Geekzone: technology news, blogs, forums
Kyanar
4089 posts

Uber Geek

ID Verified
Trusted

  #356182 25-Jul-2010 20:43

freitasm:

Sorry folks for bringing this back to life... But things have happened that made me remember this thread.

It appears that Hell Pizza's database was compromised, thanks to a SQL Injection attack, about the same time you started receiving that spam.

According to http://risky.biz/hell:

I have sent an email to Hell Pizza asking for confirmation on this story but it sounds very familiar...


The NZ Herald just covered this today, and they have the director Warren Powell on record stating that it was an employee responsible for leaking the database, and they haven't been able to locate the actual source of the breach.  Sounds like he just might be lying.  Especially since they have Risky.biz quoting in the same article that it is most assuredly not an employee responsible, but a giant security flaw.

I don't know about you, but with that sort of attitude toward customer security, Hell Pizza most assuredly will never be getting my business again.



freitasm
BDFL - Memuneh
79288 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #356189 25-Jul-2010 20:56

From reading the risky.biz site it seems Spikefin did a poor job of issuing SQL commands directly from the Flash website to the database server. Anyone "listening" could just emulate those commands and retrieve records at will...

Having firewalls (as they claim) would do nothing to block traffic that was, for all intents and purposes, "legitimate".





Please support Geekzone by subscribing, or using one of our referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies | Hatch | GoodSync 


Kyanar
4089 posts

Uber Geek

ID Verified
Trusted

  #356283 26-Jul-2010 00:33

Hell Ireland is using the old vulnerable version. Hell Australia and United Kingdom are currently down with a JSP Database exception, which I'd assume means they are vulnerable too.

Canada's is not vulnerable as they have migrated to Mobi2Go like New Zealand has.



Kyanar
4089 posts

Uber Geek

ID Verified
Trusted

  #356287 26-Jul-2010 00:39

Holy crap, GOOGLE has actually INDEXED and CACHED some of the SQL query results (with customer data - well, a customer's name anyway)

I guess this answers how the "hackers" got the info then?

michaelmurfy
meow
13249 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #356302 26-Jul-2010 01:32

Kyanar: Holy crap, GOOGLE has actually INDEXED and CACHED some of the SQL query results (with customer data - well, a customer's name anyway)


I nearly coughed up my pizza. That is some bad security there. Don't they know how to use SQL?! I don't think I will be hiring the web design company behind this anytime soon, heck at our Datacentre we attempt to make sure our customers are secure from this sort of thing.

It seems that their UK site is down; this site is hosted here in Christchurch too. I think there's a bit of bad management there with the way the sites are managed, since their main NZ site is hosted with Netspace in Wellington. It's a bit all over the place.




Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.


freitasm
BDFL - Memuneh
79288 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #356304 26-Jul-2010 01:57

I've posted an update in my blog now: http://www.geekzone.co.nz/freitasm/7336







dman
953 posts

Ultimate Geek


  #357501 28-Jul-2010 00:08

dontpanic42: The issue has just made the news in a few more places.

http://tvnz.co.nz/national-news/hacker-claims-have-hell-pizza-passwords-3670977
http://www.techday.co.nz/netguide/news/hell-pizza-customer-database-compromised/17171/1/

Looks like Hell Pizza have now taken the matter to the police.


LOL!!! A person HELPS them out and they respond by sending them to the Police....   oh hang on, why am I laughing...  this is also really SAD and WRONG! Seriously, what the hell Hell!


maknz: Terrible. Might try and delete my account.

Edit: Hell have just issued a statement: http://www.facebook.com/photo.php?pid=4362601&id=43522837224


I fully agree with this guy (2nd comment on facebook):

Kelvin Yong Why not have this typed out as a note on Hell Pizza's profile, so it's searchable and more useful? Search engine can't "read" text in the image.

If I was conspiracy minded I would sooo be believing that too right now, but surely there is another explanation?! (but good to see later they made a note as well, conspiracy theory squashed? :P But Hell only admits it was due to Kelvin's "insistence" that this happened.... !!)

However this comment:

Steve McAteer this is pretty responsible for a company ! Most companies would simply try to keep it quiet...obviously one day coming back to bite them on the ass, so well done HELL, i wish all companies we're this open, transparent and honest...keep it up, hopefully the theory will spread !

I read that again with a mixture of laughter (because it is so far from reality...) and sadness... (for the same reason!)

Another clueless customer:

Danny Collings Kelvin get ova ur bad self , hell have it covered i have mates that work in hell ..its being taken care of.. and the customers who are affected in anyway have or are about to receive e-mails to let them know ...
if you really wnt to throw ...something around go to the hells web page and grab a little devil to toss , ps most customers of hells trust them to do the right thing they have so enough already with you making ur point ova and ova and ova ..........if this gets u pissy well it proves my point u need to chillax !

Correct me if I'm wrong, but did EVERY customer get an email? As that is how many were breached. Besides, Kelvin was spot on the money.

Another person (Amanda Easterbrook, very long comment so won't quote it all) accused RiskyBiz of being the only person doing wrong here because she said he is trying to extort money!! :o wtf






 
 
 

dman
953 posts

Ultimate Geek


  #357506 28-Jul-2010 00:26

Oh dear... Spikefin Interactive list their *awards* on their site (how does that happen?):

http://www.spikefin.com/company/

I can't wait until they have a "media coverage" tab :P

More funny goodness:
http://www.spikefin.com/development/
"Our core competencies lie in technologies such as Flex, Flash, Actionscript, HTML/CSS, Objective C, Java and MySQL".

Spikefin can help you build highly interactive applications that can run in Flash-enabled browsers or on the desktop using AIR. Our development team are specialists in Flex, an open-source framework that deploys consistently on all major browsers and operating systems.

Flex's rapid prototyping means you can see your ideas unfold and refine them throughout the development process. It's fast and transparent development that keeps you in control. Outsource your project with confidence.

Less waiting. More action. Watch as your ideas come to life with Flex's rapid prototyping.

Transparent development. Outsource with the confidence of a development cycle you can see.

Enterprise-grade. But sexy. Make business intelligence intuitive and sexy with Flex's advanced data visualisation components.

=========

haha, we can't fault them with their advanced data visualisation.... the whole world can see it!




freitasm
BDFL - Memuneh
79288 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #357535 28-Jul-2010 07:42


Kelvin Yong
Why not have this typed out as a note on Hell Pizza's profile, so it's searchable and more useful? Search engine can't "read" text in the image.

If I was conspiracy minded I would sooo be believing that too right now, but surely there is another explanation?! (but good to see later they made a note as well, conspiracy theory squashed? :P But Hell only admits it was due to Kelvin's "insistence" that this happened.... !!)


Kelvin is our very own ex-moderator Chiefie. That's why he's clued up.
However this comment:


Steve McAteer this is pretty responsible for a company ! Most companies would simply try to keep it quiet...obviously one day coming back to bite them on the ass, so well done HELL, i wish all companies we're this open, transparent and honest...keep it up, hopefully the theory will spread !

I read that again with a mixture of laughter (because it is so far from reality...) and sadness... (for the same reason!)

Another clueless customer:

Danny Collings Kelvin get ova ur bad self , hell have it covered i have mates that work in hell ..its being taken care of.. and the customers who are affected in anyway have or are about to receive e-mails to let them know ... if you really wnt to throw ...something around go to the hells web page and grab a little devil to toss , ps most customers of hells trust them to do the right thing they have so enough already with you making ur point ova and ova and ova ..........if this gets u pissy well it proves my point u need to chillax !

Correct me if I'm wrong, but did EVERY customer get an email? As that is how many were breached. Besides, Kelvin was spot on the money.

Another person (Amanda Easterbrook, very long comment so won't quote it all) accused RiskyBiz of being the only person doing wrong here because she said he is trying to extort money!! :o wtf



People who don't understand the risks of lack of privacy and security on the Internet. They probably didn't read the whole thing, didn't understand how and why, and have no idea of the impact of this in their lives.







Ragnor
8222 posts

Uber Geek

Trusted

  #357700 28-Jul-2010 13:17

The original version of the site was probably developed about 10 years ago so it's understandable (but not excusable) how secure coding practices weren't adhered to.

SQL injection problems are extremely common with old sites.

sleemanj
1490 posts

Uber Geek


  #357707 28-Jul-2010 13:29

SQL injection is one thing, but this was pretty sloppy: it wasn't just forgetting to escape a string or something, it was sending complete unchecked SQL across the wire. Even 10 years ago (really, 10 years, in Flash?) that would have been pretty obviously a bad idea.




---
James Sleeman
I sell lots of stuff for electronic enthusiasts...


reven
3743 posts

Uber Geek

Trusted

  #357744 28-Jul-2010 14:48

seriously who thought this was a good idea?

https://www.hellpizza.com.au/sql_engine.jsp?RUN_ANY_QUERY_YOU_LIKE

but at least it was over https :P, so glad I never ordered pizza using their online site.
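
The flaw freitasm and sleemanj describe above, a server endpoint that executes whatever SQL the client hands it, placed beside the shape a fixed, parameterised lookup takes. This is an added example in Python over an in-memory SQLite table, not Spikefin's or Hell Pizza's code; the `customers` schema, the sample rows and the request text are all constructed.

```python
import sqlite3
from urllib.parse import parse_qs, unquote

# Constructed sample data standing in for the ordering site's customer
# table; the thread does not reveal the real schema.
SAMPLE_ROWS = [
    (1, "alice", "alice@example.invalid", "hunter2"),
    (2, "bob", "bob@example.invalid", "letmein"),
]


def make_db():
    """In-memory SQLite stand-in for the MySQL database behind the site."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers(id INTEGER PRIMARY KEY, "
                 "name TEXT, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def sql_engine_vulnerable(conn, query_string):
    """The pattern the thread describes: the client puts a complete SQL
    statement in the request and the server executes it unchanged. To a
    firewall every such request looks legitimate, and every table (here
    including plaintext passwords) is reachable from the browser."""
    return conn.execute(unquote(query_string)).fetchall()


def customer_lookup_hardened(conn, query_string):
    """The server owns the statement. The client may only supply a 'name'
    value; it is bound as a parameter, never parsed as SQL, and the result
    is limited to the columns this feature actually needs."""
    names = parse_qs(query_string).get("name")
    if not names or len(names) != 1:
        raise ValueError("exactly one 'name' parameter is required")
    return conn.execute("SELECT id, name FROM customers WHERE name = ?",
                        (names[0],)).fetchall()


def demo():
    """Feed the same request text to both handlers and return both results."""
    conn = make_db()
    # Constructed request: the whole statement travels in the URL, as with
    # the sql_engine.jsp endpoint quoted above.
    raw_request = "SELECT%20name%2C%20password%20FROM%20customers"
    leaked = sql_engine_vulnerable(conn, raw_request)
    # The hardened handler treats the same text as a customer name; no row
    # matches, and the password column cannot be selected from outside.
    safe = customer_lookup_hardened(conn, "name=" + raw_request)
    return leaked, safe
```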

Ragnor
8222 posts

Uber Geek

Trusted

  #358029 28-Jul-2010 23:40

Oh wow, that is not just bad practice, it's retarded practice.

richms
28187 posts

Uber Geek

Trusted
Lifetime subscriber

  #358031 28-Jul-2010 23:42

It's the sort of thing you would do in a quick and dirty mockup to demo something in a controlled environment. Then someone deployed it as is. Well, that's what I expect happened.




Richard rich.ms

dman
953 posts

Ultimate Geek


  #358371 29-Jul-2010 13:52

sleemanj: SQL injection is one thing, but this was pretty sloppy: it wasn't just forgetting to escape a string or something, it was sending complete unchecked SQL across the wire. Even 10 years ago (really, 10 years, in Flash?) that would have been pretty obviously a bad idea.

It wasn't just that; they had a whole comedy of errors, like storing passwords as plain text. No matter how many years we are talking about, you can't call that secure.



