Tuesday, August 21, 2007

ConnectU.com SQL injection vulnerability: a story of pathetic hubris (and fun with the password 'password')

This is off-topic for this blog but here goes. ConnectU, a small college social networking site, has been in the news due to their apparently weak lawsuit against Facebook, in which they claim Mark Zuckerberg stole their business plan and computer code back when they all were Harvard undergraduates. (Judges involved have noted the case's flimsy evidence; some technology commentators -- as well as everyone I know -- have noted that the business idea wasn't all that brilliant or original in the first place.) Zuckerberg, of course, went on to found Facebook and bring it to incredible success.

I tried to use the ConnectU site recently, but got an error when searching for a funny name with an apostrophe, o'connor. It turns out this was symptomatic of a very grave security flaw in their code, an SQL injection vulnerability. While Facebook recently had a minor security-related glitch, ConnectU's flaw is far more serious. A malicious attacker could use this to easily break into user accounts, damage or delete internal databases, or probably much worse.

I contacted ConnectU about the flaw here and by now, they seem to have fixed the problem. (Sorry, I didn't get screenshots before the fix.) But this is hardly confidence-inspiring. This bug is one of the most elementary security bugs that can exist in a PHP website. It's a clear sign of a shoddy, amateurish effort; my coworker Dave Fayram, a web engineering expert, describes it as "shameful". Apparently ConnectU's lawsuit asks for all assets and ownership rights to Facebook under the presumption that Zuckerberg's actions were uniquely responsible for their relative lack of success. But this level of engineering incompetence belies any such claim (e.g. as assumed here). Mark Zuckerberg moved his operation to Palo Alto, hired boatloads of smart Stanford grads and built one of the most popular social networking sites around, while ConnectU piddled around with a provably pathetic, toy site.

Techincal details on their litany of errors:

The advanced search page (prominently linked directly off the front page) did not escape text field inputs. A search got submitted as a MySQL SELECT query, so if you cleverly used single quotes in any field, you could inject arbitrary SQL into the WHERE clause. (Much more malicious things may also be possible.) And to make matters worse, PHP debug error messages were on (bad!), so you saw MySQL error messages on malformed queries.

For example, issuing ' AND pw not null OR 'bla'=' yielded the error Unknown column 'pw' in 'where clause'. With a few more tries, it was trivial to discover that they're storing user passwords directly in the users table as plaintext (bad!) and you could even query for what users have various sorts of passwords. For instance, it turns out several users have length 1 passwords: ' AND password RLIKE '^.$' OR 'bla'='. And 192 users have the password 'password': ' AND password = 'password' OR 'bla'='. Amusingly, when you do this query you get back the standard results page that has every users' school listed; thus, of those 192, here are the top 10 schools represented among that group:
13 New York University
11 Harvard University
10 Cornell University
9 Louisiana State University
8 Boston University
7 Pennsylvania State University
7 Columbia University
6 University of Massachusetts - Amherst
6 University of Pennsylvania
6 University of California - Los Angeles

Sure, NYU and Harvard have some of the larger populations on ConnectU (around 1800 and 1300 respectively), but some some schools like Stanford have plenty of users (150) but no one at all with 'password'. Here is the list of the ten largest schools with zero password 'password's, sizes ranging from about 400 to 100:
Colgate University
Brandeis University
Syracuse University
Emerson College
Yale University
University of California - Davis
Rensselaer Polytechnic Institute
University of California - Berkeley
Stanford University
Rutgers University

Yes, this is atrociously poor statistical methodology. I only contend these lists are amusing, not substantive. But, it doesn't take much imagination to see that having access at all to such data is a critical security breach.


At 11:09 PM, Anonymous Anonymous said...

I found a mysql injection in a popular book website. I never did notify them .. I was afraid of some kind of legal repercussions if I did. I would hope they wouldn't do that but I think they could if they wanted to. Is this correct?

At 5:24 AM, Anonymous Anonymous said...

I use passwords like 'password' all the time. A lot of web sites make me register when I don't want to, or if I just want to try them out. I use them a lot for low-security stuff where I don't care if someone breaks into my account.

I save good passwords for important stuff.

At 8:03 PM, Anonymous Anonymous said...

Nice very subtle dig at Cal and not-so-subtle crowing about Stanford.

The ConnectU guys have been spamming Cal students to join their site, so I'm not terribly surprised that there are a lot of "users" with throwaway passwords.

At 12:51 PM, Blogger Brendan said...

Wow, I didn't think at all of this as a Berkeley thing. ivygateblog.com has comment making fun of Harvard. I guess the data can be interpreted to support whichever petty university rivalries one wants...


Post a Comment

<< Home