
SQL failure exposes plain text passwords


Post by andry on Thu Jun 17, 2010 11:33 pm

File under FAIL: social network widget maker RockYou has fallen victim to a SQL injection flaw and as a result some 32.6 million users are being urged to change their passwords as a matter of urgency.

Security specialists Imperva discovered the problem at social networking development site Rockyou.com and issued a warning to users of its applications earlier this week. "Rockyou.com is not just any software site. Since its creation in 2006, it's become the hub for many social networking sites such as Bebo, Facebook and Myspace, to mention but a few," said Amichai Shulman, Imperva CTO.

Shulman claimed that the "vast majority" of user names and passwords were, by default, the same as the users' webmail accounts, adding "the users are young and security is not top of mind, but nonetheless companies need to keep them protected and ensure their details are safe... it is the responsibility of application owners to protect the information trusted to them by users".

TechCrunch reports that the hacker exploit took advantage of a "trivial SQL injection vulnerability" which "has been well documented for over a decade" and is "extremely basic in execution, yet catastrophic in impact". Worse yet, it points out that RockYou only requires 5-character passwords, and that these were stored in plain text. If this were not bad enough, users of RockYou widgets were prompted to "enter their third-party site credentials directly into the RockYou site when sharing data or an application". Indeed, SQL injection exploits are nothing new and have hit the most unlikely of people, including security experts Kaspersky. That said, I agree with TechCrunch that this really does look like it was a security disaster just waiting to happen, not least thanks to a basic misunderstanding of the importance of a secure password strategy.
andry
Moderator

Posts : 467
Join date : 2010-05-07
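The post names two separate failures: user input concatenated into SQL text, and passwords kept in plain text behind a 5-character minimum. The example below is added here and is not code from the post, from RockYou or from TechCrunch; it constructs its own in-memory SQLite tables and sample accounts, and the 12-character minimum, the PBKDF2 parameters and all function names are assumptions for illustration. It shows the concatenated query breaking as soon as a name contains a quote (sqlite3 reports a syntax error, proving the input was parsed as SQL), while the parameterised query treats the same name as data, and it contrasts what a table dump reveals under each storage scheme.

```python
import hashlib
import hmac
import os
import sqlite3

# Hypothetical policy values for this example; the post says RockYou
# accepted 5-character passwords.
MIN_PASSWORD_LENGTH = 12
PBKDF2_ROUNDS = 200_000


def open_demo_db():
    """Constructed in-memory database: one table storing passwords in plain
    text (the practice the post criticises), one storing salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (name TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users_hashed (name TEXT PRIMARY KEY, pw_hash BLOB, salt BLOB)")
    return conn


# --- Weak pattern: string concatenation plus plaintext storage -------------

def register_plain(conn, name, password):
    conn.execute("INSERT INTO users_plain (name, password) VALUES (?, ?)", (name, password))


def login_plain_concat(conn, name, password):
    """User input is pasted into the SQL text, so a quote in the input changes
    the statement's structure. sqlite3 raises OperationalError on the resulting
    syntax error; a statement that happened to stay valid would simply run."""
    query = ("SELECT COUNT(*) FROM users_plain WHERE name = '" + name
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] == 1


# --- Hardened pattern: bound parameters plus salted, iterated hashing -------

def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 from the standard library (a memory-hard KDF such as
    Argon2 is preferable where a library is available). Returns (digest, salt)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return digest, salt


def register_hashed(conn, name, password):
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError("password shorter than %d characters" % MIN_PASSWORD_LENGTH)
    digest, salt = hash_password(password)
    conn.execute("INSERT INTO users_hashed (name, pw_hash, salt) VALUES (?, ?, ?)",
                 (name, digest, salt))


def login_hashed_param(conn, name, password):
    """The placeholder binds `name` as data, never as SQL; the digest is
    recomputed with the stored salt and compared in constant time."""
    row = conn.execute("SELECT pw_hash, salt FROM users_hashed WHERE name = ?",
                       (name,)).fetchone()
    if row is None:
        return False
    stored_digest, salt = row
    candidate, _ = hash_password(password, salt)
    return hmac.compare_digest(stored_digest, candidate)


# Fixed statements selected by key, so no identifier is built from input.
_DUMP_QUERIES = {
    "users_plain": "SELECT password FROM users_plain WHERE name = ?",
    "users_hashed": "SELECT pw_hash FROM users_hashed WHERE name = ?",
}


def stored_secret(conn, table, name):
    """What a leaked table shows for one user: the literal password in the
    plaintext table, an opaque digest in the hashed one."""
    row = conn.execute(_DUMP_QUERIES[table], (name,)).fetchone()
    return row[0] if row else None


def run_demo():
    """Exercise both patterns on constructed accounts and return the outcomes."""
    conn = open_demo_db()
    register_plain(conn, "alice", "hunter2")
    register_hashed(conn, "alice", "correct horse battery staple")
    try:
        login_plain_concat(conn, "O'Brien", "x")
        concat_raised = False
    except sqlite3.OperationalError:
        concat_raised = True  # the quote in the name was parsed as SQL
    try:
        register_hashed(conn, "bob", "short")
        short_accepted = True
    except ValueError:
        short_accepted = False
    return {
        "plain_login_ok": login_plain_concat(conn, "alice", "hunter2"),
        "plain_dump": stored_secret(conn, "users_plain", "alice"),
        "hashed_dump_is_password": stored_secret(conn, "users_hashed", "alice")
                                   == b"correct horse battery staple",
        "hashed_login_ok": login_hashed_param(conn, "alice", "correct horse battery staple"),
        "hashed_login_wrong": login_hashed_param(conn, "alice", "wrong password here"),
        "param_quote_is_data": login_hashed_param(conn, "O'Brien", "x"),
        "concat_quote_raised": concat_raised,
        "short_password_accepted": short_accepted,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("%-26s %r" % (key, value))
```

Running the block prints the outcome table: the concatenated login fails with a syntax error on `O'Brien` while the parameterised login returns a plain `False` for the same input, the plaintext table gives up `hunter2` verbatim, and the 5-character-style password is rejected at registration.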
