the flash widget just didn't properly parse a server response:

This is the URL that the widget grabs every 30 seconds:

http://www.ronpaul2008.com/webservices/REST/donation.stats?format=nvp&time=1197868877026

This is a typical response to that request (click it yourself to see):

Code:
current_quarter_donor_count=118611&current_week_new_donor_count=25160&current_quarter_online_sum=15808292.28&current_quarter_online_count=166607&current_week_online_sum=6030458.44&current_week_online_count=58864&today_online_sum=1625233.11&today_online_count=19200&recent_donors=Christopher%7CPeppas%7CRiverside%7CCA%5EKyle%7CBrown%7CValencia%7CCA%5ETaiyo%7CNakata%7CSanta+Cruz%7CCA%5EFrancis%7CBeaulieu%7CGermantown%7CTN%5EManuel%7CCanizares%7CSanta+Monica%7CCA%5EMark%7CUnis%7CLacona%7CNY%5EEric%7CBenavides%7CAllen%7CTX%5EAndrew%7CFelt%7CSun+Prairie%7CWI%5ESpencer%7CFogleman%7CLake+Elsinore%7CCA%5EAmelia%7CCrabtree%7CWheaton%7CIL%5EBill%7CCotton%7CBend%7COR%5ERobert%7CLange%7CPhiladelphia%7CPA%5EGary%7CHunt%7CBrigham+City%7CUT%5EJennifer%7CSchulz%7CLincolnton%7CNC%5EAlexander%7CLaubin%7CSleepy+Hollow%7CNY%5EC+Stedman%7CGarber%7CPhiladelphia%7CPA%5EStephen%7CCooney%7CWoodstock%7CGA%5EKathryn%7CBolton%7CTraverse+City%7CMI%5ECourtney%7CAllen%7CKent%7CWA%5ECalvin%7CMccaskill%7CCorcoran%7CMN&time=1197868962&current_quarter_offline_sum=2143116.46&current_quarter_offline_count=34613&current_week_offline_sum=168082.28&current_week_offline_count=2352

It's possible that someone jammed something into the address field that caused the widget to go bonkers, but it seems more likely that it was just a bug.
 
A hacker cannot get the CCs unless it's an inside job. Since the campaign doesn't re-authorize the credit card, or re-bill it like a subscription, they probably shouldn't even be storing the credit card number. They should only be keeping the authorization code, and if they need the number, they contact their processor with the auth code and get the number.

If they are storing the credit card numbers for no good reason, the card numbers would have to be encrypted. It's mandatory, and if you fail a processor audit where this is concerned, your processor stops accepting your transactions. So a hacker would have to get the encrypted CCs as well as the encryption key. The key is likely stored in a non-web-accessible back-end system, and is read by middleware before the insertion takes place.

Credit card numbers are well secured, or no CC processors will do business with you.
 
I know, but the question that was asked is what "could" it do. That is sadly the truth... injection attacks can compromise servers, MANY e-businesses learned this the hard way.

They can compromise them, but not cause them to crash. No injection could ever cause the site to go offline the way it did. If injection did cause the site to crash we would be getting PHP or ASP errors (I don't know what the site is built on), not "cannot connect to the server" errors.
 
So, did Ron reach $18 million tonight, or not? Is the current total accurate, or is the former total accurate?

Everyone's yammering on and on about what happened, but few questions are being answered here....
 
I seriously doubt a hacker could inject false code to cause the widget/server to crash. Considering the amount of money on hand and how important the website is to the campaign, considerable safeguards would have been taken to ensure a user could not inject code into the donation fields. Not to mention that preventing such attacks is relatively easy.

The site crashed because of over use not some hacker.

Sounds like some very optimistic assumptions. :)

I don't think it's at all surprising that someone would have been trying to compromise - or even did compromise - the servers.

There is a LOT of anti-Ron Paul hatred out there on the internet, from a number of sides, to say nothing of vested interests.

And the paulpledge.com operators were on Grassroots Central earlier this afternoon reporting that their site had been brought down by a botnet DDOS attack originating from Asia.
 
You can't inject a SQL "attack" from the donation page; completely false. More so, you couldn't inject a SQL "attack" via a Flash widget. I've worked as a database administrator 2 out of my short 21 years on this Earth :P

Less panic more celebration!!!

7-year computer programmer here. ANYWHERE you submit data in an application has the potential for a SQL injection if you DON'T code against it. You as a Database Admin might also have some power over stopping this, but ultimately it is a proactive solution on either end. YOU may protect your databases from attack, but that does not equate to automatic protection.

That being said, from the snippet shown, I would imagine the scenario already mentioned, where the parse character was included in the State field on the submission form, was the actual cause.
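An added example (my own Python, not the campaign's or the widget's code) of the failure described in the "character separator" post and the one just above: a parser for the recent_donors value in the donation.stats feed quoted earlier, first trusting the | and ^ separators the way the widget apparently did, then rejecting malformed records, plus the producer-side fix of encoding each field before joining. The sample feed is constructed and the four field names are assumptions.

```python
from urllib.parse import parse_qs, quote, unquote

# Separators in the feed quoted in the thread: after URL-decoding, %7C is "|"
# between fields and %5E is "^" between records.
FIELD_SEP, RECORD_SEP = "|", "^"
FIELDS = ("first", "last", "city", "state")  # assumed field meanings

# Constructed sample in that shape; the third surname deliberately contains "^".
SAMPLE_FEED = (
    "today_online_sum=1625233.11&today_online_count=19200"
    "&recent_donors=Christopher%7CPeppas%7CRiverside%7CCA"
    "%5EKyle%7CBrown%7CSanta+Cruz%7CCA"
    "%5EMary%7CO%5EBrien%7CSeattle%7CWA"
    "&time=1197868962"
)

def feed_params(nvp: str) -> dict:
    """URL-decode the name=value&... body into a plain dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(nvp, keep_blank_values=True).items()}

def naive_donors(recent: str) -> list:
    """A parser that trusts the delimiters: split on ^, then on |."""
    return [rec.split(FIELD_SEP) for rec in recent.split(RECORD_SEP)]

def strict_donors(recent: str) -> tuple:
    """Same split, but only a record with exactly four fields is accepted;
    the rest are reported instead of being drawn by the widget."""
    good, bad = [], []
    for rec in recent.split(RECORD_SEP):
        parts = rec.split(FIELD_SEP)
        if len(parts) == len(FIELDS):
            good.append(dict(zip(FIELDS, parts)))
        else:
            bad.append(rec)
    return good, bad

def encode_donors(donors: list) -> str:
    """Producer-side fix: percent-encode every field before joining, so a
    literal | or ^ inside a name can never be read as a separator."""
    return RECORD_SEP.join(
        FIELD_SEP.join(quote(d[f], safe="") for f in FIELDS) for d in donors)

def decode_donors(recent: str) -> list:
    """Consumer side of the fix: split first, then unquote each field."""
    return [dict(zip(FIELDS, (unquote(p) for p in rec.split(FIELD_SEP))))
            for rec in recent.split(RECORD_SEP)]

def recent_donors_param(donors: list) -> str:
    """The value as it travels in the feed: field encoding, then the NVP layer's."""
    return "recent_donors=" + quote(encode_donors(donors), safe="")
```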
 
Even if there was a successful SQL injection attack, which I doubt, I'm sure the database is encrypted so any data gained would be worthless.

Your credit card info is safe : )
 