The Chief Technology Officer at security firm Imperva has revealed details about a potential weakness within the Yahoo Jobs website, which could have been exploited by cybercriminals to extract customer information. The Israel-based company discovered the vulnerability after monitoring discussions on a criminal forum and Yahoo was quick to plug the gap before serious data theft occurred.
Imperva’s Amichai Shulman outlined the basics of the issue, stating that in essence the hole could be exploited using a method similar to an SQL injection attack. In this case a technique known as blind SQLi would have been used to access personal details and financial information of thousands of Yahoo Jobs users.
Shulman explained that although the threat posed by blind SQLi is less serious than a basic SQL injection attack on paper, in reality concerns are mounting because of the existence of automated tools which make the blind SQLi process far easier. The resultant breach could allegedly be used to extract the contents of an entire database with relative ease.
It took just a few hours for Yahoo to protect its systems against the breach after it had been made aware of the security hole. Shulman pointed out that such a rapid response is indicative of the gravity of the situation with which Yahoo were presented. Jobs sites have been taking data security more seriously after Monster.co.uk was exploited by hackers on two separate occasions in 2007.
There have been no official reports of a data crime having occurred and it is believed that the discussions surrounding blind SQLi techniques on the cyber crime forum were not related to a potential attack but rather to the sale of technical information relating to the hack.
Significant visitor numbers and vast databases of personal information held by jobs websites are believed to attract the attention of cybercriminals. Tackling SQL injection attacks has become a major concern for those companies involved in hosting such sites and although tighter security can limit the impact of criminal activity, more awareness is being called for to avoid complacency and to address any vulnerabilities.
