Font Sharing Site DaFont Has Been Hacked, Exposing Thousands of Accounts (zdnet.com) 17
A popular font sharing site DaFont.com has been hacked, resulting in usernames, email addresses, and hashed passwords of 699,464 user accounts being stolen. ZDNet reports: The passwords were scrambled with the deprecated MD5 algorithm, which nowadays is easy to crack. As such, the hacker unscrambled over 98 percent of the passwords into plain text. The site's main database also contains the site's forum data, including private messages, among other site information. At the time of writing, there were over half-a-million posts on the site's forums. The hacker told ZDNet that he carried out his attack after he saw that others had also purportedly stolen the site's database. "I heard the database was getting traded around so I decided to dump it myself -- like I always do," the hacker told me. Asked about his motivations, he said it was "mainly just for the challenge [and] training my pentest skills." He told me that he exploited a union-based SQL injection vulnerability in the site's software, a flaw he said was "easy to find." The hacker provided the database to ZDNet for verification.
DuFuck? (Score:3)
I'm not an expert in web site security, but I thought SQL injection had ben delt with, with minimal input validation and prepared statements? I guess if they are still using MD5 hashes, the code is probably pretty old.
Other than that, I love DuFont, that's where I get all my fonts, though I never saw a need to get an account...
Re: (Score:3)
This is just another example of why you should deprecate APIs with known security design flaws quickly and remove them just as quickly. PHP's MySQL API should have been deprecated when mysqli and PDO came onto the scene in PHP 5.0 (2004) and removed entirely within a couple of years after that. Instead, they didn't deprecate it until PHP 5.5 (2013) and didn't remove it until PHP 7 (2015). IMO, that was about a decade too late, and by the time they finally got around to it, thousands of websites developed
Re: (Score:1)
The thing is, when you do that (remove deprecated API's), people will default to a worse scenario: not updating PHP at all.
A lot of websites have been built spending big money, there's a business or educative usage scenario but zero maintenance, and 99% of the leaks are probably never found or abused because no-one bothered since there is no or little direct monetary gain.
So apart the casual worms, even vulnerable websites are relative safe simply because no-one bothers, hackers will go with higher profile
Re: (Score:3)
That's actually not what happens in practice. Statistically, it isn't the one-off apps that get hacked. Instead, hackers tend to mostly go after mass-deployment apps (phpBB, WordPress, etc., because they yield the most bang for the buck. After all, why steal passwords on one site when you can steal passwords on 100,000 sites just as easily?
The problem with mass-deployment apps is tha
Re: (Score:1)
Its all graphic designers. 95.78% of the passwords where permutations of "Justin Bieber"
Re: (Score:2)
Many popular prepared statement frameworks still don't support array-valued parameters, such as that for the right side of operator IN.
Comic sans (Score:5, Funny)
I was prosecuted for pirating Comic Sans and bigamy.
The judge let me off with a warning. He said I'd already suffered enough.
Re: (Score:2)
This particular guy didn't do anything particular onerous though. He didn't (as far as we know) sell or use the data. Not to mention, he wasn't the first person to lift the DB.
But really, in this legal climate going to the site in question is almost a sure way to get sued. At least with the journalistic route, the company can be notified of the breach, while the 'hacker' has at least some hope of not being fucked over by the legal system.
So it's a win-win for everyone involved.
I hate signing up (Score:2)
This is one of many reasons I hate signing up for accounts at these kinds of sites. I just want to view the materials on the site, maybe download something, and then get out. Not register and deal with accounts and passwords and crap forever.