I wonder why, after being online for so many years, Pirate Bay still had SQL injection vulnerabilities? Did they recently re-engineer their site and forget to sanitize input?
This week, a trio of hackers based out of Argentina uncovered various entry points into the popular (and controversial) file-sharing site Pirate Bay using SQL injection flaws contained in the site. The infiltration gained them access to upwards of four million user profiles containing names, addresses, email accounts and other sensitive and (potentially) incriminating information.
As originally reported by Krebs on Security, the group gained access through SQL injection vulnerabilities contained within the site. The leader of the hacker group, Ch Russo, maintains that he and his accomplices did not crack the site for any personal gain, though he did admit, once inside, it had dawned on him that some of the information uncovered would have been valuable to the Recording Industry Association of America and Motion Picture Association of America. But at the end of the day, they chose not to share information with either organization. The group says that they were only attempting to spread awareness that security vulnerabilities exist and SQL injection flaws can still be readily found in today’s applications and websites.
Hackers are able to gain access to apps through weak SQL portals by adding their own Structured Query Language (SQL) into language field features on sites and in applications. These coded statements instruct the app or site to respond to their coded request and (in most cases) grant them administrative or backend access. Once access is gained, typically the sky is the limit to what database information becomes available and what changes can be made.