Elance database hacked

JohnRoy

3:38 am on Jul 17, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month
Got [an] email security alert from Elance.

How did this happen?
On the Elance Security Alert [elance.com] page about this they state the following:

The hackers discovered a security hole on an unprotected page that enabled them to access a data table that contained contact information including name, email address, telephone number, city location, and username, and that contained protected versions of user passwords, in an unreadable format called a one-way hash. Their attack did not access personal financial information such as credit card, bank account, social security or tax ID numbers.

  • Just wondering if Elance can actually be blamed for this, and how it can be proven.
  • Any way one can protect themselves from a similar mess in such environments.

    [edited by: phranque at 5:50 am (utc) on July 17, 2009]
    [edit reason] added link to quote source [/edit]

rocknbil

4:24 pm on Jul 17, 2009 (gmt 0)

Any way one can protect themselves from a similar mess in such environments.

Signing up for, and PASSING, a securityMetrics scan might help.

IMO the eLance vulnerabilities are the result of too many "bells and whistles": excessive Ajax, combinations of multiple technologies (perl, php, JS) all lumped on top of each other, and probably with multiple developers interacting and unaware of the possible holes they may be creating.

It's a pretty complex system, and when a system gets complex you're bound to have holes in it.

EDIT: This may also be related to a recent "site theft" of the eLance database. An off-shore site sprang up containing all the providers' info without their knowledge. It's been taken down by the ISP only to reappear a few days later.

I will say the staff is proactive in going after the thieves, but you know the difficulties in actually finding them. It may never end.

JohnRoy

4:42 pm on Jul 17, 2009 (gmt 0)

Signing up for, and PASSING, a securityMetrics scan might help.

Any small e-commerce site that accepts credit cards, even if it uses a third party for CC, needs under Visa/MC regulations to sign up for PCI compliance.
For a huge provider like elance, I doubt they didn't sign up and pass this test.

Hackers were just one step ahead.

rocknbil

5:00 pm on Jul 17, 2009 (gmt 0)

discovered a security hole on an unprotected page that enabled them to access a data table that contained contact information

If the page was unprotected, it would be public; if it was public, S.M. can scan it; if it didn't detect an XSS or injection vulnerability, it seems to indicate either S.M. is not doing as well as it should be or a scan was never run. Just my take without further knowledge . . . I've had to bring servers up to S.M. validation (except for system vulnerabilities) and I can testify . . . they are brutal.

However, if an S.M. scan was run and eLance can verify this, it turns our attention to securityMetrics.

JohnRoy

5:16 pm on Jul 17, 2009 (gmt 0)

Security Metrics would run scheduled scans once a month (or a little more). It's not there all the time.

The unprotected page might have been added or edited between the scans.

Just another suggestion.
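The last two posts point at the gap a periodic external scan leaves: a page added or edited between monthly scans is unprotected until the next run. The complementary control is inside the application, where every route must declare its access policy and anything undeclared is denied and flagged at build time rather than waiting for a scanner to notice. The Python below is an added illustration of that deny-by-default pattern; it is not code from this thread, from Elance, or from SecurityMetrics, and the route paths, the `route` decorator and the `audit_routes` check are hypothetical names constructed for the example.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Access policies a route may declare. Only PUBLIC skips the login check;
# anything else, including "not declared", is treated as AUTHENTICATED.
PUBLIC = "public"
AUTHENTICATED = "authenticated"

Handler = Callable[[dict], str]

# Hypothetical route table: path -> (declared policy or None, handler).
ROUTES: Dict[str, Tuple[Optional[str], Handler]] = {}


def route(path: str, policy: Optional[str] = None):
    """Register a handler. policy=None records that nobody decided yet."""
    def decorator(fn: Handler) -> Handler:
        ROUTES[path] = (policy, fn)
        return fn
    return decorator


@route("/login", policy=PUBLIC)
def login(request: dict) -> str:
    return "login form"


@route("/profile", policy=AUTHENTICATED)
def profile(request: dict) -> str:
    return "profile for %s" % request["user"]


@route("/admin/export_users")  # constructed example of a page added without a policy
def export_users(request: dict) -> str:
    return "name,email,phone,city,username"


def dispatch(path: str, request: dict) -> Tuple[int, str]:
    """Serve a request; the default for an undeclared policy is to require login."""
    entry = ROUTES.get(path)
    if entry is None:
        return 404, "not found"
    policy, handler = entry
    if policy != PUBLIC and request.get("user") is None:
        # Deny by default: an undeclared policy never exposes data to anonymous users.
        return 401, "authentication required"
    return 200, handler(request)


def audit_routes() -> List[str]:
    """Return paths registered with no declared policy.

    Run from a CI step (fail the build if the list is non-empty) so an
    undeclared page cannot ship, whatever the external scan cadence is.
    """
    return sorted(path for path, (policy, _) in ROUTES.items() if policy is None)


if __name__ == "__main__":
    print("routes lacking a policy:", audit_routes())
    print(dispatch("/admin/export_users", {}))
    print(dispatch("/profile", {"user": "alice"}))
```

The external scan still has value for the things this cannot see (server and framework vulnerabilities), but the in-application default means a forgotten declaration fails closed instead of waiting a month to be found.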