Yahoo Contributors Network affected by Blind & Time Based SQL Injection flaws

Pierluigi Paganini October 09, 2014

Yahoo! Contributors Network was affected by a serious Time based Blind SQL Injection vulnerability which allows the theft of sensitive data.

The Yahoo! Contributors Network allows writers to submit articles, videos, it also allows contributors to receive assignments from Yahoo related various domains like Sports and Finance.
The security researcher Behrouz Sadeghipour reported to that The Yahoo! Contributors Network (contributor.yahoo.com) is vulnerable to a Time based Blind SQL Injection vulnerability, which could be exploited by attackers to steal users and contributors personal data.
According to the expert, he has reported the vulnerability  flaw to Yahoo! Security team a few months ago and the company fixed the flaw. Months later  Yahoo! announced its decision to shut down ‘Yahoo Contributors Network’ due to its decreasing popularity and removed all its contents online, except some of the “work for hire” content.
As explained by the researcher the vulnerability affect Yahoo! systems and attackers could exploit it to compromise the database by injecting its own SQL commands and to gain access to sensitive and personal information of contributors that are paid by the company. Two following URLs could be used to run the attack against the Yahoo serverr :
  • http://contributor.yahoo.com/forum/search/?
  • http://contributor.yahoo.com//library/payments/data-table/?
It’s not the first time that experts discovered a flaw in the Yahoo! Contributors Network, in July 2012 has been hacked by the group of hackers called D33DS Company that stolen and published 453,491 email addresses and passwords in a document  named “Owned and Exposed”.  The file containing the credentials was later disclosed via BitTorrent and various file lockers on the web. The D33Ds hackers claimed they released the information to show the security leak at Yahoo, and not to realize frauds or for other malicious purposes.
In September 2014, the Egyptian hacker Ebrahim Hegazy has discovered a similar vulnerability in the Yahoo service that allows a Remote Code Execution and privilege escalation.
SQL Injection is considered an effective attacks technique and security experts worldwide sustain that the number of SQL injection attacks continues to grow. According to new study titled “The SQL Injection Threat Study“ published in April 2014 by the The Ponemon Institutenearly 65% of organizations suffered successfully SQL injection attacks in the last twelve months, which were able to evade victims’ defenses.
The SQL Injection attacks Threat Study 2 yahoo vulnerable

Do not underestimate the SQL Injection attacks they could seriously damage your business.

Pierluigi Paganini

(Security Affairs –  Yahoo contributor network, SQL injection)



you might also like

leave a comment