On November 24th, VTech Holdings detected unauthorized access to customer data housed in the database behind their Learning Lodge app store. The breach itself occurred on November 14th, ten days before it was detected.
The stolen data includes full names, email addresses, hashed passwords, secret questions and answers for password retrieval, IP addresses, mailing addresses and download history. The data of over 200 thousand kids was stolen, and nearly 5 million additional entries were harvested by the hackers.
It is not yet clear how the attack was carried out; however, a simple SQL injection (SQLi) is a good bet, especially considering the attack channel (a web application) and the target (a customer database).
By submitting crafted input into an "un-sanitized" field, one whose contents are concatenated straight into a SQL query, the attacker gets the database to run statements of their own choosing, and can read or dump tables the application never meant to expose. The silver lining of SQLi vulnerabilities is that they are very simple to avoid, if you know what you are looking for: bind user input as a query parameter (a prepared statement) instead of pasting it into the SQL text, and the database treats it as data, never as code. A static analysis of the application code will detect the fields whose input reaches a query unparameterized, allowing the developers to fix the code properly.
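The pattern described above, as an added example that is not code from the original post or from VTech: a constructed customer table in an in-memory SQLite database, a lookup that pastes the user's input into the query text, and the same lookup done with a bound parameter. The schema, the sample rows and the `lookup_*` function names are assumptions for illustration; nothing here is VTech's code or data.

```python
import sqlite3

# Constructed sample rows standing in for a customer table (hypothetical schema,
# not VTech's). The pw_hash values are placeholders, not real hashes.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "hash-a", "12 Oak Street"),
    ("bob@example.com", "hash-b", "7 Elm Road"),
    ("carol@example.com", "hash-c", "3 Pine Lane"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, pw_hash TEXT, address TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """The 'un-sanitized' pattern: the input becomes part of the SQL text itself."""
    sql = f"SELECT email, address FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """The fix: the driver binds the input as a value, so it can never alter the query."""
    sql = "SELECT email, address FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Classic tautology payload: closes the string literal, then makes WHERE always true.
TAUTOLOGY = "' OR '1'='1"

# UNION payload: pulls the password-hash column out through the same lookup,
# with '--' commenting out the dangling quote the original query appends.
DUMP_HASHES = "' UNION SELECT email, pw_hash FROM customers --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:  ", lookup_vulnerable(db, TAUTOLOGY))      # every row
    print("vulnerable, union dump: ", lookup_vulnerable(db, DUMP_HASHES))    # every hash
    print("parameterized, tautology:", lookup_parameterized(db, TAUTOLOGY))  # no such email
    print("parameterized, real user:", lookup_parameterized(db, "bob@example.com"))
```

The parameterized version returns nothing for either payload because SQLite is looking for a customer whose email literally equals the payload string; the vulnerable version turns the same string into new SQL and hands the attacker the whole table, hash column included.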
VTech “bad” #1: SQLi is one of the most basic attacks on database servers.
With that comes good news and bad news.
The good news is that the passwords stored in the database were not in plain text.
The bad news…
VTech “bad” #2: The passwords were not encrypted at all, but stored as unsalted one-way MD5 hashes. MD5 is one of the most basic hash functions still in use and is no longer up to current security standards for password storage: it is extremely fast to compute, and without a per-user salt every user who picked the same password ends up with the same hash. Using publicly available “rainbow tables,” or simply a precomputed dictionary of common passwords, anyone can recover the plaintext of many, if not most, of the passwords.
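Why the difference matters in practice, as an added example that is not code from the original post: a constructed wordlist stands in for a rainbow table, a constructed list of leaked unsalted MD5 hashes stands in for the breached column, and a per-user salt plus a slow key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library, the substitute chosen here; the page does not say what VTech should have used) shows why the same precomputed table is useless against a properly stored password. The wordlist, the leaked values and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the common-password part of a rainbow
# table or cracking dictionary; real tables hold billions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "vtech2015", "iloveyou"]

# Iteration count for the slow KDF; kept modest so the demo runs in a second or two.
ITERATIONS = 100_000


def md5_hex(s):
    """Unsalted MD5 of a string, the weak scheme the breached passwords used."""
    return hashlib.md5(s.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> plaintext once; it then applies to every leaked unsalted hash set."""
    return {md5_hex(w): w for w in words}


def crack_unsalted(leaked_hashes, table):
    """Unsalted MD5: each leaked hash costs one dictionary lookup, no hashing at crack time."""
    return {h: table[h] for h in leaked_hashes if h in table}


def hash_password_properly(password, salt=None, iterations=ITERATIONS):
    """Per-user random salt plus a deliberately slow KDF. Returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=ITERATIONS):
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def crack_salted(salt, digest, words, iterations=ITERATIONS):
    """With a salt, no precomputed table applies: every guess is re-derived for this one
    user at the full KDF cost. Returns (plaintext or None, number of guesses spent)."""
    for n, w in enumerate(words, 1):
        if verify_password(w, salt, digest, iterations):
            return w, n
    return None, len(words)


def salted_demo(password="letmein"):
    """Same password for two users: different salts give different digests, so a table
    built for one user is useless for the next, and each user costs a fresh run."""
    s1, d1 = hash_password_properly(password)
    s2, d2 = hash_password_properly(password)
    return d1 != d2, verify_password(password, s1, d1), crack_salted(s1, d1, WORDLIST)


# Constructed "leak": three users who chose wordlist passwords and one who did not.
LEAKED_MD5 = [md5_hex("password"), md5_hex("letmein"), md5_hex("vtech2015"),
              md5_hex("Tq9#vL!x2p")]

if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("recovered from unsalted MD5:", crack_unsalted(LEAKED_MD5, table))  # 3 of 4
    print("salted KDF demo:", salted_demo())
```

The unsalted column falls to three lookups against a table that could have been built years before the breach; the salted, iterated digest forces the attacker to redo the expensive derivation per user and per guess, which is exactly the cost that MD5 without a salt removes.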
Looking at this attack, it is not immediately obvious what the hackers gain from this data. There does not seem to be any direct financial gain involved, it was not some kind of political cyber warfare, and there most likely isn't an ethical agenda attached to this specific hack.
Personal user data is probably being harvested on a daily basis by hacking groups, or as I prefer to call them, “hacking mafias”. This data can later be repurposed for targeted social engineering attacks, which in turn are used for financial gain. Social engineering is all about gaining the trust of your victim. If I know the names of someone's kids, their home address and their email address, it is going to be much easier to gain their trust.
“Yes Mr. Smith, a college savings fund for Tim and Jane is a great decision. Shall we send the receipt to your home address at Oak Street or to your email?”
On top of that, password reuse is a common mistake made by many internet users. Some use the same password for their online banking account, their webmail account and their app store login, so a password cracked from this leak becomes a credential to try against every other account that user owns. With enough harvested data, finding out where someone does their banking is not a big challenge.