July 12, 2012

How The Yahoo Voices Breach Went Down

Yahoo! Voices was breached.  This application is an online publishing application that was developed by Associated Content and later acquired by Yahoo!.   It allows consumers to share information on any topic, such as planning a wedding or details on Tom and Katie’s divorce.   

Sadly, this breach highlights how enterprises continue to neglect basic security practices.  According to the hackers, the breach was enabled by union based SQL injection vulnerability in the application which is a well known attack. To add insult to injury, the passwords were stored in clear text and not hashed (encoded).  One would think the recent LinkedIn breach would have encouraged change, but no.  Rather, this episode will only inspire hackers worldwide.

The file published by the hackers seems to contain some 450K usernames and password of Yahoo! Voices users. Yahoo! The usernames and password seems to be obsolete, but the published file suggests that the hackers gained access to the whole database and were able to view some private data on 450,000 users such as full name, full address, phone number, bio, education, and date of birth.

Here’s some technical details:

  • Another epic password fail: It seems that the app stored the passwords both on encrypted (AES_passwd) and in clear text (clear_passwd) which, of course, makes the encryption useless.
    • ac_www =>> fix_ac_user :::: aes_passwd
    • ac_www =>> fix_ac_user :::: clear_passwd
  • How was it exploited?  According to hacker "Method: Union-based SQL Injection" which is the basic form of SQL injection.  (For more on stopping SQL injection, read here).
  • It's interesting to note that apps use zip code info to gain intelligence on users:
    • ac_www =>> ac_zip_data :::: ZipCode
    • ac_www =>> ac_zip_data :::: HouseholdsPerZipCode
    • ac_www =>> ac_zip_data :::: WhitePopulation
    • ac_www =>> ac_zip_data :::: BlackPopulation
    • ac_www =>> ac_zip_data :::: HispanicPopulation
    • ac_www =>> ac_zip_data :::: PersonsPerHousehold
    • ac_www =>> ac_zip_data :::: AverageHouseValue
    • ac_www =>> ac_zip_data :::: IncomePerHousehold


  • Someone should delete all the TomKat videos and contribute a Yahoo! Voices tutorial on proper password storage methods.  Until that's done, here's an enterprise password security guide everyone should read.
  • This attack highlights the challenges of security with 3rd-party applications.  The attacked application s probably acquired by Yahoo! from a 3rd party, Associated Content. It's very challenging to have an effective SDLC with 3rd parties. Therefore, you need to put them behind WAF.

Authors & Topics:

Share on LinkedIn


Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated, and will not appear until the author has approved them.