The Chicago Tribune was apparently hacked via a SQL Injection flaw in an old section of the website.
According to the Hacker News, the Serbian hacker group ‘TeslaTeam’ found a flaw in a Tribune subdomain which allowed them to breach the website’s database and exposed partial credentials. A pastebin post included links to a page that included the 2008 Illinois school report and 14 encrypted passwords.
A spokesperson for the Tribune group declined to comment. Robert Hansen, technical evangelist at Whitehat Security, said: “The attackers appear to have abused a parameter called ‘ID’ which passes unformatted user input straight into an SQL statement. It appears to allow the attacker to pull in content from the MySQL server and still appears to be vulnerable.
“This is a common mistake to make, unfortunately, and quite easy to fix. The Chicago Tribune is lucky that the attackers alerted them to the attack, it gives them an opportunity to fix their issues with relatively limited damage done. Not even reporters are immune to attack – but this is probably the attacker’s version of a public service announcement to reporters: fix your stuff.”
Research by Imperva found that the vulnerable system was outdated, and it suspected that this is also supported by the table names in the leaked data which contains only the 2008 report card.
Tal Be’ery, web security research team leader at Imperva, said: “However, even if the data within the database is not relevant, hackers can still use the SQL injection flaw for privilege escalation, content manipulation and to cause damage to the Chicago Tribune brand name: ‘Chicago Tribune got hacked’ headlines are bad for the business’ reputation.
“Therefore, it is very important to secure all internet facing applications, even if they are outdated as they provide a viable attack surface for attackers. A way to make sure that all web applications are secured is to put them behind a web application firewall, thus making sure that every application behind it is secured.”
