Ever signed up to a jobs web site in the expectation of landing that dream job and then being contacted by the site to say that all your personal information including, job applications, CV’s and covering letters have fallen into the hands of a malicious user? If so, then you must be one of Guardian Job’s half a million users who received that very email just a few weeks ago. The Guardian Jobs website uses a third party (Madgex) to store their job seekers data. Apparently the website was compromised due to a ‘sophisticated’ and targeted attack (SQL Injection suspected) on the 23rd of October. We would love to talk about the nitty gritty of how this attack happened however according to the Guardian “The police remain anxious to keep information about the apparent theft to a minimum”. I speculate (which one should never do) that simple input sanitation could have avoided it, yet again.

Jon Hickman a user of the Guardian Jobs website says: “I was surprised that this incident has passed with so little comment. Guardian Jobs must have many thousands of members, and this security breach could be effecting them all in a very real way, yet I haven't seen much in the way of a backlash.”

PayChoice, one of America’s largest payroll organizations with 125,000 business customers relying on their payroll services, were the victim of two separate SQL injection attacks in a short period of time. PayChoice have subsequently shut down their online portal all together because of the attacks. The SQL injection vulnerability itself was in the password reset function on one of their login pages. It is quite common for developers to go all out in securing their main login functionality and forgetting all about the “forgot/change password” functionality.


If we take look at the following example:

SELECT ALL

FROM users

WHERE email = '1' OR name LIKE '%John%';

The above SQL injection attack acts like a mini search engine, looking for a user in the database with the name field LIKE ‘John’. If the above SQL injection attack was used in a change password function on a login page and the database contained a user called John the website would output a successful message, something along the lines of “Your password has been sent to john@john.com” giving us a valid user and their email address to carry out further injections or other attacks.

SQL injection has been a big headache to many organizations throughout 2009, and will likely still be a headache for the foreseeable future. The countermeasures are out there, use them!