
Kickstarter Website Compromised; InfoSec Executives On Alert

Feb 19, 2014 By Sharon Solomon

The breaches keep coming. Kickstarter, arguably the world's largest crowdfunding site, has joined the list of high-profile victims. The site suffered a serious data breach that exposed users' personal information, including their hashed passwords. Hashing is not the same as secrecy: once an attacker holds the hashes, every weak or reused password can be recovered by offline cracking, so the leak of the hashes is itself a serious problem.

Kickstarter did not know its database had been compromised until law enforcement alerted it. Its engineering team then closed the vulnerability the attackers had used and asked all users to reset their passwords, and to change the same password anywhere else they had reused it.

Kickstarter stated that no credit card data was accessed. The intrusion vector has not been disclosed officially; SQL injection is one of the most common ways an attacker ends up with a dump of a web application's user table, and it is the technique examined below.

What is SQL Injection?

SQL injection (SQLi) is an attack that exploits unsanitized user input: text supplied by the user is concatenated directly into a SQL query, so a character such as a single quote ends the string literal the developer intended and the rest of the input is executed as SQL. Login forms are the classic target, but any input that reaches a query, including search boxes, URL parameters, cookies and HTTP headers, can carry the payload. Since nearly every dynamic website is backed by a database, the opportunity exists in virtually every type of site, and the problem is magnified where no secure coding practice or security tooling is in place.

In other words, the attacker supplies SQL fragments through the web page's inputs and the application splices them into its own statements. That lets the attacker talk to the database with the application's own privileges: reading tables of usernames and password hashes and, depending on what the database account may do, modifying or deleting data. Variants that surface database error messages are the easiest to find and to detect. Blind SQLi, where the attacker infers results a bit at a time from differences in page content or response time and never triggers an error, is far harder to spot in logs and poses a real challenge for CISOs and InfoSec managers.

What damage can be caused by SQL Injections? 

Database hacking is a serious security breach that can result in:

  • Theft of usernames and password hashes for resale, fraud or credential stuffing against other sites.
  • Deletion of content or defacement of website pages (e.g. hacktivism).
  • Silent, ongoing monitoring of data by competitors or business rivals.
  • Corruption of entire databases and deletion of backups, where the compromised account can reach them.
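To make the mechanism described above and the first item in the damage list concrete, here is an added example, written for this post and not code from Kickstarter or from the original article. It runs in Python against an in-memory SQLite table; the schema, the user rows and the password-hash strings are constructed for the demonstration. It shows the same lookup built two ways: by string concatenation, which yields a login bypass and a dump of every password hash, and with a bound parameter, which treats the same payloads as plain data.

```python
import sqlite3

# Constructed sample data for this example (assumption: not Kickstarter's
# schema). The pw_hash values are placeholders standing in for real hashes.
SAMPLE_USERS = [
    ("alice", "bcrypt$2a$12$constructedhash1", "alice@example.org"),
    ("bob",   "bcrypt$2a$12$constructedhash2", "bob@example.org"),
]


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "
        "pw_hash TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, pw_hash, email) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    return conn


def vulnerable_lookup(conn, username):
    """The SQLi bug: the user's text is pasted straight into the query.

    A single quote in `username` closes the string literal and whatever
    follows is executed as SQL with the application's database privileges.
    Returns the (name, email) rows the query produces.
    """
    sql = "SELECT name, email FROM users WHERE name = '" + username + "'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, username):
    """Same query with a bound parameter (a prepared statement).

    The driver sends the SQL and the value separately, so the value can
    never change the structure of the statement.
    """
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (username,)).fetchall()


# Two classic payloads. Both keep the quotes balanced so that the trailing
# quote the application appends still closes a literal.
LOGIN_BYPASS = "' OR '1'='1"
# Becomes: ... WHERE name = '' OR '1'='1'   -> every row matches.
HASH_DUMP = "x' UNION ALL SELECT name, pw_hash FROM users WHERE '1'='1"
# Becomes: ... WHERE name = 'x' UNION ALL SELECT name, pw_hash FROM users
#          WHERE '1'='1'   -> the hash column is returned in place of email.


def run_demo():
    """Run both payloads through both lookups and return the results."""
    conn = make_db()
    return {
        "normal":      safe_lookup(conn, "alice"),
        "vuln_bypass": vulnerable_lookup(conn, LOGIN_BYPASS),
        "safe_bypass": safe_lookup(conn, LOGIN_BYPASS),
        "vuln_dump":   vulnerable_lookup(conn, HASH_DUMP),
        "safe_dump":   safe_lookup(conn, HASH_DUMP),
    }


if __name__ == "__main__":
    for label, rows in run_demo().items():
        print(f"{label:12s} {rows}")
```

The two safe results are empty lists because no user is literally named `' OR '1'='1`; that is the whole point of binding parameters. The same fix applies to every database and language: use the driver's placeholder syntax (or an ORM that does), never string formatting, and run the application under a database account that cannot read or alter more than it needs, so that a remaining injection has less to dump.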

How can CISOs and InfoSec Managers combat SQL Injections?

For development teams, building software within a Secure SDLC is the best defence. The fix for SQLi itself is well understood: use parameterized queries (prepared statements) or an ORM that binds parameters for every query, validate input against an allow-list where the format is known, and run the application against a database account with the least privilege it needs. Catching vulnerabilities early in the lifecycle, with automated security checks in the build, cuts rework, saves resources and builds secure development habits, and it doubles as a business differentiator.

It is also important to choose the right security tooling for your website. Penetration testing and DAST find vulnerabilities in the running site, but only along the paths the tester happens to exercise; SAST, also called source code analysis (SCA, not to be confused with the later use of that abbreviation for software composition analysis), examines every code path where user input flows into a query and points at the vulnerable line. Used together, and backed by the coding practices above, they make a site far less likely to carry the common loopholes attackers exploit; no single tool makes it injection-proof on its own.

Source – Kickstarter Hacked
