Oklahoma Department of Corrections SQL exposure

Date Reported:
4/15/08

Organization:
State of Oklahoma

Contractor/Consultant/Branch:
Department of Corrections

Victims:
"Oklahoma residents"

Number Affected:
10,597

Types of Data:
Names, addresses, and social security numbers

Breach Description:
"Residents of Oklahoma State have reportedly been hit this week with the bad news that tens of thousands of their names, social security numbers and allied data were effectively available on the Web for around three years."

Reference URL:
The Daily WTF
ComputerWeekly
The Register
SecurityProPortal

Report Credit:
Alex Papadimoulis, The Daily WTF

Response:
From the online sources cited above:

One of the cardinal rules of computer programming is to never trust your input. This holds especially true when your input comes from users, and even more so when it comes from the anonymous, general public. Apparently, the developers at Oklahoma’s Department of Corrections slept through that day in computer science class, and even managed to skip all of Common Sense 101.

The result of this negligently bad coding has some rather serious consequences: the names, addresses, and social security numbers of tens of thousands of Oklahoma residents were made available to the general public for a period of at least three years.

Up until yesterday, April 13 2008, anyone with a web browser and the knowledge from Chapter One of SQL For Dummies could have easily accessed - and possibly, changed - any data within the DOC’s databases.

It took me all of a minute to figure out how to download 10,597 records - SSNs and all - from their website.

Not only did Oklahoma make available the SSN of those types of offenders, but that of every type of offender in their system. It was all accessible through an innocent looking link on both the SVOR and Offender search pages.

Shortly after discovering this problem (thanks to reader AJ, who hesitantly pointed it out), I spent the following day working my way up the DOC's call tree. Eventually, I found my way to George Floyd and explained how bad of an idea it was to have a SQL query as a parameter.

Fortunately, he didn't accuse me of hacking their site. In fact, he seemed appreciative and promised to pass the details along to their developers.

The following day, both the SVOR and Offender Search were taken down "for routine maintenance".

However, when the sites came back up, I noticed that the "print-friendly page" still had a SQL query in the URL. Putting the "social_security_number" in, however, no longer displayed social security numbers.

It took me all of ten seconds to figure out a way around their fix.

I used "Social_security_number" instead of "social_security_number".

Their brilliant developers plugged this pothole with a pebble by doing nothing more than a case-sensitive search/replace of "social_security_number" with "doc_number". Clearly, they had no idea why it was so bad to let any SELECT anything from their databases.

I emailed George again, this time explaining the problem much more clearly.

That, apparently, did the trick. Soon thereafter, the sites underwent "routine maintenance" and the "roster pages" were no more.
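The pattern Alex describes, reconstructed as an added example (this code is not from the Breach Blog post, from The Daily WTF write-up, or from the Oklahoma DOC site; the table name, column names and rows are constructed for illustration, since the real schema is not known). It shows the original "query in the URL" handler, the case-sensitive search/replace "fix" and why a differently-cased column name walks straight past it, and the fix that actually closes the hole: the client supplies a value, the server owns the SQL.

```python
"""Added example: a SQL query accepted as a request parameter, the
case-sensitive search/replace "fix", and a real fix.  Schema and rows are
constructed; sqlite3 stands in for whatever database the DOC site used."""
import sqlite3

# Constructed sample rows standing in for an offender roster.
ROWS = [
    (1001, "A. Example", "123 Main St", "123-45-6789"),
    (1002, "B. Sample", "9 Elm Ave", "987-65-4321"),
]


def make_db():
    """Build an in-memory database with a hypothetical 'offender' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE offender (doc_number INTEGER, name TEXT, "
        "address TEXT, social_security_number TEXT)"
    )
    conn.executemany("INSERT INTO offender VALUES (?, ?, ?, ?)", ROWS)
    return conn


def roster_vulnerable(conn, sql_param):
    """Original pattern: the URL parameter *is* the statement that runs.
    Anyone can SELECT any column, and since it is executed as-is, an
    UPDATE or DELETE in the parameter would run too."""
    return conn.execute(sql_param).fetchall()


def roster_pebble_fix(conn, sql_param):
    """The described "fix": rewrite one column name, case-sensitively,
    and still execute whatever remains.  SQL identifiers are not
    case-sensitive, so 'Social_security_number' is untouched by the
    replace and still resolves to the same column."""
    patched = sql_param.replace("social_security_number", "doc_number")
    return conn.execute(patched).fetchall()


# Server-side allow-list of what the roster page may ever return.
ALLOWED_COLUMNS = ("doc_number", "name", "address")


def roster_fixed(conn, doc_number):
    """Real fix: the client supplies a value, never SQL.  The statement is
    fixed text owned by the server, the column list is an allow-list, and
    the lookup value is type-checked and bound as a parameter, so a value
    like '1001 OR 1=1' is rejected instead of interpreted."""
    cols = ", ".join(ALLOWED_COLUMNS)
    return conn.execute(
        f"SELECT {cols} FROM offender WHERE doc_number = ?",
        (int(doc_number),),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    leak = "SELECT social_security_number FROM offender"
    print("vulnerable:", roster_vulnerable(db, leak))
    print("pebble fix, lowercase:", roster_pebble_fix(db, leak))
    print("pebble fix, bypass:",
          roster_pebble_fix(db, "SELECT Social_security_number FROM offender"))
    print("fixed:", roster_fixed(db, "1001"))
```

The lesson is the one Alex gave the DOC twice: filtering the text of a query you should never have accepted is not a fix. The only parameter a roster page needs from the browser is a record identifier, and the server should treat it as data, not as SQL.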

Commentary:
I highly suggest that people read the source article. Alex does an excellent job of describing the problem and his commentary is priceless.

Past Breaches:
Unknown
