
For those who haven't heard the story, the details were pulled from a Christian dating site, db.singles.org, which had a query parameter injection vulnerability.

The vulnerability allowed you to navigate to a person's profile by entering the user id and skipping authentication.

Once you got there, the change password form had the passwords in plain text. Someone wrote a scraper and now the entire database is on Mediafire and contains thousands of email/password combinations.
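An added example, not part of the original comment and not the site's code: the two defenses the description above calls for, taking the account from the authenticated session rather than a user id in the query string, and storing only a salted password hash so no form has a password to display. All names (`USERS`, `SESSIONS`, the handlers) and the sample accounts are hypothetical.

```python
import hashlib, hmac, os, secrets

USERS = {}     # user_id -> {"email", "salt", "digest"}; no plaintext password stored
SESSIONS = {}  # session token -> user_id, set only after a successful login

def kdf(password, salt):
    # Salted, slow KDF so a leaked table does not yield passwords directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def register(user_id, email, password):
    salt = os.urandom(16)
    USERS[user_id] = {"email": email, "salt": salt, "digest": kdf(password, salt)}

def check_password(user_id, password):
    rec = USERS.get(user_id)
    return rec is not None and hmac.compare_digest(kdf(password, rec["salt"]), rec["digest"])

def login(user_id, password):
    if not check_password(user_id, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token

def change_password_form(token, requested_user_id):
    """GET handler: returns (status, body). The id in the query string is never trusted."""
    session_user = SESSIONS.get(token)
    if session_user is None:
        return 401, {}   # not logged in
    if session_user != requested_user_id:
        return 403, {}   # logged in, but asking for someone else's profile
    # Password inputs are always rendered empty; there is nothing to pre-fill them with.
    return 200, {"email": USERS[session_user]["email"], "current_password": "", "new_password": ""}

def change_password(token, current, new):
    """POST handler: the account comes from the session; the old password is re-verified."""
    user_id = SESSIONS.get(token)
    if user_id is None:
        return 401
    if not check_password(user_id, current):
        return 403
    salt = os.urandom(16)
    USERS[user_id].update(salt=salt, digest=kdf(new, salt))
    return 200

# Constructed sample accounts
register(1, "alice@example.test", "correct horse battery")
register(2, "bob@example.test", "staple tractor window")
```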

Thanks. Glad to see some actual info on the attack, as the real article and most comments in this thread are devoid of any.

Ouch. SQL injections and plaintext passwords? Someone hired their nephew to do backend programming.
