Hackers Expose Site’s Security Hole

Friday, March 16, 2012 @ 12:03 PM gHale

The high visibility web site, Ancestry.com, has a security hole that could leave personal information of its users exposed.

While this site does not really working the manufacturing automation sector, it is just another example of a viable web site that has at least one vulnerability where hackers could get in and wreak havoc on its users.

Flaws in Microsoft, Dell, TBS Sites
UN, Skype, Oracle Hacked
Execs Unaware of Security Risks
Security to Industry: Time to Wake Up

TeamHav0k, a network of “gray hat” hackers, found a SQL injection vulnerability in the genealogy-tracing website. To prove its point, the group copied the contents of a database belonging to the website and posted it online.

In a Pastebin post, the TeamHav0k hackers preface the leak with a note explaining that their exploit was not harmful to Ancestry.com’s registered users, but simply highlight what the hackers believe is a major flaw for a high-profile site to have.

“This release is not meant to harm anyone its simply just to prove ‘Security Is An Illusion’ although we are known for (cross site scripting) XSS’s, we will exploit other vulnerabilities if we find them,” the group said in its note. “People need to understand the seriousness of small little coding errors that lead to this sort of thing, they need to remember to PATCH THEIR SYSTEMS the second a new updated version comes out to protect their assets and clients”

The vulnerability exposed by TeamHav0k “is on the company’s corporate website, which is a separate website housed by a third party vendor and is not connected to any Ancestry.com customer financial or personal tree information,” said Ancestry.com’s director of corporate communications, Heather Erickson.

The leaked database contents, which amounted to only 35 kilobytes, had no actual user information. Rather, the data seemed to be mostly front-end forms that a member would use to fill in family information when first signing up with Ancestry.com.

The largest file in the database dump consisted of content to populate a “latest news” page on the Ancestry.com site. It dated from July 2010.

This posting may have been a warning shot or it may have been as far as the group got, but it does go to show security professionals need to remain vigilant in the efforts to keep their sites and companies up and running.

Leave a Reply

You must be logged in to post a comment.