BrickHouse Security Blog

A blogger who prefers to remain anonymous, has successfully hacked into Barack Obama’s campaign site, BarackObama.com. It appears that the blogger did not have any malicious intent by making the hack known to the public, but rather he released the information about the attack in order to bring attention to the site’s lack of database security.

The blogger was able to easily hack in to the site’s databases using a simple SQL injection attack which tricks web applications information from a database “by tweaking existing queries into doing things they weren’t designed to do.” If the term “SQL injection hack” sounds familiar, that is because that is the same method was used in the now famous attach on Heartland Payment Systems where hackers were able to obtain millions of credit card numbers. According to the blogger, all of BarackObama.com’s administrators’ passwords are unencrypted.

It is becoming more and more apparent that even high priority level sites are vulnerable to easy-to-implement SQL injection hacks. Forbes has investigated the blogger’s claims and in the process they have discovered that a simple Google search leads to a Roosevelt University calendar, that is available at donate.BarackObama.com. That page uses a URL parameter for calendar identification that could make it vulnerable to a SQL injection attack if the page was programmed incorrectly.

(Via Forbes)