Gamespot.com Vulnerable to SQL Injection - 8,000,000 records exposed

It seems that "Unu" over at HackersBlog has exploited a new SQL Injection flaw in Gamespot.com to unveil some 8,000,000 member accounts.

The credentials extracted by Unu included the home address, date of birth, email address, and obfuscated password (hashed/encrypted?), and a few other details - all of which are valuable to enterprising criminals and have a monetary value "on the street".

I'm glad that Gamespot at least did something right by not storing user account passwords in the clear - which is so often the case with many Web application portals. I'm not so pleased that Gamespot hadn't found this particular SQL Injection point within their application during a regular pentest. The flaw appears to have been in http://www.gamespot.com/pages/unions/emblems.php with the "union_id" variable open to tampering. This particular flaw would have been easily discovered by simply running a commercial Web application vulnerability scanning tool.


While it appears that Gamespot have now fixed the problem, it does raise the question of responsibility for leaking personal information in such a manner. We hear of all sorts of corporate requirements around the world that require large registered corporations to publicly disclose any data leakages, and to update their customers of any break-in's. But how does that apply to Web-only portals - especially to large portals such as Gamespot? I haven't seen any acknowledgment by Gamespot to their "customers" about the flaw - and no confirmation that the personal information of their 8,000,000 "customers" is safe from future attacks - nor a rebuttal of how many credentials were actually leaked.

Granted Unu appeared to have (at least partially) done the right thing in informing Gamespot of the flaw and withheld his public notification until it was fixed - but Unu isn't the only hacker out there armed with SQL Injection tools/knowledge, and I'm reasonably sure that this was the only flaw within Gamespots Web portal (given how easy this one would have been to spot using standard off-the-shelf tools). Which raises the question of just how safe is anyone's personal data when entrusted to Web-only providers, and how accountable are they for that information?

I don't have any answers to that question - but plenty of opinions as to what needs to be done. Should the security industry help develop an online code of ethics for entities such as Gamespot and help them become better Internet denizens, or does naming and shaming work best?