Sunday, May 24, 2009

Orange.fr SQL Injection - 245,000 clear text passwords...

OK, so it's getting a little tedious, but the folks over at HackersBlog have uncovered yet another high-profile site vulnerable to SQL Injection. This time it's Orange in France.

Through their Mystery Photo portal (http://laphotomystere.orange.fr/), it appears that user login credentials (including first name, surname, email and password) can be retrieved through some vulnerable parameters - something like 245,000 of them by last count.

Most importantly though, it looks like Orange forgot two of the fundamental security laws in managing online authentication credentials:
  1. NEVER STORE PASSWORDS IN THE CLEAR
  2. NEVER STORE PASSWORDS IN THE CLEAR
That's right, I'm saying it twice because it's that important!

If you're going to store authentication credentials, store a hash of each password rather than the password itself. Better yet, salt your hashes too: a unique random salt per user means that two users with the same password get different hashes and that precomputed (rainbow) tables are useless, making it that much tougher for the bad guys to recover the originals from a dumped table.
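To make the advice concrete, here is an added example (mine, not code from the original post or from Orange) of salted password storage in Python using only the standard library. It goes one step beyond a plain salted hash by using PBKDF2-HMAC-SHA256, a deliberately slow, salted key-derivation function; the iteration count, salt length and the record format `algorithm$iterations$salt$hash` are my own choices for illustration. The `demo()` function uses two constructed users with the same password to show why the salt matters: their unsalted SHA-256 digests collide, their salted records do not.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Tunable parameters (assumptions for this example, not values from the post).
# PBKDF2 iterations should be raised over time as hardware gets faster.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing storage record: algo$iterations$salt_hex$hash_hex.

    A fresh random salt is drawn per call, so the same password never yields
    the same record twice.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # unique per user, stored alongside the hash
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation from the stored salt/iterations and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False                           # malformed record: never match
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(dk.hex(), hash_hex)


def unsalted_sha256(password: str) -> str:
    """The weak scheme, shown only for contrast: one hash per password, no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def demo() -> Dict[str, bool]:
    """Constructed users sharing a password; compare unsalted vs salted storage."""
    users = {"alice": "correct horse battery", "bob": "correct horse battery"}  # constructed sample
    unsalted = {u: unsalted_sha256(p) for u, p in users.items()}
    salted = {u: hash_password(p) for u, p in users.items()}
    return {
        # Unsalted: identical passwords are visible as identical hashes in a dump.
        "unsalted_collide": unsalted["alice"] == unsalted["bob"],
        # Salted: the records differ, so a dump reveals nothing about shared passwords.
        "salted_collide": salted["alice"] == salted["bob"],
        # Both records still verify against the right password and reject a wrong one.
        "both_verify": all(verify_password(users[u], salted[u]) for u in users),
        "wrong_rejected": not verify_password("wrong password", salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the salt is not a secret: it is stored next to the hash, and its only job is to make every stored record unique. The slowness of PBKDF2 (or a memory-hard function such as scrypt, also in `hashlib`) is what limits how many guesses an attacker holding the dumped table can try per second.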

Over the years I've dealt with numerous folks working within the security teams of Orange around the world and they're generally a smart bunch of folks, so this lapse in security is rather disappointing. I can only presume that (as is so typical nowadays) this particular Web portal element was designed and developed by a third-party and didn't undergo the usual security scrutiny.

Regardless, Orange need to up their game here and get the vulnerability fixed. Apparently the folks over at HackersBlog informed Orange but haven't received a response from them.

As for those customers/patrons of the Orange.fr site - I'd recommend that you change your password immediately and, if you're also recycling the same password amongst multiple Web sites, you'd better change all those as well (but don't use the same "new" password you create for the Orange.fr site - since the site probably hasn't been fixed yet).

For more on passwords and their recovery, check out an earlier blog on the topic - Passwords Revisited.

2 comments:

  1. Seems that they don't give a Sh#t about security: http://www.tinyurl.com/qgey92

  2. Looks like Orange.co.uk is similarly in trouble. The HackersBlog folks posted a new entry this morning... http://www.hackersblog.org/2009/05/26/can-someone-from-orangecouk-contact-us/
