Hacking passwords to Hell

Hell is actually a pizza chain that started in 1996 that now has 64 stores in New Zealand, England, Australia and Ireland:

Clever marketing strategy but a website they used to manage customer information is said to have been breached. A police report revealed more than 230,000 “entries” at risk with names, phone numbers, email addresses and passwords. Risky Business claims an exclusive on this story called I know what you ate last summer

One source Risky.Biz spoke to says they looked into the security of the website when rumours of the breach started doing the rounds:

Immediately I spotted the SQL Queries being made by the Flash SWF as part of the query string to the server-side. The Flash client makes queries which are hard-coded in the .swf (this is dumb as it means SQL Injection is effectively a ‘feature’ of the store).

You could easily alter the query string to show the hashes stored in the MySQL users table. I figured out the version of MySQL was 4.0 (Debian Sarge) – and the hashes in this version are very weak, cracking them would take less than a couple of hours.

MySQL was listening on a remote port, so one could simply log in remotely and run queries or dump the database slowly so as to not be noticed.

Security researcher and Metasploit creator H D Moore described the security arrangements of the online ordering portal, as described above, as “about 50 steps of fail”.

HD could have gone for the 9 levels of Infernal fail, or called it divinely comical, but 50 steps is still pretty good.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.