How was GMA’s website hacked?

Posted on May 30th, 2011. Written by Rico.

Yesterday early morning, the news organization GMANews Online found its online properties compromised by someone calling himself “d4rkb1t”. Based on an email we received from the anonymous hacker, here’s how we think he did it.

The email from d4rkb1t

d4rkbit has claimed that he was responsible only for hacking GMANews.tv so that it would redirect to google.com and posting the login information for the news site’s Twitter account. The hacker only wanted to call attention to GMANews Online’s lack of security, which is why he timed his attack during early Sunday morning.

He said that other people may have used the login he shared to publish offensive updates on @GMANewsOnline and figure out how to gain control of the company’s Facebook page.

The hacker apparently discovered the Twitter login info after taking over GMANews.tv. We sent an email asking how he compromised the site. Here was his reply:

I cannot disclose such information because it has not been patched by GMANEWS yet.
I might as soon as they will “know” where I got in, and is able to fix it.

But for common knowledge, A blind SQL Injection was used to exploit a non sanitized code with-in the GMANEWS framework.

~d4rkb1t#PhilKer

A common attack with a common defense

If the explanation below sounds like an oversimplification, it is. A more detailed description of how a blind SQL Injection works is understandable only by those with the necessary technical knowledge.

What’s important to consider is that blind SQL injections are so well-known, good web developers and IT managers know how to combat them. It’s a simple matter of building websites that automatically reject anything that looks like SQL code as a username or password. The point d4rkb1t tried to make: Why wasn’t GMANews Online built to defeat such a common attack?

According to d4rkb1t, he found more crucial information after he faked his way into gmanews.tv’s management tools: the login for the @GMANewsOnline Twitter account, and the information needed to access gmanews.tv’s underlying structure—making the redirect to google.com possible. ”Learn to secure your sites, user accounts and passwords with personal information are being stored there..” said the hacker in a message posted on the news organization’s Facebook page.

What’s a blind SQL injection?

A blind SQL injection takes advantage of a site’s features meant for its users. It can exploit a flaw available through the text boxes used to leave comments for an article, the username and password fields that users type on to login, the text box used for searching throughout a site, and even the way a site’s address is typed into the web browser.

Many websites such as GMANews.tv rely on database software called SQL (structured query language). An SQL database stores all of the information necessary for the site’s operation. The GMANews Online’s website database most likely contains the actual content of the news articles, and the login info for people who manage or contribute to the site.

Readers who visit a particular page on GMANews.tv are actually telling the website to access its own database, look for the article specified, and load it on the visitor’s web browser. When GMANews Online employees login, the website compares the username and password they’ve typed in to what’s stored on the database. Matching logins are allowed access the site’s management tools, based on the permissions assigned.

Instead of entering a username or password in a site’s login page however, a hacker can simply type in some SQL code to trick the website into thinking that the hacker is logging in as a legitimate user or even the admin—the user account with the highest level of permission. This is what we think d4rkb1t did. He inserted, or injected SQL code to hijack the login info comparison process.

An example

Suppose GMANews.tv uses the following instructions to manage user logins:

• Get the username
• Get the password
• Look for the username within the database
• If the username is found, compare the password with what’s stored in the database
• If the password matches, allow the login

Say I’m a normal user with the username “Rico” and password “TechnographRocks!”:

• Get the username = “Rico”
• Get the password = “TechnographRocks!”
• Look for “Rico” within the database
• If “Rico” is found, compare “TechnographRocks!” with what’s stored in the database
• If “TechnographRocks!” matches, allow the login

Let’s say instead of typing in a “normal” username and password, the hacker enters SQL code designed to make any comparison succeed. This code is represented as “[Any username you find]” and “[Any password you find]” below.

• Get the username = “[Any username you find]“
• Get the password = “[Any password you find]“
• Look for “[Any username you find]” within the database
• If “[Any username you find]” is found, compare “[Any password you find]” with what’s stored in the database
• If “[Any password you find]” matches, allow the login

Since the SQL code made all comparisons work, the hacker successfully has logged in.