Bugtraq mailing list archives
New Web Hacking Incidents at WHID
From: Ofer Shezaf <ofers () Breach com>
Date: Mon, 7 Jan 2008 16:09:39 +0200
Gearing towards the WHID 2007 annual report, I came across many new interesting web hacking incidents that I missed this year and added them to the database (more details at the WHID site at http://www.webappsec.org/projects/whid).

So what's new at WHID this week?

+ A lot of problems for web hosting companies: In one of them a subsidiary of British Telecom suffered a major intrusion where someone stole all its clients' e-mails, used them for spam and planted malware on their sites. All due to a programming mistake of one of their programmers:
  WHID 2007-75: PlusNet blames itself for webmail spamfest (http://www.webappsec.org/projects/whid/byid_id_2007-75.shtml).
  Other hosting incidents:
  WHID 2007-74: Web host breach may have exposed passwords for 6,000 clients
  WHID 2007-77: HostGator: cPanel Security Hole Exploited in Mass Hack
  WHID 2007-76: A large web hosting firm inflicted by mass malware installation

+ The first CSRF entry in WHID, and a really bad one: CSRF in g-mail cost someone his very successful domain, stolen by a blackmailer:
  WHID 2007-72: Gmail CSRF exploited to hijack a domain (http://www.webappsec.org/projects/whid/byid_id_2007-72.shtml)

+ Our first story from Brazil. It is not new, but the exposure to the project led someone from Brazil to send it to me. It shows how many stories we do not discover due to the language barrier:
  WHID 2007-78: A Brazilian banking site allows users to view receipts intended for others (http://www.webappsec.org/projects/whid/byid_id_2007-78.shtml)

+ Among the newly defaced: MSNBC in Turkey (WHID 2007-81) & Vodafone in India (WHID 2007-80).

If you have more stories - e-mail me!

~ Ofer

Ofer Shezaf
Work: ofers () breach com, +972-9-9560036 #212
Personal: ofer () shezaf com, +972-54-4431119
VP Security Research, Breach Security
Chair, OWASP Israel
Leader, ModSecurity Core Rule Set Project
Leader, WASC Web Hacking Incidents Database Project