Published on June 7th, 2017 | by Akshay Nayak
Breach of the Month — May 2017
Every Friday the SS8 Twitter feed features a notable breach, leak, or hack as our pick for the SS8 #breachoftheweek. At the end of every month, our engineers take a look at each of these ‘finalists’ and select one outstanding breach as our #BreachOfTheMonth pick. Which did we choose for May? This month’s breach threat analysis features the thoughts of Threat Researcher Akshay Nayak:
- Sabre hospitality booking database breach
- Yahoobleed vulnerability
- Zomato.com breach
Sabre Hospitality Booking Database Breach
Sabre Corp, one of the world’s largest travel technology companies, suffered a data breach in which unauthorized access to its travel reservation system, Synxis, was discovered. In its quarterly SEC (Securities and Exchange Commission) filing, as well as in a separate press release, Sabre confirmed the unauthorized access, said it had informed law enforcement about the incident, and engaged Mandiant to investigate it. The investigation is still ongoing, and little is known beyond Sabre’s statement that its Synxis central reservation system may be the only system involved in the breach.
Yahoobleed Vulnerability
Yahoobleed is the name given to a vulnerability in the ImageMagick image processing library as it affected Yahoo. It was found by Chris Evans, a security researcher who had previously found vulnerabilities in ImageMagick as used by companies such as Box and Dropbox. Yahoobleed is further subdivided into Yahoobleed1 and Yahoobleed2. Yahoobleed1 resulted from Yahoo failing to install an ImageMagick patch that was released in Dec. 2014, which means that Yahoo Mail users were exposed to Yahoobleed1 for almost 28 months. Yahoobleed2 is a separate vulnerability in ImageMagick that was present in spite of the patch that took care of the previous one. All it took to exploit Yahoobleed1 was an 18-byte image file attached to the email body. Chris was awarded $18K for reporting the vulnerability to Yahoo, and Yahoo decided to forgo ImageMagick altogether.
Although these contenders for May are strong — and we haven’t even touched on the WannaCry infection which we addressed in detail in two separate blogs — the breach of the month is without a doubt the Zomato breach.
Zomato.com Breach
This popular restaurant review and food delivery website had the details of around 17 million users compromised. These included user IDs, names, usernames, email addresses and hashed passwords. According to a post on Zomato’s blog, no payment card information was compromised, and since 60% of the affected users logged in with their Google or Facebook accounts via OAuth, no password hashes were stolen for those users.
The attack seemed to be perpetrated by a ticked-off white hat whose sole motivation was to get Zomato to adopt a fully featured bug-bounty program and start taking security more seriously. The hacker who stole the account details had put them up for sale in a dark web marketplace, and agreed to take the data off the dark web and delete all copies once Zomato decided to cooperate. In other words, the attacker wanted Zomato to have a well-established bug bounty program and to pay more attention to securing the data of its users.
Zomato has had a HackerOne account since Feb 2016, where it acknowledges white hats and pen testers alike for finding bugs in its applications. At the moment, in exchange for finding vulnerabilities, Zomato only offers to induct the finder into the “hall of fame” or, if needed, to provide a certificate of recognition. Since there is zero payout for finding vulnerabilities, there is little incentive for bug hunters to report them. Once Zomato reached out to the attacker and promised to prioritize the security of its users’ data, the attacker also gave them the details of how the data was compromised.
Another problem with this breach was the way Zomato stored the password hashes of users. The passwords were hashed using the MD5 algorithm with a 2-character salt for each password. There are two problems with this. First of all, MD5 is an extremely weak hashing algorithm and has been proven to be vulnerable; it is also very fast to compute, which is exactly what a password hash should not be. Second, while using a salt is better than not using one at all, such a short salt just does not cut it: a 2-character salt can take only a few thousand distinct values, so an attacker can still precompute lookup tables or attack many hashes at once. Taking the previous two points into account, along with the computing power available today and the fact that many users choose short, easy-to-remember passwords, these hashes can be cracked easily. In fact, that’s exactly what happened: Motherboard was able to crack the password hashes for a small subset of data obtained from the dark web marketplace Hansa using just an online hash checker.
There are a few important lessons that can be learned from this:
- Companies should invest more in securing the data of their users. There are many ways to do this and a good bug-bounty program is a step in the right direction. In this case, Zomato promised the hacker to put controls in place and enhance their bug bounty program to offer monetary rewards.
- Simple hashing functions such as MD5, or even ones with a larger output size such as SHA-1 or SHA-2, should not be used by themselves. Creating a custom password hashing scheme built on any of the algorithms mentioned before is also not advisable, with or without salts of any length, as it’s hard to tell how cryptographically secure it is without extensive research. A much better approach is to use password hashing functions that are specifically designed for storing passwords securely and have been thoroughly vetted by the security community. There are three that are extremely popular right now: bcrypt, PBKDF2 and the newer scrypt.
- Readers will notice how I used the words “white hat” and “hacker” interchangeably in this post to describe the person that caused user data to be leaked. This is because I believe the person’s end goal was most likely noble, it being to get Zomato to take better steps into securing its users’ data. But I also think that the method of arriving at the goal was extremely reckless and this person should have realized the consequences of putting up the details of 17 million users on the dark web even if it was for a short period of time. There is no saying who else might have got access to this data. A malicious adversary could harvest email addresses in this data or even use them along with the cracked passwords to compromise other online accounts of these users because of password reuse that is extremely prevalent.
- Users should set a strong password for all their online accounts. So that these passwords don’t need to be memorized, using a good password manager is highly advisable. These can help users automatically set and manage extremely complex passwords and effectively eliminate password reuse and the need to remember anything but the master password. 1Password and LastPass are some of the best password managers out there.
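To make the MD5 point above and the lesson on vetted password hashing concrete, here is an added example (not code from the original post, and not Zomato’s actual implementation) that puts a legacy “MD5 with a 2-character salt” scheme beside a PBKDF2-HMAC-SHA256 replacement from Python’s standard library. The salt alphabet, the salt-first concatenation order, the iteration count and the sample password and wordlist are all assumptions constructed for the demo; the post only states that MD5 and a 2-character salt were used.

```python
import hashlib
import hmac
import os
import string
from typing import Iterable, Optional

# Assumed alphabet for the legacy 2-character salt (the post does not say which
# characters were used; printable alphanumerics are a reasonable guess).
SALT_ALPHABET = string.ascii_letters + string.digits


def legacy_md5_hash(password: str, salt: str) -> str:
    """The weak scheme described in the post: MD5 over salt + password.
    Salt-first ordering is an assumption; MD5 is used here only to illustrate the flaw."""
    if len(salt) != 2:
        raise ValueError("legacy scheme uses a 2-character salt")
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


def salt_space(salt_len: int, alphabet: str = SALT_ALPHABET) -> int:
    """Number of distinct salts. With 2 alphanumeric characters this is 62**2 == 3844,
    small enough that precomputed tables per salt remain practical for an attacker."""
    return len(alphabet) ** salt_len


def recover_legacy_password(stored_hash: str, salt: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary check against one legacy hash; returns the matching word or None.
    Each guess costs a single fast MD5 call, which is why weak user passwords fall quickly."""
    for word in wordlist:
        if hmac.compare_digest(legacy_md5_hash(word, salt), stored_hash):
            return word
    return None


# Illustrative work factor; raise it until verification takes as long as your service tolerates.
PBKDF2_ITERATIONS = 200_000


def pbkdf2_hash(password: str, salt: Optional[bytes] = None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened replacement: PBKDF2-HMAC-SHA256 with a random 16-byte salt per password.
    The record format 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>' stores the
    parameters alongside the hash so the work factor can be raised later without breaking logins."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(dk.hex(), hash_hex)


if __name__ == "__main__":
    # Constructed sample data: one legacy record for a weak password and a tiny wordlist.
    legacy_record = legacy_md5_hash("summer2017", "k7")
    wordlist = ["password", "123456", "qwerty", "summer2017"]

    print("distinct 2-character salts:", salt_space(2))
    print("legacy hash recovered as:", recover_legacy_password(legacy_record, "k7", wordlist))

    record = pbkdf2_hash("summer2017")
    print("stored record:", record)
    print("correct password verifies:", pbkdf2_verify("summer2017", record))
    print("wrong password verifies:", pbkdf2_verify("summer2018", record))
```

The contrast the demo is meant to show is cost per guess: the legacy check is one MD5 call, while every PBKDF2 guess costs the full iteration count, and the 16-byte random salt means no table can be shared across users. bcrypt and scrypt, the other two options named in the post, give the same per-user salting with additional memory or cost parameters, but need a third-party package in Python, which is why PBKDF2 from hashlib is used here.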
Akshay Nayak is a Threat Researcher at SS8. In addition to threat hunting, he likes listening to Bollywood music and playing FIFA. A big Game of Thrones fan, he is one of those people who likes the books better than the TV series.