

Ning Security Hole Discovered By Hackers - Millions of Accounts Compromised - yurisagalov
http://thenextweb.com/insider/2012/04/20/ning-security-hole-discovered-by-hackers-as-many-as-100-million-accounts-compromised

======
ohashi
The title is a bit misleading. I don't see any evidence of a hack. Just
because a vulnerability was discovered doesn't mean it was used to compromise
accounts. It is possible, but it was always possible with or without this
vulnerability being disclosed now. If it did occur, this may not have even
been the method used.

------
supereric
I work for Ning and wanted to let anyone who is interested know that there is
some additional info on the Ning Blog about this issue if anyone is
interested: [http://www.ning.com/blog/2012/04/security-updates-on-ning-
pl...](http://www.ning.com/blog/2012/04/security-updates-on-ning-
platform.html).

Hope that helps. Have a great weekend.

E

------
plowman
I work at Ning. I can confirm this hole was recently patched.

------
thezilch
In fact, one of the referenced articles [0] states the students disclosed the hack
to Ning in March. It's not clear when the hole was patched, but I have a hard
time believing it has been nearly a month between the hack being demonstrated
to Ning and Ning releasing a solution. Furthermore, it appears the Dutch news
sites and TNW's translation are only reporting on the issue because the
students are comfortable in now releasing this information, only after Ning
has patched the vulnerability, BEFORE millions of accounts could be
compromised. In this regard, I don't understand TNW's tone nor this post's
title.

Of course, Ning should certainly come forward with their findings and what
diligence was made.

[0] [http://webwereld.nl/nieuws/110261/ning-lekt-accounts-100-mil...](http://webwereld.nl/nieuws/110261/ning-lekt-accounts-100-miljoen-gebruikers.html)

------
rdl
It got ignored for a _year_. That's an argument for Full Disclosure, at least
to me.

