Mailing List Archive

Latest round of web hacking incidents for 2007 & Project news
The last month was very active in the web application security field and at
the Web Hacking Incidents Database Project we have collected numerous new
incidents, listed below. It is very evident that both the rate of incidents
as well as the amount of information about each one is on the rise.

We have also started adding more classifications to each incident. In
addition to the attack method we now track for each incident its geography,
the outcome of the attack and the industry sector it occurred at. We are
going to use this information in our first annual Web Incidents summary
report to be issued in early January.

So if you know of a web hacking incident that you feel should be in the
database and is not (or you could not find it), send me an e-mail at ofer at
shezaf.com, so it will be there in time for the annual report.

For more information and complete details of each incident refer to the Web
Hacking Incidents Database at http://www.webappsec.org/projects/whid.

Ofer Shezaf
Work: offer at breach.com, +972-9-9560036 #212
Personal: ofer at shezaf.com, +972-54-4431119

VP Security Research, Breach Security
Chair, OWASP Israel
Leader, ModSecurity Core Rule Set Project
Leader, WASC Web Hacking Incidents Database Project


WHID 2007-71: Hacker uses Social Security numbers from Ohio court site
======================================================================
Reported: 22 December 2007, Occurred: 22 December 2007

Classifications:

* Attack Method: Credential/Session Prediction
* Country: USA
* Outcome: Identity Theft
* Vertical: Government

The Secret Service has arrested at least 6 people in an investigation that
involves information theft at an Ohio court web site, which is actively used
for identity theft. At least one known identity theft case resulted in
$40,000 loss to the victim.


WHID 2007-70: Tucson, Arizona police web site defaced using SQL injection
=========================================================================
Reported: 20 December 2007, Occurred: 20 December 2007

Classifications:

* Attack Method: SQL Injection
* Country: USA
* Outcome: Defacement
* Vertical: Government

The Indonesian hacker Hmei7 has left the message "Hmei7 has touched your
soul" on the Web site of the police department in Tucson, Arizona. Only
unlike regular defacement, this time it is not the front page but rather the
news section that was modified.


WHID 2007-63: Credit card data theft at Kartenhaus, a Ticketmaster German
subsidiary
=========================================================================
Reported: 19 December 2007, Occurred: 30 September 2007

Classifications:

* Attack Method: Unknown
* Country: Germany
* Outcome: Leakage of Information
* Vertical: e-commerce

An unidentified group had stolen credit card numbers and billing addresses
of the Hamburg, Germany ticket sales office Kartenhaus, a subsidiary of
Ticketmaster. Some 66,000 customers who purchased tickets with a credit card
from the Kartenhaus.de web site between October 24, 2006 and September 30,
2007 were affected.


WHID 2007-60: The blog of a Cambridge University security team hacked
=====================================================================
Reported: 19 December 2007, Occurred: 27 October 2007

Classifications:

* Attack Method: Known Vulnerability
* Attack Method: Insufficient Authentication
* Attack Method: SQL Injection
* Country: UK
* Outcome: Downtime
* Software: WordPress
* Vertical: Education

I am sure that the guys at Light Blue Touchpaper have the expertise to
protect their WordPress installation, but they don't have the time. They
made the compromise between ease of management of their web site and its
security.
Apart from, or actually because of the fact that the victims are security
experts, this story is noteworthy due to two additional twists in the plot:

* Zero day exploit in the wild - the attacker penetrated twice, once
using a known SQL injection vulnerability, but the second time using a yet
unknown vulnerability in WordPress, which was reverse engineered and
published for the first time by the people at Light Blue Touchpaper.
* The researchers found that they can use Google to retrieve the hashed
password of the hacker. Google has become so big that it actually allows
efficient encrypted password lookup.


WHID 2007-62: A security flaw in Passport Canada's website
==========================================================
Reported: 19 December 2007, Occurred: 01 December 2007

Classifications:

* Attack Method: Credential/Session Prediction
* Country: Canada
* Outcome: Disclosure Only
* Vertical: Government

The Web site of the Canadian passports authority enables users to access
others' records by modifying the value of a parameter in the URI.


WHID 2007-64: Information about Duke's Students and Applicants Stolen
=====================================================================
Reported: 19 December 2007, Occurred: 01 December 2007

Classifications:

* Attack Method: Unknown
* Country: USA
* Outcome: Leakage of Information
* Vertical: Education

The personal data of nearly 1,400 prospective Duke Law School students may
have been stolen by a hacker from two separate databases, one including the
prospective students' data and another filled with requests for information
about the school.


WHID 2007-65: Facebook suing a porn site over automated access
==============================================================
Reported: 19 December 2007, Occurred: 28 June 2007

Classifications:

* Attack Method: Insufficient Anti-automation
* Country: USA
* Country: Canada
* Vertical: Information Services

Use of robots and automated software against a web site, as long as it is
not done in order to break into the site, falls into a grey area. While hard
to classify as an unlawful act, it is usually harmful to the site owner and
possibly to the site users. Apart from using valuable resources, such an
automated access may breach the site's usage license of public information
and might also indicate unlawful activity such as using a botnet. Many times
it is hard to know if such a blast of requests is a denial of service
attack, brute force password cracking or just a search engine crawler.

Going forward we are going to add such incidents to WHID if there is a
reason to believe that they are not friendly, even if the actual goal of the
attack cannot be easily classified. The Facebook case at hand is a perfect
example: while the details are not clear, the fact that Facebook filed a
lawsuit implies that there is fire behind the smoke.


WHID 2007-66: Hacker Conquers French Embassy In Libya Web Site
==============================================================
Reported: 19 December 2007, Occurred: 14 December 2007

Classifications:

* Attack Method: Unknown
* Country: France
* Country: Libya
* Outcome: Planting of Malware
* Vertical: Government

To iframe or not to iframe, this is the question. As malware becomes more
popular, the number of incidents, mostly insignificant, in which malware was
planted on a hacked site is rising and WHID is not the right place to list
all of them. We currently report such incidents if the hacked site is of
interest or if the attack method is known.


WHID 2007-67: The Day My Web Site Was Hacked
============================================
Reported: 19 December 2007, Occurred: 17 December 2007

Classifications:

* Attack Method: Known Vulnerability
* Country: UK
* Outcome: Link Spam
* Software: WordPress
* Vertical: Information Services

In an incident very similar to the Al Gore Hack, the personal blog of IT
journalist Tim Anderson was also hacked. Unlike Mr. Gore, Tim discusses the
breach and its origins.


WHID 2007-69: The Orkut XSS Worm
================================
Reported: 19 December 2007, Occurred: 19 December 2007

Classifications:

* Attack Method: Cross Site Scripting (XSS)
* Country: USA
* Outcome: Worm
* Vertical: Information Services

A vulnerability in the social networking site Orkut that allowed users to
inject HTML and JavaScript into their profiles set the stage for a
persistent XSS worm that appears to have affected more than 650,000 Orkut
users.


WHID 2007-61: Another inconvenient truth: Al Gore's Web site hacked
===================================================================
Reported: 19 December 2007, Occurred: 26 November 2007

Classifications:

* Attack Method: Known Vulnerability
* Country: USA
* Outcome: Link Spam
* Software: WordPress
* Vertical: Government

Whether comment spam by itself is an application failure or a necessary evil
for sites allowing rich comments is an open question. However, it is reported
that in this case a vulnerability in WordPress allowed the spammers to
actually penetrate the site and modify pages and not just abuse comments.
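
The Passport Canada entry above is the classic case of a record looked up by a URI parameter with no check that the requester owns it. The following Python is an added example written for this page, not code from the WHID project or from the site in question; the record store, user names, URI shape and access-log lines are all constructed. It shows the vulnerable handler beside the fixed one, and a log check that flags a session walking through record ids, which is the pattern a site owner could watch for even before the handler is fixed.

```python
"""Record-by-id lookup with and without an ownership check (constructed example)."""
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed records: an application keyed by its numeric id, with the
# account that submitted it.
RECORDS = {
    1001: {"owner": "alice", "name": "Alice Example", "status": "in review"},
    1002: {"owner": "bob", "name": "Bob Example", "status": "issued"},
    1003: {"owner": "carol", "name": "Carol Example", "status": "in review"},
}


def record_id_from_uri(uri):
    """Pull the integer id out of a URI such as /application/status?id=1002.
    Returns None when the parameter is missing or not a number."""
    qs = parse_qs(urlparse(uri).query)
    try:
        return int(qs.get("id", [""])[0])
    except ValueError:
        return None


def handle_vulnerable(uri, session_user):
    """Trusts the id in the URI: any logged-in user can read any record.
    session_user is never consulted, which is the whole bug."""
    rec = RECORDS.get(record_id_from_uri(uri))
    if rec is None:
        return 404, "no such record"
    return 200, f"{rec['name']}: {rec['status']}"


def handle_fixed(uri, session_user):
    """Looks the record up, then checks ownership against the server-side
    session identity before returning anything. Not-found and not-owned give
    the same response so the id space cannot be probed for valid ids."""
    rec = RECORDS.get(record_id_from_uri(uri))
    if rec is None or rec["owner"] != session_user:
        return 404, "no such record"
    return 200, f"{rec['name']}: {rec['status']}"


# Constructed access-log lines: session id, method, request URI.
ACCESS_LOG = """\
sess-a1 GET /application/status?id=1001
sess-a1 GET /application/status?id=1001
sess-b7 GET /application/status?id=1002
sess-b7 GET /application/status?id=1003
sess-b7 GET /application/status?id=1004
sess-b7 GET /application/status?id=1005
"""


def enumeration_suspects(log_text, max_distinct_ids=2):
    """Sessions that requested more distinct record ids than a genuine
    applicant has any reason to: a cheap detection for parameter tampering."""
    ids_by_session = defaultdict(set)
    for line in log_text.splitlines():
        session, _method, uri = line.split()
        rid = record_id_from_uri(uri)
        if rid is not None:
            ids_by_session[session].add(rid)
    return sorted(s for s, ids in ids_by_session.items()
                  if len(ids) > max_distinct_ids)


if __name__ == "__main__":
    # alice asks for bob's record by editing the id in the URI
    print("vulnerable:", handle_vulnerable("/application/status?id=1002", "alice"))
    print("fixed:     ", handle_fixed("/application/status?id=1002", "alice"))
    print("own record:", handle_fixed("/application/status?id=1001", "alice"))
    print("suspects:  ", enumeration_suspects(ACCESS_LOG))
```

The threshold in `enumeration_suspects` is deliberately low for the sample data; on a real site it would be set from what legitimate sessions do, and the ids requested by a flagged session would be compared against the records that session actually owns.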

RE: Latest round of web hacking incidents for 2007 & Project news
>>The researchers found that they can use Google to retrieve the hashed password of the hacker. Google has become so big that it actually allows efficient encrypted passwords lookup.

Could you please be more specific? Do you mean, Google had crawled an entire MySQL DB and had access to the contents of the password field in encrypted form? Or had the contents of a /etc/shadow file? Or has a huge rainbow table repo. to compare hashes against? Or... ?


Sincerely,
Aras "Russ" Memisyazici
IT Specialist II
Virginia Tech -- OIS


-----Original Message-----
From: "Ofer Shezaf" <ofers@Breach.com>
To: "Bugtraq" <bugtraq@securityfocus.com>
Sent: 12/27/07 11:01 AM
Subject: Latest round of web hacking incidents for 2007 & Project news


RE: Latest round of web hacking incidents for 2007 & Project news
I think that you can find the information at the incident references at http://www.webappsec.org/projects/whid/byid_id_2007-60.shtml.

----Original Message----
From: Memisyazici, Aras [mailto:arasm@vt.edu]
Sent: Sunday, December 30, 2007 2:13 PM
To: Ofer Shezaf; bugtraq@securityfocus.com
Subject: RE: Latest round of web hacking incidents for 2007 & Project news

>>The researchers found that they can use Google to retrieve the hashed password of the hacker. Google has become so big that it actually allows efficient encrypted passwords lookup.

Could you please be more specific? Do you mean, Google had crawled an entire MySQL DB and had access to the contents of the password field in encrypted form? Or had the contents of a /etc/shadow file? Or has a huge rainbow table repo. to compare hashes against? Or... ?


Re: Latest round of web hacking incidents for 2007 & Project news
On Sun, Dec 30, 2007 at 07:13:24AM -0500, Memisyazici, Aras wrote:
> >>The researchers found that they can use Google to retrieve the hashed password of the hacker. Google has become so big that it actually allows efficient encrypted passwords lookup.
>
> Could you please be more specific? Do you mean, Google had crawled an entire MySQL DB and had access to the contents of the password field in encrypted form? Or had the contents of a /etc/shadow file? Or has a huge rainbow table repo. to compare hashes against? Or... ?

I think this is the original report
http://www.lightbluetouchpaper.org/2007/11/16/google-as-a-password-cracker/
which Bruce Schneier highlighted
http://www.schneier.com/blog/archives/2007/11/using_google_to.html

The basic idea: somebody had a hash, 20f1aeb7819d7858684c898d1e98c1bb, and
searched for that hash on Google, and discovered it was a hash for the
string "Anthony".

It's a cute trick, but not very meaningful for databases of salted hashes,
and probably not very important for passwords that cracklib, the standard
Windows "strong password" rules, etc. would accept.

-Peter
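
Peter's point, that an unsalted hash can be looked up because the same password always yields the same digest on every site that stores it that way, while a salted hash cannot, as an added example that is not taken from any of the posts or from the Light Blue Touchpaper article. The digest 20f1aeb7819d7858684c898d1e98c1bb is the one quoted above; the wordlist standing in for the pages a search engine has indexed, the user records and the salted scheme are constructed for the example.

```python
"""Why an indexed, unsalted MD5 digest gives up its password and a salted one does not."""
import hashlib
import hmac
import os

# The digest quoted in Peter's reply.
INDEXED_DIGEST = "20f1aeb7819d7858684c898d1e98c1bb"

# Constructed wordlist: stands in for every web page on which someone has
# published md5(word) next to word, which is what the search engine ends up
# having indexed.
WORDLIST = ["Anthony", "password", "letmein", "wordpress", "Cambridge"]


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_index(words):
    """digest -> plaintext: the lookup table a web search for a hash amounts to."""
    return {md5_hex(w): w for w in words}


INDEX = build_index(WORDLIST)


def lookup(digest):
    """'Search the web' for a digest; None means nothing indexed matches."""
    return INDEX.get(digest.lower())


def unsalted_hash(password):
    """Plain MD5 of the password, the storage form the looked-up hash had.
    Every site storing the same password this way stores the same digest,
    so one published copy resolves all of them."""
    return md5_hex(password)


def salted_hash(password, salt):
    """Per-record random salt mixed into the hash (a constructed scheme for
    the example; a real system would use a slow password hash such as bcrypt,
    scrypt or Argon2). The digest is unique to this record, so a table built
    from digests published elsewhere cannot match it."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def new_salted_record(password):
    """Store a password: fresh 16-byte salt plus the salted digest."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_salted(password, salt, stored):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


if __name__ == "__main__":
    print("indexed digest resolves to:", lookup(INDEXED_DIGEST))
    print("same password, unsalted, on another site:", lookup(unsalted_hash("Anthony")))
    salt, stored = new_salted_record("Anthony")
    print("same password, salted, lookup finds:", lookup(stored))
    print("salted record still verifies:", verify_salted("Anthony", salt, stored))
    # A password no wordlist contains is not found even unsalted, which is
    # Peter's second point about strong-password rules.
    print("strong password, unsalted:", lookup(unsalted_hash("correct-horse-7Qz!")))
```

The index here is tiny, but the mechanism is the same at web scale: the lookup costs nothing because the work of hashing the candidate words was done once by whoever published them. Salting moves that work back onto the attacker for every record, and a slow hash makes each unit of that work expensive.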

Re: Latest round of web hacking incidents for 2007 & Project news
We can tell Google what to crawl and what not to. If people don't tell
Google not to crawl then it will be crawled. We can't blame Google for
that.

On 12/30/07, Memisyazici, Aras <arasm@vt.edu> wrote:
> >>The researchers found that they can use Google to retrieve the hashed password of the hacker. Google has become so big that it actually allows efficient encrypted passwords lookup.
>
> Could you please be more specific? Do you mean, Google had crawled an entire MySQL DB and had access to the contents of the password field in encrypted form? Or had the contents of a /etc/shadow file? Or has a huge rainbow table repo. to compare hashes against? Or... ?
>
>
> Sincerely,
> Aras "Russ" Memisyazici
> IT Specialist II
> Virginia Tech -- OIS
>
>
> -----Original Message-----
> From: "Ofer Shezaf" <ofers@Breach.com>
> To: "Bugtraq" <bugtraq@securityfocus.com>
> Sent: 12/27/07 11:01 AM
> Subject: Latest round of web hacking incidents for 2007 & Project news
>
>
> The last month was very active in the web application security field and at
> the Web Hacking Incidents Database Project we have collected numerous new
> incidents, listed below. It is very evident that both the rate of incidents
> as well the amount of information about each one is on the rise.
>
> We have also started adding more classifications to each incident. In
> addition to the attack method we now track for each incident its geography,
> the outcome of the attack and the industry sector it occured at. We are
> going to use this information in the our first annual Web Incidents summary
> report to be issued in early January.
>
> So if you know of a web hacking incident that you feel should be in the
> database and is not (or you could not find it), send me an e-mail at ofer at
> shezaf.com, so it will be there in time for the annual report.
>
> For more information and complete details of each incident refer to the Web
> Hacking Incidents Database at http://www.webappsec.org/projects/whid.
>
> Ofer Shezaf
> Work: offer at breach.com, +972-9-9560036 #212
> Personal: ofer at shezaf.com, +972-54-4431119
>
> VP Security Research, Breach Security
> Chair, OWASP Israel
> Leader, ModSecurity Core Rule Set Project
> Leader, WASC Web Hacking Incidents Database Project
>
>
> WHID 2007-71: Hacker uses Social Security numbers from Ohio court site
> ======================================================================
> Reported: 22 December 2007, Occurred: 22 December 2007
>
> Classifications:
>
> * Attack Method: Credential/Session Prediction
> * Country: USA
> * Outcome: Identity Theft
> * Vertical: Government
>
> The Secret Service has arrested at least 6 people in an investigation that
> involves information theft at an Ohio court web site, which is actively used
> for identity theft. At least one known identity theft case resulted in
> $40,000 loss to the victim.
>
>
> WHID 2007-70: Tucson, Arizona police web site defaced using SQL injection
> =========================================================================
> Reported: 20 December 2007, Occurred: 20 December 2007
>
> Classifications:
>
> * Attack Method: SQL Injection
> * Country: USA
> * Outcome: Defacement
> * Vertical: Government
>
> The Indonesian hacker Hmei7 has left the message "Hmei7 has touched your
> soul" on the Web site of the police department in Tucson, Arizona. Only,
> unlike a regular defacement, this time it is not the front page but rather
> the news section that was modified.
>
>
> WHID 2007-63: Credit card data theft at Kartenhaus, a Ticketmaster German
> subsidiary
> =========================================================================
> Reported: 19 December 2007, Occurred: 30 September 2007
>
> Classifications:
>
> * Attack Method: Unknown
> * Country: Germany
> * Outcome: Leakage of Information
> * Vertical: e-commerce
>
> An unidentified group had stolen credit card numbers and billing addresses
> of the Hamburg, Germany ticket sales office Kartenhaus, a subsidiary of
> Ticketmaster. Some 66,000 customers who purchased tickets with a credit card
> from the Kartenhaus.de web site between October 24, 2006 and September 30,
> 2007 were affected.
>
>
> WHID 2007-60: The blog of a Cambridge University security team hacked
> =====================================================================
> Reported: 19 December 2007, Occurred: 27 October 2007
>
> Classifications:
>
> * Attack Method: Known Vulnerability
> * Attack Method: Insufficient Authentication
> * Attack Method: SQL Injection
> * Country: UK
> * Outcome: Downtime
> * Software: WordPress
> * Vertical: Education
>
> I am sure that the guys at Light Blue Touchpaper have the expertise to
> protect their WordPress installation, but they don't have the time. They
> made the compromise between ease of management of their web site and its
> security.
> Apart from, or actually because of the fact that the victims are security
> experts, this story is noteworthy due to two additional twists in the plot:
>
> * Zero day exploit in the wild - the attacker penetrated twice, once
> using a known SQL injection vulnerability, but the second time using a yet
> unknown vulnerability in WordPress, which was reverse engineered and
> published for the first time by the people at Light Blue Touchpaper.
> * The researchers found that they can use Google to retrieve the hashed
> password of the hacker. Google has become so big that it actually allows
> efficient encrypted passwords lookup.
>
>
> WHID 2007-62: A security flaw in Passport Canada's website
> ==========================================================
> Reported: 19 December 2007, Occurred: 01 December 2007
>
> Classifications:
>
> * Attack Method: Credential/Session Prediction
> * Country: Canada
> * Outcome: Disclosure Only
> * Vertical: Government
>
> The Web site of the Canadian passports authority enables users to access
> others' records by modifying the value of a parameter in the URI.
>
>
> WHID 2007-64: Information about Duke's Students and Applicants Stolen
> =====================================================================
> Reported: 19 December 2007, Occurred: 01 December 2007
>
> Classifications:
>
> * Attack Method: Unknown
> * Country: USA
> * Outcome: Leakage of Information
> * Vertical: Education
>
> The personal data of nearly 1,400 prospective Duke Law School students may
> have been stolen by a hacker from two separate databases, one including the
> prospective students' data and another filled with requests for information
> about the school.
>
>
> WHID 2007-65: Facebook suing a porn site over automated access
> ==============================================================
> Reported: 19 December 2007, Occurred: 28 June 2007
>
> Classifications:
>
> * Attack Method: Insufficient Anti-automation
> * Country: USA
> * Country: Canada
> * Vertical: Information Services
>
> Use of robots and automated software against a web site, as long as it is
> not done in order to break into the site, falls into a grey area. While hard
> to classify as an unlawful act, it is usually harmful to the site owner and
> possibly to the site users. Apart from using valuable resources, such an
> automated access may breach the site's usage license of public information
> and might also indicate unlawful activity such as using a botnet. Many times
> it is hard to know if such a blast of requests is a denial of service
> attack, brute force password cracking or just a search engine crawler.
>
> Going forward we are going to add such incidents to WHID if there is a
> reason to believe that they are not friendly, even if the actual goal of the
> attack cannot be easily classified. The Facebook case at hand is a perfect
> example: while the details are not clear, the fact that Facebook filed a
> lawsuit implies that there is fire behind the smoke.
>
>
> WHID 2007-66: Hacker Conquers French Embassy In Libya Web Site
> ==============================================================
> Reported: 19 December 2007, Occurred: 14 December 2007
>
> Classifications:
>
> * Attack Method: Unknown
> * Country: France
> * Country: Libya
> * Outcome: Planting of Malware
> * Vertical: Government
>
> To iframe or not to iframe, this is the question. As malware becomes more
> popular, the number of incidents, mostly insignificant, in which malware was
> planted on a hacked site is rising and WHID is not the right place to list
> all of them. We currently report such incidents if the hacked site is of
> interest or if the attack method is known.
>
>
> WHID 2007-67: The Day My Web Site Was Hacked
> ============================================
> Reported: 19 December 2007, Occurred: 17 December 2007
>
> Classifications:
>
> * Attack Method: Known Vulnerability
> * Country: UK
> * Outcome: Link Spam
> * Software: WordPress
> * Vertical: Information Services
>
> In an incident very similar to the Al Gore Hack, the personal blog of IT
> journalist Tim Anderson was also hacked. Unlike Mr. Gore, Tim discusses the
> breach and its origins.
>
>
> WHID 2007-69: The Orkut XSS Worm
> ================================
> Reported: 19 December 2007, Occurred: 19 December 2007
>
> Classifications:
>
> * Attack Method: Cross Site Scripting (XSS)
> * Country: USA
> * Outcome: Worm
> * Vertical: Information Services
>
> A vulnerability in the social networking site Orkut that allowed users to
> inject HTML and JavaScript into their profiles set the stage for a
> persistent XSS worm that appears to have affected more than 650,000 Orkut
> users.
>
>
> WHID 2007-61: Another inconvenient truth: Al Gore's Web site hacked
> ===================================================================
> Reported: 19 December 2007, Occurred: 26 November 2007
>
> Classifications:
>
> * Attack Method: Known Vulnerability
> * Country: USA
> * Outcome: Link Spam
> * Software: WordPress
> * Vertical: Government
>
> Whether comment spam by itself is an application failure or a necessary evil
> for sites allowing rich comments is an open question. However, it is reported
> that in this case a vulnerability in WordPress allowed the spammers to
> actually penetrate the site and modify pages, not just abuse comments.
>