The hacks just keep on coming. Kickstarter, arguably the world’s largest crowdfunded website, has joined the list of high-profile casualties. The site suffered a serious data breach that has probably led to the leakage of personal information and data, including encrypted passwords that can easily be cracked.
Kickstarter had no idea that their database was compromised until they were alerted by law enforcement officials. The website technical team then patched up the security glitch and asked all users to replace their old passwords with secure ones.
It was announced that no credit card data was compromised, but there is no guarantee that the hackers won’t be able to harvest even this data. While still not announced officially, SQL Injections were probably implemented in the intrusion.
What are SQL Injections?
SQL Injections is basically an unsanitized user input hacking tool, commonly used in login fields of unprotected websites. Since all modern websites use centralized databases to deliver and render information, such hacking opportunities exist in virtually all types of websites. The problem is magnified when websites have no proper security solution in place.
SQLi are basically SQL commands that are maliciously injected into SQL statements via the web page input. This is how the hackers illegally communicate with the website’s databases, harvesting sensitive information and passwords for their personal benefit. Error based SQLi are tough to trap and pose a huge security challenge for CISOs and InfoSec managers.
What damage can be caused by SQL Injections?
Database hacking is a serious security breach that can result in:
- Stealing of usernames and passwords for commercial or criminal purposes.
- Complete wiping out of content or defacing of website pages (i.e hacktivism).
- Silent spying and monitoring of information by competitors or business rivals.
- Corruption of entire databases and deleting of backups.
How can CISOs and InfoSec Managers combat SQL Injections?
For developers, software developed in a Secure SDLC environment is the best way to go. Detecting vulnerabilities at early stages help in cutting production times, saving valuable resources and establishing secure development habits thanks to the automated security process. This eventually also serves as a business differentiator to stand out from the competition.
It’s also important to choose the right security solution for your website. While Pen Testing and DAST solutions are helpful in locating vulnerabilities, the SAST and Source Code Analysis (SCA) options are more comprehensive. Implementing SCA should make your website relatively free from common loopholes exploited by hackers.
Source – Kickstarter Hacked