Monday, August 17, 2009

SQL injection not sophisticated

I was reading this news story about the recent 130-million stolen credit card numbers. The story says:
According to the Justice Department, the suspects used a sophisticated hacking technique called an "SQL injection attack"...

SQL injection is not sophisticated. It is extremely easy. A million teenage hackers around the world know how to break into websites using SQL injection.

This is the reason SQL injection is so common. The programmers who create websites believe that SQL injection is a "theoretical" vulnerability that does not endanger their websites in practice. They are wrong -- it's easy for someone of average hacking skill to exploit.

Because these programmers don't believe in the problem, SQL injection problems are wide-spread. They seem to be everywhere I look. Here are some recent examples:

The news article should have instead said "Hackers used the well-known SQL injection technique" rather than the "sophisticated" technique.

UPDATE: Dan Goodin at The Register gets it right, describing it as a garden-variety exploit. I guess that's the difference between IT press and mainstream press: for one, it's "garden-variety", for the other, it's "sophisticated".

No comments: