
Renamed: Pizza ordering website so vulnerable, Google accidentally hacked it.

Started by Pæs, July 25, 2010, 02:00:41 PM


Pæs

http://www.risky.biz/hell

Quote:

Risky.Biz understands multiple intruders have compromised Hell Pizza's 400mb database. While it does not contain any credit card information, it does contain in excess of 230,000 rows of customer entries.

The company operates 64 stores in New Zealand, three in England, nine in Australia and one in Ireland.

The database entries include the full names, addresses, phone numbers, e-mail addresses, passwords and order history for the company's customers. The information is "doing the rounds" across New Zealand.

Some who came into contact with the database contacted the company last year, posing as "concerned customers", but received no acknowledgement of the data breach. They fear the database may have already found its way into the wrong hands.

When contacted by Risky.Biz, Hell Pizza co-owner Stuart McMullin said he was unaware of the data breach. He offered no comment when a list of questions was e-mailed to him, beyond acknowledging the contact from "concerned customers" in 2009.

"I have spoken to my IT staff and they are not aware that our site was hacked or any records lost," McMullin wrote in an e-mail to Risky.Biz. "There were a couple of 'customers' that thought it was the case last year who emailed us - perhaps these are the sources you are referring to - but not to our knowledge."

While the database has become a valuable tool for security professionals in New Zealand, they believe the exposure of the data is exposing the company's customers to spam and other attacks.

It's possible that many users have recycled their passwords between their e-mail, PayPal, TradeMe, banking, eBay, Hell Pizza and other accounts. Even if just a few percent of the company's customers are recycling passwords, the database is worth obtaining, they say.

Downloading the Hell Pizza database, apparently, was very easy.

One source Risky.Biz spoke to says they looked into the security of the website when rumours of the breach started doing the rounds:

Immediately I spotted the SQL Queries being made by the Flash SWF as part of the query string to the server-side. The Flash client makes queries which are hard-coded in the .swf (this is dumb as it means SQL Injection is effectively a 'feature' of the store).

You could easily alter the query string to show the hashes stored in the MySQL users table. I figured out the version of MySQL was 4.0 (Debian Sarge) - and the hashes in this version are very weak, cracking them would take less than a couple of hours.

MySQL was listening on a remote port, so one could simply log in remotely and run queries or dump the database slowly so as to not be noticed.


Security researcher and Metasploit creator H D Moore described the security arrangements of the online ordering portal, as described above, as "about 50 steps of fail".

Another penetration tester says the Hell Pizza database is an excellent example of "non critical" information that could still be used by attackers for great benefit.

The Chair of New Zealand's Internet Task Force, Paul McKitrick, told Risky.Biz that he had heard rumours of the database circulating around the security community as far back as last year.

"A database like this of New Zealand users' personal information provides miscreants with a valuable list of commonly used, New Zealand-centric passwords which could prove useful in brute forcing passwords," he said.

"If Hell Pizza were aware of this then they should have notified their customers. I do not know what actions Hell Pizza took, but I was a customer and I have never received any notification that my personal information has been compromised."

McKitrick, the former head of the New Zealand Government's Centre for Critical Infrastructure Protection, added organisations that collect and store the personal details of their customers, have a responsibility to notify their customers if they believe that there has been a breach of their personal information.

"This enables customers to do something about mitigating their own personal exposure, such as ensuring that the compromised password was changed everywhere it had been used, because people frequently reuse their passwords."

Hell Pizza reported the breach to police after Risky.Biz provided it with some database excerpts it could verify.

Hell Pizza has posted a warning on their Facebook to explain the situation to their customers, but otherwise appears not to have done anything to alert customers who used the system that their information may not have been stored securely.

Quote:

Dear Valued Hell Customer,

We have been approached by a party claiming to be in possession of customer details from the previous Hell website which is no longer in operation. The samples that we received included details of four customers from 2006, including phone numbers and email addresses and order information. We can confirm that credit card data was not at risk as this is held independently on a secure banking website.

Whilst we are still investigating the matter, we can confirm that the information was obtained without our knowledge and we have approached the New Zealand Police with a view to lodging a formal complaint. Hell recognises the importance of protecting customer information and additional security measures were implemented earlier this year when our new website was rolled out (again, we reiterate that this is not an issue affecting the new website). As a further security measure you may wish to consider changing your passwords on other sites if they were the same as the old Hell Pizza website.

We apologise for the incident and any inconvenience that this may have caused.

Sincerely,

Stu McMullin – Director Hell Pizza

We acknowledge that some of you have asked to be removed from the database and we have only included you for the purposes of this notification.

The final line of this suggests to me that this message was sent to their customers using information from the database, but... my email and friends' emails would have been in this database and none of us has heard anything from Hell Pizza. The plus side is that, now that there is a physical address connected to my email address, the spam I receive is more related to my interests.
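The source quoted above says the MySQL 4.0 hashes could be cracked in "less than a couple of hours". The block below is an added example, not code from the thread, from Risky.Biz or from Hell Pizza's site: it reimplements MySQL's pre-4.1 OLD_PASSWORD() hash (two 31-bit words, no salt, spaces and tabs in the password silently ignored) and runs a dictionary and a short brute-force attack against it. The usernames, passwords and wordlist are constructed for the example; the algorithm itself follows MySQL's published hash_password() routine.

```python
import itertools
import string


def mysql_old_password(password: str) -> str:
    """Reimplementation of MySQL's pre-4.1 OLD_PASSWORD() hash.

    The output is two 31-bit words rendered as 16 hex characters. There is
    no salt, so identical passwords always hash identically across users
    and across servers, and the per-character work is a handful of integer
    operations, which is why dictionary and brute-force attacks are cheap.
    """
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for ch in password.encode("latin-1"):
        if ch in (0x20, 0x09):      # MySQL skips spaces and tabs entirely
            continue
        nr ^= (((nr & 63) + add) * ch) + (nr << 8)
        nr2 += (nr2 << 8) ^ nr
        add += ch
        # Low bits never depend on high bits in these operations, so masking
        # to 32 bits keeps the Python ints small without changing the result.
        nr &= 0xFFFFFFFF
        nr2 &= 0xFFFFFFFF
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)


def crack_wordlist(hashes: dict, wordlist) -> dict:
    """Dictionary attack: hash each candidate once and match it against every
    stored hash (no salt means one hash computation covers all users)."""
    by_hash = {}
    for user, h in hashes.items():
        by_hash.setdefault(h, []).append(user)
    found = {}
    for candidate in wordlist:
        users = by_hash.get(mysql_old_password(candidate))
        if users:
            for user in users:
                found[user] = candidate
    return found


def brute_force(target_hash: str, alphabet=string.ascii_lowercase, max_len=3):
    """Exhaustive search over short passwords drawn from `alphabet`."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if mysql_old_password(candidate) == target_hash:
                return candidate
    return None


# Constructed sample: what a dump of a MySQL 4.0 user/customer table might hold.
SAMPLE_HASHES = {
    "alice": mysql_old_password("pizza"),
    "bob": mysql_old_password("hunter2"),
    "carol": mysql_old_password("pizza"),      # reused password, same hash
}
SAMPLE_WORDLIST = ["password", "letmein", "hunter2", "pizza", "trademe"]


if __name__ == "__main__":
    print("OLD_PASSWORD('a') =", mysql_old_password("a"))
    print("whitespace ignored:", mysql_old_password(" a\t") == mysql_old_password("a"))
    print("dictionary hits:", crack_wordlist(SAMPLE_HASHES, SAMPLE_WORDLIST))
    print("brute force:", brute_force(mysql_old_password("ab")))
```

Two things worth noticing when running it: alice and carol share a hash, so a single dictionary hit recovers both accounts at once, and " a\t" hashes to the same value as "a", so the effective password space is smaller than it looks.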

Golden Applesauce

It took them a year to admit that their customers' data had been stolen? Wow....

I really, really hate it when businesses make you register an account to order something online. It provides basically no benefit to the user, some benefit to the company, and a great deal of risk in that no pizza chain is ever going to take cybersecurity seriously.
Q: How regularly do you hire 8th graders?
A: We have hired a number of FORMER 8th graders.

Pæs

http://www.geekzone.co.nz/freitasm/7336

Quote:

A Google search reveals the existence of a script that was there only to execute SQL commands - so vulnerable in fact that even Google found it and cached a result:

Epic fail. They're saying that they are going to check the logs of everyone who downloaded data from their website, but the database was so open that Google accidentally retrieved information from it... and it sounds like they may have stored passwords as plaintext.

This article does say that an email was sent out to customers in the last week, so I guess my friends and I didn't use the site during the time that the vulnerability existed.

Epic fail.
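The thread describes the same anti-pattern twice: a Flash client shipping whole SQL statements in the query string, and a server-side script whose only job was to run them. The block below is an added example and is not code from Hell Pizza's site, the Risky.Biz article or the Geekzone post. It shows that pattern beside a hardened handler that maps a fixed "action" name to a server-side parameterised query, with sqlite3 standing in for MySQL. The table layout, the customer rows (stored with plaintext passwords, as the posters suspected the real site did) and the URLs are all constructed for the example.

```python
import sqlite3
from urllib.parse import parse_qs, urlencode, urlsplit


def build_store_db() -> sqlite3.Connection:
    """Constructed stand-in for the ordering site's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT,
                               email TEXT, password TEXT);
        CREATE TABLE orders(id INTEGER PRIMARY KEY, customer_id INTEGER, item TEXT);
        INSERT INTO customers VALUES (1, 'Ann', 'ann@example.test', 'hunter2');
        INSERT INTO customers VALUES (2, 'Bob', 'bob@example.test', 'letmein');
        INSERT INTO orders VALUES (1, 1, 'Mordor'), (2, 2, 'Lust'), (3, 1, 'Wrath');
    """)
    return conn


def vulnerable_handler(conn: sqlite3.Connection, url: str) -> list:
    """The pattern the thread describes: the client sends the SQL statement
    itself in the query string and the server runs it verbatim. Injection is
    not a bug here, it is the interface. Anyone (including a crawler that
    follows a link) can read any table the database user can see."""
    qs = parse_qs(urlsplit(url).query)
    sql = qs["sql"][0]
    return conn.execute(sql).fetchall()


# Hardened version: the client only names an action; the SQL lives on the
# server and user input is bound as a parameter, never spliced into the text.
ALLOWED_ACTIONS = {
    "order_history": "SELECT item FROM orders WHERE customer_id = ? ORDER BY id",
}


def hardened_handler(conn: sqlite3.Connection, url: str) -> list:
    qs = parse_qs(urlsplit(url).query)
    action = qs.get("action", [""])[0]
    if action not in ALLOWED_ACTIONS:
        raise ValueError("unknown action")
    try:
        customer_id = int(qs.get("customer_id", [""])[0])
    except ValueError:
        raise ValueError("customer_id must be an integer")
    return conn.execute(ALLOWED_ACTIONS[action], (customer_id,)).fetchall()


# Hypothetical URLs; the host and script name are placeholders.
BASE = "http://shop.example/order.php?"
ATTACK_URL = BASE + urlencode({"sql": "SELECT email, password FROM customers"})
LEGIT_URL = BASE + urlencode({"action": "order_history", "customer_id": "1"})
INJECT_URL = BASE + urlencode({"action": "order_history", "customer_id": "1 OR 1=1"})


def demo() -> dict:
    """Run all three requests through both handlers and collect the outcomes."""
    conn = build_store_db()
    result = {"leaked": vulnerable_handler(conn, ATTACK_URL),
              "history": hardened_handler(conn, LEGIT_URL)}
    for name, url in (("attack", ATTACK_URL), ("inject", INJECT_URL)):
        try:
            hardened_handler(conn, url)
            result[name + "_rejected"] = False
        except ValueError:
            result[name + "_rejected"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The hardened handler still needs the database account locked down (read-only on the tables it serves, and not reachable from the internet, the other point the thread raises) and the passwords hashed, but it removes the property that made the original script a one-request dump of the customer table.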