Yahoo Careers website patched to close SQL flaw

Security researchers have helped to close up a blind SQL injection vulnerability on Yahoo's careers website.

Through their routine monitoring of cybercrime forums, researchers at web application firewall provider Imperva noticed discussion of the flaw, present on careers.yahoo.com, which could allow attackers to extract database contents, including personal information. The researchers did not, however, see the cybercrooks attempting to exchange any stolen data.

Amichai Shulman, Imperva's CTO, said he confirmed the flaw and, on Thursday, notified Yahoo, which pushed out a fix within hours.

The vulnerability is different from a traditional SQL injection flaw, he told SCMagazineUS.com on Monday.

Typically, to pull off a SQL injection exploit, attackers enter a specially crafted query into a web form, which tricks the database into returning the desired results, Shulman explained. In a blind SQL injection scenario, hackers do not obtain the query output; they receive only an indication of whether the query succeeded.

"If you build queries correctly, you can extract one character of information at a time," he said. "It takes time. But once you automate the process, you don't really care."
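The following is an added example, not code from the article, from Imperva or from Yahoo; it uses a constructed in-memory SQLite schema (a `jobs` table and an `applicants` table, both assumed) to show why a page that only answers "found" or "not found" is still exploitable when input is concatenated into the query, and how parameter binding plus a numeric-id check removes that one-bit oracle:

```python
import re
import sqlite3


# Constructed in-memory job-site schema with sample rows; not Yahoo's data.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jobs (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO jobs VALUES (?, ?)",
                     [(1, "Software Engineer"), (2, "Security Analyst")])
    conn.execute("CREATE TABLE applicants (id INTEGER PRIMARY KEY, email TEXT)")
    conn.execute("INSERT INTO applicants VALUES (1, 'alice@example.com')")
    conn.commit()
    return conn


def job_exists_vulnerable(conn, job_id):
    """Vulnerable lookup: untrusted input is concatenated into the SQL text.

    The caller learns only True/False (the page says 'found' or 'not found'),
    which is the single bit of feedback a blind SQL injection needs.
    """
    sql = f"SELECT id FROM jobs WHERE id = {job_id}"
    return conn.execute(sql).fetchone() is not None


def job_exists_safe(conn, job_id):
    """Hardened lookup: the value is bound as a parameter, never parsed as SQL.

    Anything that is not a plain job id simply matches no row.
    """
    sql = "SELECT id FROM jobs WHERE id = ?"
    return conn.execute(sql, (job_id,)).fetchone() is not None


# Assumed policy: job ids are short decimal integers.
NUMERIC_ID = re.compile(r"[0-9]{1,10}")


def flag_request(param_value):
    """Defensive input check for a parameter that must be a numeric id.

    Returns True when the value should be rejected and logged; a WAF or the
    application itself can apply the same rule before any query runs.
    """
    return NUMERIC_ID.fullmatch(param_value) is None


def demo():
    conn = make_db()
    results = {}
    # Legitimate request: both versions agree.
    results["legit"] = (job_exists_vulnerable(conn, "1"),
                        job_exists_safe(conn, "1"))
    # Boolean probe: the vulnerable version answers the injected condition,
    # the safe version treats the whole string as one (non-matching) value.
    true_probe = "1 AND 1=1"
    false_probe = "1 AND 1=2"
    results["vuln_oracle"] = (job_exists_vulnerable(conn, true_probe),
                              job_exists_vulnerable(conn, false_probe))
    results["safe_oracle"] = (job_exists_safe(conn, true_probe),
                              job_exists_safe(conn, false_probe))
    # The oracle reaches other tables: one character of an applicant's e-mail
    # per yes/no answer, which is what "one character at a time" means.
    char_probe = ("1 AND (SELECT substr(email,1,1) FROM applicants "
                  "WHERE id=1)='a'")
    results["vuln_leak"] = job_exists_vulnerable(conn, char_probe)
    results["safe_leak"] = job_exists_safe(conn, char_probe)
    # The input check rejects every probe before it reaches the database.
    results["flagged"] = (flag_request("1"), flag_request(true_probe))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Parameter binding is the fix that closes the flaw; the numeric-id check is a second layer that also gives defenders a log line for each rejected request, which is the kind of signal a WAF vendor would look for when this flaw is being probed.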

Attackers often target job sites because of the wealth of personal data contained on them.

"I think people care more about when a job site gets hit because those tend to include a lot of personal information that is not necessarily meant to be public," he said. "I think mostly, [attackers] take the information out and sell it away to other individuals who make use of it. Depending on the type of information, it can be used for spam, phishing or identity theft."

A Yahoo spokeswoman did not respond to a request for comment.

This is not the first time a Yahoo site was victimized by a coding error. Last year, internet research firm Netcraft's toolbar detected a cross-site scripting bug in Yahoo's HotJobs search engine site that could be exploited to steal authentication cookies.

