Credential Management Vulnerabilities Exploitation Case Study

December 2, 2020 by Srinivas

Introduction

In the last few articles, we discussed how credentials are used in applications, how credential management can go wrong, and how attacks such as SQL injection and command injection can lead to credential exposure. We demonstrated these concepts with demo applications, but it is important to remember that there have been several real-world breaches that exposed sensitive data such as clear-text passwords and password hashes. In this article, we will discuss some real-world breaches that led to credential exposure.

What are data breaches?

A data breach is a security incident in which information is accessed by unauthorized parties. Data breaches can cause financial and reputational losses for organizations, and in some cases the personal lives of users are affected as well.

Data breaches can occur through a variety of attacks, such as exploitation of system vulnerabilities, weak passwords, malware and drive-by downloads. In the previous article, we saw practical examples of how exploiting system vulnerabilities can lead to sensitive data exposure. Targeted malware attacks and drive-by downloads can have similar effects.

The following are examples of data breaches that exposed weaknesses in how the affected organizations managed credentials in their software.

ClixSense breach

ClixSense is a website that pays users for watching ads and completing surveys. The company became the victim of a massive data breach on 4 September 2016. The breach exposed 6.6 million user records, including account balances, dates of birth, email addresses, genders, IP addresses, names, passwords, payment histories, payment methods, physical addresses, usernames and website activity.

The passwords disclosed after the breach were in clear text, and it was understood that the company had failed to use encryption to protect users' personal information.

The following figure shows the breach details from pastebin, a website used for storing and sharing plain text data.

Business Acumen Magazine breach

The Australian website "Business Acumen Magazine" was breached in April 2014, exposing over 26,000 accounts. The exposed data includes email addresses, names, passwords, usernames and website activity.

The passwords disclosed after the breach were found to be unsalted MD5 hashes.

The following figure shows the breach details from pastebin, a website used for storing and sharing plain text data.

000webhost breach

000webhost is one of the most popular free web hosting sites on the internet. The site suffered a data breach in 2015 that exposed 15 million customer records. The exposed data includes email addresses, IP addresses, names and passwords.

The passwords disclosed after the breach were found to be in clear text, which made it clear that the website had failed to protect customer data at rest.

The following figure shows the breach details from pastebin, a website used for storing and sharing plain text data.

Conclusion

These breaches show that even companies holding large volumes of customer data failed to protect sensitive values such as passwords. Several of them revealed sensitive data stored in clear text or hashed with weak, unsalted algorithms, and it is apparent that any organization can fall victim to a data breach. When a breach happens, the damage can be limited if sensitive data such as personal information, credit card numbers and passwords is appropriately secured in the databases.
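To make concrete why the unsalted MD5 storage seen in the Business Acumen breach and the clear-text storage seen in the other two cases fail to limit damage, the following Python example (added here, not code from the article) contrasts a constructed unsalted-MD5 user table with a salted PBKDF2-HMAC-SHA256 scheme from the standard library. The usernames, passwords and the 600,000 iteration count are constructed choices for this example.

```python
import hashlib
import hmac
import os
from collections import defaultdict


def md5_unsalted(password: str) -> str:
    """The weak scheme from the Business Acumen dump: a bare MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed sample of a leaked user table stored with unsalted MD5 (not real data).
CONSTRUCTED_MD5_TABLE = {
    "alice": md5_unsalted("password1"),
    "bob": md5_unsalted("password1"),
    "carol": md5_unsalted("letmein"),
}


def users_sharing_hashes(table: dict) -> list:
    """Without a salt, users with the same password share the same digest, so one
    precomputed table entry reveals every matching account at once. Returns the
    sorted groups of usernames whose stored digests are identical."""
    by_hash = defaultdict(list)
    for user, digest in table.items():
        by_hash[digest].append(user)
    return sorted(sorted(users) for users in by_hash.values() if len(users) > 1)


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted, slow hashing with PBKDF2-HMAC-SHA256. A fresh 16-byte random salt per
    user means equal passwords no longer share a digest, and the iteration count
    (chosen for this example) makes each guess expensive for an attacker."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    print("accounts sharing an unsalted digest:", users_sharing_hashes(CONSTRUCTED_MD5_TABLE))
    record = hash_password("password1")
    print("salted record differs on each call:", record != hash_password("password1"))
    print("verification of correct password:", verify_password("password1", record))
```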
