Saturday | 20 March, 2010
CSO
RIAA Web site graffitied with piracy tags
SQL injection attack launched from Reddit.com
Darren Pauli (Computerworld) 18/01/2008 11:54:09

The Recording Industry Association of America (RIAA) became one of the largest proponents of peer-to-peer file sharing and anti-copyright when hackers defaced its Web site today.

A SQL injection attack was launched from a user hyperlink on content aggregation site Reddit.com which launched a SQL query of the RIAA databases.

Users posted pro-piracy content across the Web site, including a link from the RIAA News Room to torrent hosting site ThePirateBay.org, and an image mocking copyright supporters the Motion Picture Association of America, Microsoft and Apple.

According to Reddit contributors, the RIAA was using PHP language, MySQL, RedHat and Apache.

Contributor blorg said the vulnerability was caused by a query which contained an unvalidated URL variable that allowed "millions of pointless MD5 hash computations" to be processed through MySQL.

"The SQL injection works when a sloppy programmer passes a URL variable straight into a query without validating it," they said.

The RIAA's Content Management System (CMS) could not be identified despite that blogger ThinkItOver found URL variables common to commercial software.

"I found numerous URL variables in the form ?content_selector= through Google," they said.

"A number of riaa.com URLs have that same variable, content_selector=."

The Web site was wiped clean soon after the site was hijacked at around 6AM after a hacker attached a delete statement into a SQL injection attack.

IBRS analyst James Turner said the attack was symbolic rather than harmful because the RIAA has become a high profile enforcer of IP protection.

"This is being seen by many as a case of ideologically driven hacktivism against the RIAA," Turner said.

"It represents the clash of two cultures, on the one hand you have this special interest group which has taken the protection of IP several steps too far, and on the other hand you have an Internet sub-culture which thrives on collaboration and freely exchanged information.

"Some people are saying that the RIAA had it coming because the RIAA appeared to be going out of its way to take legal action against soft targets."

The Web site remained defaced or unavailable at the time of writing.

Click to e-mail your opinion to Darren Pauli.

More about Motion, Microsoft, Apple, Apache, Google, MySQL, Recording Industry Association of America, CMS, Motion Picture Association of America

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

More information about formatting options

Enter the fully qualified URL, eg. http://www.example.com/
Users posting comments agree to the CSO Online comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Add to Google
Additional Resources
Newsletter Subscription
Sign up for our CSO Online newsletters!
RSS Feeds
Syndicate content
 
Get a job Careerone
Whitepaper


Read Whitepaper

Making the move to Ethernet | A DECISION GUIDE

While enterprises today need higher bandwidth, there is increasing demand for solutions that can provide scalability, performance, simplicity and control at lower costs. Get the best of both worlds - read about Ethernet adoption today.

Sponsored Links