Imperva warns on Yahoo! jobs web site hack

SYDNEY, November 17.  Imperva, the data security specialist, has reported to Yahoo! a potential SQL injection flaw - known as a Blind SQLi problem - on the Yahoo jobs site.

"This is a flaw that could mean that the personal information of large numbers of people are compromised," Amichai Shulman, Imperva's chief technology officer said.

"Data like this can be extremely useful as far as identity thieves are concerned. This is exactly the sort of data that is traded on so-called carder forums (http://amazingforums.com/forum1/DAGAME/forum.html)," he added.

According to Shulman, although illegal data exchanges are shut down on a regular basis, the scale of the Internet means that as one closes, another opens elsewhere on the Net.

It's a very difficult situation for the law enforcement authorities, as while every identity theft data can be harvested on the Internet from site hacks caused by SQL injection hacks, the forums will act as an auction/exchange for that data, he explained.  Shulman is saying that some hackers are selling the fish – that is the stolen data itself, while others provide the fishing polls – the exploits that can be used to extract the information.

"This is why it's important to warn about potential SQL injection-hacked problems like this. If the potential problem is allowed to continue for any length of time, then the risk of a hacker attack rises as a result," he said.

"SQL injection is a major thorn in the side for the Web site hosting community. It can be tackled with careful research and high levels of security. Unfortunately, some site operators overlook this simple fact at high risk," he added.

Yahoo was contacted and has deployed a fix to resolve the problem.

For more on Imperva: http://www.imperva.com